Squid Proxy Server: Limit the number of simultaneous Web connections from a client with maxconn ACL

Last updated May 4, 2007

So how do you limit the number of simultaneous web connections from a client browser system using the open source Squid proxy server?

Use the Squid access control type called maxconn. It limits the number of connections from a single client IP address: the ACL is true when the client has more than maxconn connections open. Like all the other ACL types, it is used in http_access to allow or deny the request.

Step # 1: Edit squid conf file

Open /etc/squid/squid.conf file:
# vi /etc/squid/squid.conf

Step # 2: Setup maxconn ACL

Locate your ACL section and append the following directives:
acl limitusercon maxconn 3
http_access deny ACCOUNTSDEPT limitusercon


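  1. acl ACCOUNTSDEPT : The ACL for our accounts department IP range; it must be defined before the http_access line that uses it
  2. acl limitusercon maxconn 3 : Matches when the same client IP has more than 3 simultaneous connections open
  3. http_access deny ACCOUNTSDEPT limitusercon : Applies the limit by denying requests from accounts department clients that are over it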

Save and close the file.

Restart squid

Restart the squid server, enter:
# /etc/init.d/squid restart
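
The complete rule set with the ordering that makes the limit take effect, as an added example that is not part of the original article. The 192.0.2.0/24 range is a constructed placeholder for the accounts department subnet, which the article does not give.

```conf
# Added example: the address range below is a placeholder (documentation
# range), not a value from the article. Substitute your own subnet.
acl ACCOUNTSDEPT src 192.0.2.0/24

# maxconn matches once a client IP has MORE than 3 TCP connections open
# to Squid, so connections 1-3 pass and the 4th is the first one denied.
# The count is per source IP: users behind one NAT address share the limit.
# maxconn relies on Squid's client database, so it stops working if
# "client_db off" is set elsewhere in squid.conf.
acl limitusercon maxconn 3

# Ineffective ordering (kept commented out): http_access is first-match,
# so an earlier allow ends evaluation and the maxconn deny is never reached.
#   http_access allow ACCOUNTSDEPT
#   http_access deny  ACCOUNTSDEPT limitusercon

# Effective ordering: the deny comes first. Both ACLs on the line must
# match (logical AND), so only over-limit accounts clients are refused.
http_access deny ACCOUNTSDEPT limitusercon
http_access allow ACCOUNTSDEPT
http_access deny all
```

Running `squid -k parse` checks the edited file for syntax errors before the restart, and `squid -k reconfigure` reloads the configuration without a full restart.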

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.

12 comments

  1. We are seeking a system engineer for a permanent position who has working experience with Squid. If anyone from the Miami, FL area is interested in that position, please let me know on my number 954-839-8629 or you can send me your saqib_staffcc@hotmail.com

    Thank you,

    Saqib Rahat
    Technical Recruiter

  2. Sir,
    Actually, I have tried what you have mentioned here. A similar thing is also given in the O'Reilly Squid definitive guide.
    But the problem is the no. of connections are getting limited. Please help me out and tell me the reason for it.
    Thanking you.

  3. Hi dear, try this and reply

    acl limited_user src
    acl maxconn_user maxconn 4
    acl download urlpath_regex (extensions to be locked)
    http_access deny limited_user maxconn_user download
    http_access allow !limited_user

  4. Saqib Rahat,

    Please stop calling people at random. It is illegal to call cell phones for solicitation and I will call the better business bureau on you. Thanks.


  5. I want to do the following:
    1. Block some sites for everyone except the boss
    2. Allow only a few sites in office time, except for the boss
    3. Allow only 4 sites / connections per user (all-time), except for the boss

    1 & 2 I was able to do.
    The 3rd I am not able to do.
    My config file is as follows:

    http_port transparent
    acl all src
    acl 4win maxconn 4
    acl manager proto cache_object
    acl localhost src
    acl to_localhost dst
    acl SSL_ports port 443 563
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 563 # https, snews
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl mynetwork src
    acl manage src
    acl BAD_DOMAINS dstdom_regex "/etc/squid/bad_domains"
    acl GOOD_DOMAINS dstdom_regex "/etc/squid/good_domains"
    acl CONNECT method CONNECT
    acl officetime time SMTWHFS 09:35-17:00
    acl QUERY urlpath_regex cgi-bin ?
    hierarchy_stoplist cgi-bin ?
    memory_pools off
    coredump_dir /var/spool/squid
    cache_dir diskd /var/spool/squid 1000 64 1256
    err_html_text root@localhost
    cache_mgr root@localhost
    deny_info ERR_ACCESS_DENIED all
    ie_refresh on
    log_access deny manage
    no_cache deny QUERY
    cache_access_log /var/log/squid/access.log
    cache_log /var/log/squid/debug
    cache_store_log /var/log/squid/storage
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    half_closed_clients off
    reply_body_max_size 250000 allow mynetwork !manage !officetime
    request_body_max_size 100 KB allow mynetwork !manage !officetime
    reply_body_max_size 500000 allow mynetwork !manage
    reply_body_max_size 0 allow manage
    reply_body_max_size 0 deny all
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access deny to_localhost
    #http_access deny mynetwork 4win
    http_access allow manager localhost
    http_access allow mynetwork GOOD_DOMAINS
    http_access allow manage all
    http_access allow mynetwork BAD_DOMAINS !officetime
    http_access allow all mynetwork !officetime
    http_access allow localhost
    http_reply_access allow all
    icp_access allow all
    http_access deny mynetwork BAD_DOMAINS officetime !manage
    http_access deny all !manage

  6. Hello Amit,

    Apart from your requirement, I need your help.

    My requirement is as follows:

    1. I need Squid in transparent mode
    2. I have two groups. For group one there is no restriction; they should access all sites.
    For group two there is a site restriction: I want to block some sites; except for the blocked sites they
    can access all.

    I am having some confusion. I tried but I could not succeed.

    Please post the configuration details for my requirement. Because already You have done

    Please I am expecting

    Thanking you

  7. Hello – how do I configure Squid to answer only the first request to a site?

    People click on the link several times and this makes it very slow.

    The user clicked the link 3 times, and Squid ordered the same information 3 times.

    How can Squid answer only the first request and ignore the next ones?

    1252081058.075 3557 TCP_MISS/200 2994 GET http://www.atarihq.com/tsr/manuals/dw1.txt – DIRECT/ text/plain
    1252081058.167 3430 TCP_MISS/200 2994 GET http://www.atarihq.com/tsr/manuals/dw1.txt – DIRECT/ text/plain
    1252081060.326 5357 TCP_MISS/200 26196 GET http://www.atarihq.com/tsr/manuals/dw1.txt – DIRECT/ text/plain

  8. Hi Amit,
    I didn't get your boss's IP, but I assumed that manage is what your boss is using. Just try this:
    in the conf file (# vim /etc/squid/squid.conf) just edit
    "http_access deny mynetwork 4win !manage"
    and restart the squid service.

  9. I need help. I am using proxy authentication. I followed the maxconn setup but it does not seem to be working. I try to connect using the same username at the same time, and both get connected. I want only one connection per username at the same time, and to deny the other user once the first one is connected.

    auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
    auth_param basic children 1
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours
    auth_param basic casesensitive off

    acl ncsa_users proxy_auth REQUIRED
    http_access allow ncsa_users

    acl losers src
    acl 5CONN maxconn 1
    http_access deny 5CONN losers
