[ILUG] Re: time based acl's for squid.

[Francis Daly]

On 08/08/06, Owen O' Shaughnessy <owen.oshaughnessy at gmail.com> wrote:
> On 8/8/06, Barry O'Donovan wrote:

> > I would think that the real problem you may have with using Squid is
> > actually
> > kicking the user off once their time has expired.
>
> I don't percieve that to be a problem, can do ip address acl
> manipulation without having to restart squid (or at least my memory
> tells me so), so i don't believe any other acl is going to be
> different.

You shouldn't even have to do that much.

Proxy authentication works because the browser sends the credentials
with every http request, and squid (in theory) checks the credentials
against the authenticating service for every request. Unless the
authenticator okays it, the request is denied.

In practice, in order to avoid hammering the authenticator, squid
caches credential validity for a time period -- so if the first
request has valid credentials, any subsequent request with the same
credentials is accepted by squid without it talking to the back-end.

Lower the credential cache time to a couple of minutes, and your users
may get 62 minutes of access instead of 60, but they won't get
unlimited.

And the proxy authentication failure error message is clear enough
that the user should know what to do in order to continue.

This all assumes that the browser knows it is using a proxy -- it is
not clear to me that "transparent proxy with user authentication" is
something you can expect to work unless you control all of the
clients.

	f