Squid Proxy Server: Limit the number of simultaneous Web connections from a client with maxconn ACL

Posted in Categories: Howto, Linux, Security, Squid caching server, Tips, Tuning. Last updated May 4, 2007

So how do you limit the number of simultaneous web connections from a client browser system using the open source Squid proxy server?

You need to use the Squid access control feature called maxconn. It puts a limit on the maximum number of connections from a single client IP address. The maxconn ACL matches when the client has more than the given number of connections open, and it is used in http_access to allow or deny the request just like any other ACL type.

Step #1: Edit the squid.conf file

Open the /etc/squid/squid.conf file:
# vi /etc/squid/squid.conf

Step #2: Set up the maxconn ACL

Locate your ACL section and append the configuration directives as follows:
acl ACCOUNTSDEPT src 192.168.3.0/24
acl limitusercon maxconn 3
http_access deny ACCOUNTSDEPT limitusercon

Where,

  1. acl ACCOUNTSDEPT src 192.168.3.0/24 : Our accounts department IP range
  2. acl limitusercon maxconn 3 : Allow at most 3 simultaneous web connections from the same client IP (the ACL matches once the client holds more than 3)
  3. http_access deny ACCOUNTSDEPT limitusercon : Apply the ACL. Squid stops at the first http_access line that matches, so this deny line must come before any http_access allow rule that covers the same clients. Note that maxconn counts connections per client IP address, so several users behind one NAT address share a single count.

Save and close the file.

Step #3: Restart squid

Restart the squid server, enter:
# /etc/init.d/squid restart
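One way to check whether the limit actually holds, as an added Python example that is not part of the original post: it reads Squid's native access.log format, treats each logged request as open from (finish time minus elapsed milliseconds) until its finish time, and reports clients whose in-flight requests ever exceeded the maxconn value. In-flight requests approximate connections (a persistent connection can be idle or carry several requests); the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Squid native access.log fields: <finish time sec.ms> <elapsed ms> <client ip> <result/status> ...
LINE_RE = re.compile(r"^(\d+\.\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s")

# Constructed sample log (not from the post): 192.168.3.15 has four overlapping
# requests plus one that Squid denied; 192.168.3.77 has a single request.
SAMPLE_LOG = """\
1252081058.075 3557 192.168.3.15 TCP_MISS/200 2994 GET http://example.test/a.txt - DIRECT/203.0.113.5 text/plain
1252081058.167 3430 192.168.3.15 TCP_MISS/200 2994 GET http://example.test/a.txt - DIRECT/203.0.113.5 text/plain
1252081060.326 5357 192.168.3.15 TCP_MISS/200 26196 GET http://example.test/b.txt - DIRECT/203.0.113.5 text/plain
1252081059.500 2000 192.168.3.15 TCP_MISS/200 4100 GET http://example.test/c.txt - DIRECT/203.0.113.5 text/plain
1252081059.600 1 192.168.3.15 TCP_DENIED/403 1500 GET http://example.test/e.txt - NONE/- text/html
1252081070.000 100 192.168.3.77 TCP_HIT/200 512 GET http://example.test/d.txt - NONE/- text/plain
"""

def parse_intervals(log_text):
    """Map client IP -> list of (start, end) seconds; start = finish time - elapsed.
    Denied requests never held a usable connection, so they are not counted."""
    intervals = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(4).startswith("TCP_DENIED"):
            continue  # malformed or denied line: skip rather than crash
        end = float(m.group(1))
        start = end - int(m.group(2)) / 1000.0
        intervals[m.group(3)].append((start, end))
    return intervals

def peak_concurrency(intervals):
    """Sweep line: the largest number of one client's requests in flight at once."""
    events = [(s, 1) for s, _ in intervals] + [(e, -1) for _, e in intervals]
    events.sort()  # at equal times (-1) sorts before (+1): a finish frees a slot first
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak

def clients_over_limit(log_text, limit):
    """Clients whose peak exceeded `limit`, i.e. where 'maxconn <limit>' did not hold."""
    peaks = {ip: peak_concurrency(iv) for ip, iv in parse_intervals(log_text).items()}
    return {ip: peak for ip, peak in peaks.items() if peak > limit}

if __name__ == "__main__":
    for ip, peak in clients_over_limit(SAMPLE_LOG, 3).items():
        print(f"{ip}: peak {peak} simultaneous requests, above maxconn 3")
```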

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector.

12 comments

  1. Sir,
    actually I have tried what you have mentioned here. A similar thing has also been given in O'Reilly's Squid: The Definitive Guide.
    But the problem is the no. of connections are getting limited. Please help me out and tell me the reason for it.
    Thanking you.

  2. Hi dear, try this and reply:

    acl limited_user src 192.168.1.0/24
    acl maxconn_user maxconn 4
    acl download urlpath_regex (extensions to be locked)
    http_access deny limited_user maxconn_user download
    http_access allow !limited_user

  3. Saqib Rahat,

    Please stop calling people at random. It is illegal to call cell phones for solicitation and I will call the better business bureau on you. Thanks.

    Anonymous

  4. I want to do the following:
    1. block some sites to everyone except boss
    2. allow only a few sites in office time except boss
    3. allow only 4 sites / connections per user (all-time) except boss

    1 & 2 I was able to do.
    3rd I am not able to do.
    My config file is as follows:

    http_port 192.168.1.254:3128 transparent
    acl all src 0.0.0.0/0.0.0.0
    acl 4win maxconn 4
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443 563
    acl Safe_ports port 80 # http
    acl Safe_ports port 21 # ftp
    acl Safe_ports port 443 563 # https, snews
    acl Safe_ports port 70 # gopher
    acl Safe_ports port 210 # wais
    acl Safe_ports port 1025-65535 # unregistered ports
    acl Safe_ports port 280 # http-mgmt
    acl Safe_ports port 488 # gss-http
    acl Safe_ports port 591 # filemaker
    acl Safe_ports port 777 # multiling http
    acl mynetwork src 192.168.1.0/255.255.255.0
    acl manage src 192.168.1.240 192.168.1.120 192.168.1.121 192.168.1.142
    acl BAD_DOMAINS dstdom_regex "/etc/squid/bad_domains"
    acl GOOD_DOMAINS dstdom_regex "/etc/squid/good_domains"
    acl CONNECT method CONNECT
    acl officetime time SMTWHFS 09:35-17:00
    acl QUERY urlpath_regex cgi-bin ?
    hierarchy_stoplist cgi-bin ?
    memory_pools off
    coredump_dir /var/spool/squid
    cache_dir diskd /var/spool/squid 1000 64 1256
    err_html_text [email protected]
    cache_mgr [email protected]
    deny_info ERR_ACCESS_DENIED all
    ie_refresh on
    log_access deny manage
    no_cache deny QUERY
    cache_access_log /var/log/squid/access.log
    cache_log /var/log/squid/debug
    cache_store_log /var/log/squid/storage
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    half_closed_clients off
    reply_body_max_size 250000 allow mynetwork !manage !officetime
    request_body_max_size 100 KB allow mynetwork !manage !officetime
    reply_body_max_size 500000 allow mynetwork !manage
    reply_body_max_size 0 allow manage
    reply_body_max_size 0 deny all
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access deny to_localhost
    #http_access deny mynetwork 4win
    http_access allow manager localhost
    http_access allow mynetwork GOOD_DOMAINS
    http_access allow manage all
    http_access allow mynetwork BAD_DOMAINS !officetime
    http_access allow all mynetwork !officetime
    http_access allow localhost
    http_reply_access allow all
    icp_access allow all
    http_access deny mynetwork BAD_DOMAINS officetime !manage
    http_access deny all !manage

  5. Hello Amit,

    Apart from your requirement, I need your help.

    My requirement is as follows:

    1. I need squid in transparent mode
    2. I have two groups. For group one there is no restriction, they should access all sites.
    For group two there is site restriction, I want to block some sites; except the blocked sites they
    can access all.

    I am having some confusion. I tried but I could not succeed.

    Please post the configuration details for my requirement, because you have already done it.

    Please, I am expecting.

    Thanking you

  6. Hello – How to configure squid to answer only the first request to a site?

    People click on the link several times and this causes it to be very slow.

    Example

    The user clicked the link 3 times, and squid ordered the same information 3 times.

    How does squid answer only the first request and ignore the next?

    1252081058.075 3557 192.168.0.15 TCP_MISS/200 2994 GET http://www.atarihq.com/tsr/manuals/dw1.txt – DIRECT/216.97.232.91 text/plain
    1252081058.167 3430 192.168.0.15 TCP_MISS/200 2994 GET http://www.atarihq.com/tsr/manuals/dw1.txt – DIRECT/216.97.232.91 text/plain
    1252081060.326 5357 192.168.0.15 TCP_MISS/200 26196 GET http://www.atarihq.com/tsr/manuals/dw1.txt – DIRECT/216.97.232.91 text/plain

  7. Hi Amit,
    I didn't get your boss's IP but I assumed that "manage" is what your boss is using; just try this:
    in the /etc/squid/squid.conf file (#vim /etc/squid/squid.conf) just edit
    "http_access deny mynetwork 4win !manage"
    and restart the squid service.

  8. I need help. I am using proxy authentication. I followed the maxconn but it seems not to be working. I try to connect using the same username at the same time. Both usernames get connected. I only want one username to be able to connect at the same time, and deny the other user once the first one is connected.

    auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
    auth_param basic children 1
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours
    auth_param basic casesensitive off

    acl ncsa_users proxy_auth REQUIRED
    http_access allow ncsa_users

    acl losers src 192.168.111.0/24
    acl 5CONN maxconn 1
    http_access deny 5CONN losers
