Squid Proxy Server: Limit the number of simultaneous Web connections from a client with maxconn ACL

How do you limit the number of simultaneous web connections from a client system using the open source Squid proxy server?

You need to use the Squid access control (ACL) type called maxconn. It puts a limit on the maximum number of connections from a single client IP address: the ACL is true if that client has more than maxconn connections open. It is used in http_access to allow or deny the request, just like all the other ACL types.

Step # 1: Edit squid conf file

Open /etc/squid/squid.conf file:
# vi /etc/squid/squid.conf

Step # 2: Setup maxconn ACL

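Locate your ACL section and append the config directives as follows (ACCOUNTSDEPT must already be defined there as an ACL for the accounts department IP range):
acl limitusercon maxconn 3
http_access deny ACCOUNTSDEPT limitusercon

  1. acl ACCOUNTSDEPT : Our accounts department IP range
  2. acl limitusercon maxconn 3 : Matches when the same client IP has more than 3 simultaneous web connections open
  3. http_access deny ACCOUNTSDEPT limitusercon : Apply the ACL, denying the request when both ACLs match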

Save and close the file.

Restart squid

Restart the squid server, enter:
# /etc/init.d/squid restart
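
The steps above, as an added example that is not part of the original article and not Squid's own code: a simplified Python model of how http_access lines are evaluated, showing that the maxconn deny only takes effect when it comes before any allow line that matches the same clients. It goes beyond the article by covering rule order. The 192.0.2.0/24 range, the "http_access allow ACCOUNTSDEPT" and "http_access deny all" lines, and all function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed config. 192.0.2.0/24 is a documentation range standing in for
# the accounts department subnet, which the article does not give.
ACLS = """\
acl ACCOUNTSDEPT src 192.0.2.0/24
acl limitusercon maxconn 3
"""
DENY = "http_access deny ACCOUNTSDEPT limitusercon\n"
ALLOW = "http_access allow ACCOUNTSDEPT\n"
GOOD = ACLS + DENY + ALLOW + "http_access deny all\n"
# Same lines, but the allow comes first, so the maxconn deny is never reached.
MISORDERED = ACLS + ALLOW + DENY + "http_access deny all\n"

def parse(conf):
    """Parse the acl/http_access subset used above into (acls, rules)."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if tok[:1] == ["acl"]:
            acls[tok[1]] = (tok[2], tok[3])
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acls, name, client_ip, conns):
    """conns = TCP connections open from client_ip, counting this request's."""
    if name == "all":  # built in to current Squid releases
        return True
    kind, arg = acls[name]
    if kind == "src":
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(arg)
    if kind == "maxconn":
        return conns > int(arg)  # true only when MORE than N are open
    raise ValueError(f"ACL type not modelled: {kind}")

def decide(conf, client_ip, conns):
    """First http_access line whose ACLs all match decides the request."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls, n.lstrip("!"), client_ip, conns)
               != n.startswith("!") for n in names):
            return action
    return "deny"  # simplification: nothing matched

if __name__ == "__main__":
    for conf in (GOOD, MISORDERED):
        print([decide(conf, "192.0.2.10", c) for c in (3, 4, 10)])
```

With the deny line first, a client in the range is allowed at 3 open connections and denied from the 4th; with the allow line first, the limit never applies.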

{ 12 comments… add one }

  • Saqib June 12, 2007, 2:31 pm

    We are seeking a system engineer for a permanent position who has working experience with Squid. If anyone from the Miami, FL area is interested in that position, please let me know on my number 954-839-8629 or you can send me your saqib_staffcc@hotmail.com

    Thank you,

    Saqib Rahat
    Technical Recruiter

  • nixCraft June 12, 2007, 4:45 pm

    You can post UNIX/Linux specific jobs here

  • raghav February 8, 2008, 9:57 pm

    Actually, I have tried what you have mentioned here. A similar thing is also given in the O'Reilly Squid definitive guide.
    But the problem is no of connection are getting limited. Please help me out and tell me the reason for it.
    Thanking you.

  • Muhammad Tahaa March 21, 2008, 1:04 pm

    Hi dear, try this and reply

    acl limited_user src
    acl maxconn_user maxconn 4
    acl download urlpath_regex (extensions to be locked)
    http_access deny limited_user maxconn_user download
    http_access allow !limited_user

  • Billy October 7, 2008, 7:14 pm

    Saqib Rahat,

    Please stop calling people at random. It is illegal to call cell phones for solicitation and I will call the better business bureau on you. Thanks.


  • amit March 6, 2009, 7:11 am

    I want to do the following:
    1. block some sites to everyone except boss
    2. allow only few sites in office time except boss
    3. allow only 4 sites / connections per user (all-time) except boss

    1 & 2 I was able to do.
    The 3rd I am not able to do.
    My config file is as follows:

    http_port transparent
    acl all src
    acl 4win maxconn 4
    acl manager proto cache_object
    acl localhost src
    acl to_localhost dst
    acl SSL_ports port 443 563
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 563 # https, snews
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl mynetwork src
    acl manage src
    acl BAD_DOMAINS dstdom_regex "/etc/squid/bad_domains"
    acl GOOD_DOMAINS dstdom_regex "/etc/squid/good_domains"
    acl CONNECT method CONNECT
    acl officetime time SMTWHFS 09:35-17:00
    acl QUERY urlpath_regex cgi-bin \?
    hierarchy_stoplist cgi-bin \?
    memory_pools off
    coredump_dir /var/spool/squid
    cache_dir diskd /var/spool/squid 1000 64 1256
    err_html_text root@localhost
    cache_mgr root@localhost
    deny_info ERR_ACCESS_DENIED all
    ie_refresh on
    log_access deny manage
    no_cache deny QUERY
    cache_access_log /var/log/squid/access.log
    cache_log /var/log/squid/debug
    cache_store_log /var/log/squid/storage
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    half_closed_clients off
    reply_body_max_size 250000 allow mynetwork !manage !officetime
    request_body_max_size 100 KB allow mynetwork !manage !officetime
    reply_body_max_size 500000 allow mynetwork !manage
    reply_body_max_size 0 allow manage
    reply_body_max_size 0 deny all
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access deny to_localhost
    #http_access deny mynetwork 4win
    http_access allow manager localhost
    http_access allow mynetwork GOOD_DOMAINS
    http_access allow manage all
    http_access allow mynetwork BAD_DOMAINS !officetime
    http_access allow all mynetwork !officetime
    http_access allow localhost
    http_reply_access allow all
    icp_access allow all
    http_access deny mynetwork BAD_DOMAINS officetime !manage
    http_access deny all !manage

  • jp June 3, 2009, 11:16 am

    Hello Amit,

    Apart from your requirement, I need your help.

    My requirement is as follows:

    1. I need squid with transparent mode
    2. I have two groups. For group one there is no restriction, they should access all sites.
    For group two there is a site restriction: I want to block some sites; except blocked sites they can access all.

    I am having some confusion. I tried but I could not succeed.

    Please post the configuration details for my requirement. Because already You have done

    Please I am expecting

    Thanking you

  • seneviratne July 22, 2009, 8:20 am

    Hello friend

    How do I add a client PC to the squid configure file?

  • paulo September 4, 2009, 4:33 pm

    Hello – How to configure squid to answer only the first request to a site?

    People click on the link several times and this causes very slowly.

    The user clicked the link 3 times, and squid ordered the same information 3 times.

    How do I make squid answer only the first request and ignore the next?

    1252081058.075 3557 TCP_MISS/200 2994 GET http://www.atarihq.com/tsr/manuals/dw1.txt - DIRECT/ text/plain
    1252081058.167 3430 TCP_MISS/200 2994 GET http://www.atarihq.com/tsr/manuals/dw1.txt - DIRECT/ text/plain
    1252081060.326 5357 TCP_MISS/200 26196 GET http://www.atarihq.com/tsr/manuals/dw1.txt - DIRECT/ text/plain

  • pradeep March 22, 2010, 7:58 am

    Hi Amit,
    I didn't get your boss IP but I assumed that manage is what your boss is using. Just try this:
    in the conf file (# vim /etc/squid/squid.conf) just edit
    "http_access deny mynetwork 4win !manage"
    and restart the squid service

  • heddar March 22, 2011, 9:27 pm

    I learned a lot from your topics; your website has a great place in my bookmark list

  • RODEL May 6, 2011, 7:29 am

    I need help. I am using proxy authentication. I followed the maxconn but it seems not to be working. I try to connect using the same username at the same time. Both usernames get connected. I only want one username to be able to connect at the same time, and to deny the other user once the first one is connected.

    auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
    auth_param basic children 1
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours
    auth_param basic casesensitive off

    acl ncsa_users proxy_auth REQUIRED
    http_access allow ncsa_users

    acl losers src
    acl 5CONN maxconn 1
    http_access deny 5CONN losers
