Squid Proxy Server: Limit the number of simultaneous Web connections from a client with maxconn ACL

by on May 4, 2007 · 12 comments· LAST UPDATED May 4, 2007

So how do you limit the number of simultaneous web connections from a client browser system using the open source Squid proxy server?

Use the Squid access control (ACL) type called maxconn. It limits the number of connections from a single client IP address: the ACL is true if the client has more than maxconn connections open. It is used in http_access to allow or deny the request, just like all the other ACL types.

Step # 1: Edit squid conf file

Open /etc/squid/squid.conf file:
# vi /etc/squid/squid.conf

Step # 2: Setup maxconn ACL

Locate your ACL section and append the following directives:
acl ACCOUNTSDEPT src 192.168.5.0/24
acl limitusercon maxconn 3
http_access deny ACCOUNTSDEPT limitusercon

Where,

  1. acl ACCOUNTSDEPT src 192.168.5.0/24 : Our accounts department IP range
  2. acl limitusercon maxconn 3 : Matches when the same client IP has more than 3 simultaneous connections open
  3. http_access deny ACCOUNTSDEPT limitusercon : Deny requests from the accounts department that match the limit ACL

Save and close the file.

Restart squid

Restart the squid server, enter:
# /etc/init.d/squid restart
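
Before picking a maxconn value, you can estimate how many requests each client actually has in flight at once from Squid's native access.log, where the first field is the completion time and the second is the elapsed time in milliseconds. The script below is an added example, not part of the original post; the log lines and function names are constructed for illustration, and overlapping requests only approximate open TCP connections, because idle persistent connections also count toward maxconn.

```python
from collections import defaultdict

# Constructed sample in Squid's native access.log format:
# end-time elapsed-ms client result/status bytes method URL ident peer type
SAMPLE_LOG = """\
1178280000.500 400 192.168.5.10 TCP_MISS/200 2994 GET http://example.com/a - DIRECT/192.0.2.10 text/html
1178280000.900 700 192.168.5.10 TCP_MISS/200 1200 GET http://example.com/b - DIRECT/192.0.2.10 text/css
1178280001.000 750 192.168.5.10 TCP_MISS/200 8000 GET http://example.com/c - DIRECT/192.0.2.10 image/png
1178280001.100 800 192.168.5.10 TCP_MISS/200 5100 GET http://example.com/d - DIRECT/192.0.2.10 image/png
1178280003.000 200 192.168.5.10 TCP_MISS/200 640 GET http://example.com/e - DIRECT/192.0.2.10 text/html
1178280001.000 900 192.168.5.22 TCP_MISS/200 300 GET http://example.com/a - DIRECT/192.0.2.10 text/html
truncated line
"""

def parse_intervals(log_text):
    """Yield (client_ip, start_ms, end_ms) for each well-formed log line."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip truncated or empty lines
        try:
            end_ms = int(round(float(fields[0]) * 1000))
            elapsed_ms = int(fields[1])
        except ValueError:
            continue  # skip lines whose time fields are not numeric
        yield fields[2], end_ms - elapsed_ms, end_ms

def peak_concurrency(log_text):
    """Return {client_ip: highest number of requests in flight at once}."""
    events = defaultdict(list)
    for ip, start, end in parse_intervals(log_text):
        events[ip].append((start, 1))
        events[ip].append((end, -1))
    peaks = {}
    for ip, evs in events.items():
        current = peak = 0
        for _, delta in sorted(evs):  # at equal times, -1 sorts before +1
            current += delta
            peak = max(peak, current)
        peaks[ip] = peak
    return peaks

def clients_over_limit(log_text, maxconn):
    """Clients whose peak exceeds maxconn, i.e. would have matched the ACL."""
    return sorted(ip for ip, p in peak_concurrency(log_text).items() if p > maxconn)

if __name__ == "__main__":
    print(peak_concurrency(SAMPLE_LOG), clients_over_limit(SAMPLE_LOG, 3))
```

Run it against a real log by passing the contents of /var/log/squid/access.log instead of SAMPLE_LOG; clients listed for a candidate limit are the ones that would start seeing denied requests.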


{ 12 comments… read them below or add one }

1 Saqib June 12, 2007 at 2:31 pm

We are seeking a System engineer for a permanent position, who has working experience with Squid. If anyone from the Miami, FL area is interested in that position, please let me know on my number 954-839-8629 or you can send me your saqib_staffcc@hotmail.com

thank you,

Saqib Rahat
Technical Recruiter

Reply

2 nixCraft June 12, 2007 at 4:45 pm

Saqib,

You can post UNIX/Linux specific jobs here

Reply

3 raghav February 8, 2008 at 9:57 pm

Sir,
Actually I have tried what you have mentioned here. A similar thing is also given in the O'Reilly Squid definitive guide.
But the problem is no of connection are getting limited; please help me out and tell me the reason for it.
Thanking you.

Reply

4 Muhammad Tahaa March 21, 2008 at 1:04 pm

hi dear try this and reply

acl limited_user src 192.168.1.0/24
acl maxconn_user maxconn 4
acl download urlpath_regex (extensions to be locked)
http_access deny limited_user maxconn_user download
http_access allow !limited_user

Reply

5 Billy October 7, 2008 at 7:14 pm

Saqib Rahat,

Please stop calling people at random. It is illegal to call cell phones for solicitation and I will call the better business bureau on you. Thanks.

Anonymous

Reply

6 amit March 6, 2009 at 7:11 am

I want to do the following:
1. block some sites for everyone except the boss
2. allow only a few sites in office time, except for the boss
3. allow only 4 sites / connections per user (all the time), except for the boss

1 & 2 I was able to do.
The 3rd I am not able to do.
my config file is as follows

http_port 192.168.1.254:3128 transparent
acl all src 0.0.0.0/0.0.0.0
acl 4win maxconn 4
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl mynetwork src 192.168.1.0/255.255.255.0
acl manage src 192.168.1.240 192.168.1.120 192.168.1.121 192.168.1.142
acl BAD_DOMAINS dstdom_regex "/etc/squid/bad_domains"
acl GOOD_DOMAINS dstdom_regex "/etc/squid/good_domains"
acl CONNECT method CONNECT
acl officetime time SMTWHFS 09:35-17:00
acl QUERY urlpath_regex cgi-bin \?
hierarchy_stoplist cgi-bin \?
memory_pools off
coredump_dir /var/spool/squid
cache_dir diskd /var/spool/squid 1000 64 1256
err_html_text root@localhost
cache_mgr root@localhost
deny_info ERR_ACCESS_DENIED all
ie_refresh on
log_access deny manage
no_cache deny QUERY
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/debug
cache_store_log /var/log/squid/storage
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
half_closed_clients off
reply_body_max_size 250000 allow mynetwork !manage !officetime
request_body_max_size 100 KB allow mynetwork !manage !officetime
reply_body_max_size 500000 allow mynetwork !manage
reply_body_max_size 0 allow manage
reply_body_max_size 0 deny all
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
#http_access deny mynetwork 4win
http_access allow manager localhost
http_access allow mynetwork GOOD_DOMAINS
http_access allow manage all
http_access allow mynetwork BAD_DOMAINS !officetime
http_access allow all mynetwork !officetime
http_access allow localhost
http_reply_access allow all
icp_access allow all
http_access deny mynetwork BAD_DOMAINS officetime !manage
http_access deny all !manage

Reply

7 jp June 3, 2009 at 11:16 am

Hello Amit,

Apart from ur requirement , I need ur help.

My requirement as follows

1. I need squid with transparent mode
2. I have two group. For Group one there is no restriction ,they should access all sites
For group two there is site restriction, I want block some sites, except blocked sites they
can access all.

I am having some confusion. I tried but I could not succeed.

Please post the configuration details for my requirement. Because already You have done

Please I am expecting

Thanking U

Reply

8 seneviratne July 22, 2009 at 8:20 am

Hello friend

How do I add a client PC to the squid configure file

Reply

9 paulo September 4, 2009 at 4:33 pm

Hello – How to configure squid to answer only the first request to a site.

People click on the link several times and this causes very slowly.

Example

The User Clicked 3 times the link, ordered the squid 3 times the same information.

How do squid answer only the first request and ignore the next.

1252081058.075 3557 192.168.0.15 TCP_MISS/200 2994 GET http://www.atarihq.com/tsr/manuals/dw1.txt - DIRECT/216.97.232.91 text/plain
1252081058.167 3430 192.168.0.15 TCP_MISS/200 2994 GET http://www.atarihq.com/tsr/manuals/dw1.txt - DIRECT/216.97.232.91 text/plain
1252081060.326 5357 192.168.0.15 TCP_MISS/200 26196 GET http://www.atarihq.com/tsr/manuals/dw1.txt - DIRECT/216.97.232.91 text/plain

Reply

10 pradeep March 22, 2010 at 7:58 am

Hi Amit,
I didn't get your boss's IP, but I assumed that manage is what your boss is using; just try this:
in # vim /etc/squid/squid.conf conf file just edit
"http_access deny mynetwork 4win !manage"
restart the squid service

Reply

11 heddar March 22, 2011 at 9:27 pm

I learned a lot from your topics, your website has a great place in my bookmark list
..

Reply

12 RODEL May 6, 2011 at 7:29 am

I need help. I am using proxy authentication. I followed the maxconn steps but it seems not to be working. I try to connect using the same username at the same time. Both usernames get connected. I only want one username to be able to connect at the same time, and to deny the other user once the first one is connected.

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 1
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

acl losers src 192.168.111.0/24
acl 5CONN maxconn 1
http_access deny 5CONN losers

Reply
