Squid web proxy
Links: linux/tinyproxy
2022 rate-limit certain clients through Squid 🐙🦑
https://www.serverwatch.com/guides/reining-in-bandwidth-with-squid-proxying/
- Config settings (class 1 , shared by all)
- delay_pools 1 ## Number of pools
- delay_class 1 1 ## pool_count class_ type
- # 256 Kbit/s fill rate, 1024 Kbit/s reserve
- delay_parameters 1 32000/128000 ## pool_coumt Rate_kB/s
- acl All src 0/0
- delay_access 1 allow All
- Config settings (class 2 , individual maxs kB/s)
- delay_pools 1 ## Number of pools
- delay_class 1 2 ## pool_count class_type
- # 256 Kbit/s fill rate, 1024 Kbit/s reserve, 64 per ip
- delay_parameters 1 32000/128000 8000/8000 ## pool_count Total_kB/s Indiv_kB/s
- acl All src 0/0
- delay_access 1 allow All
2022 - NTLM bad idea now
Update from AWS support for NTLM authentication not supported through loadbalancer.
The specific issue with NTLM and HTTP reverse proxies like ALB is that IIS processes the NTLM authentication and applies it to the TCP connection that the HTTP request came over. ALB re-uses these TCP connections to targets for requests from multiple clients. Since the backend target (IIS) has now authenticated a TCP connection for a user, the next request (possibly from a different user) will be considered authenticated as the original user. NTLM is outdated and should be avoided. You can use Kerberos authentication to essentially perform what Windows authentication does
2009
- My goal is to keep notes on how to enable Windows AD authentication on Squid3.x
http://www.papercut.com/kb/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory
I joined the domain using "net rpc join -S PDC -U Administrator" # wbinfo -t > checking the trust secret via RPC calls succeeded > # wbinfo -u # wbinfo -g
http://www.cyberciti.biz/faq/squid-ntlm-authentication-configuration-howto/
- Not tested
#auth_param negotiate program /usr/local/squid/bin/ntlm_auth --helper-protocol=gs s-spnego
domain=> [domain] auth_param ntlm program /usr/lib/squid3/ntlm_auth -d domain/serv1 domain/serv2
acl Ip_Block_Range url_regex [0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\:443 http_access deny Ip_Block_Range
Since FTP uses numeric IPs the Skype ACL must be exact including the port.
# Skype acl numeric_IPs url_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:443 acl Skype_UA browser ^skype^ http_access deny numeric_IPS http_access deny Skype_UA
...