On 31/10/20 1:34 pm, roee klinger wrote:
> Hey,
> I have Squid configured to send users to different outgoing interface like so:
> ..
> auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/htpassword
> acl acl_for_user3002 proxy_auth user2
> tcp_outgoing_address 192.168.8.12 acl_for_user3002
> http_port 3002 name=3002

No need to name a *_port like this. The default name is the first
parameter string ("3002" on this line).

> http_access allow authenticated
> ..
> When I wanted to change the username:password for user2, I run a bash script to change it
> in squid.conf and also in htpassword and then I run "squid -k reconfigure", if
> I don't reconfigure the old user still has access to the proxy and the new one doesn't
> for about 30 minutes.

No need to restart for that change. The helper you have there will
automatically detect changes to the htpassword file and reload it.
It is a little odd that the new user was not able to authenticate. Check
that your test did not look up and cache a non-existence result for them
prior to being added.
The delay is due to the credentials being valid for a period of time. To
reduce workload on the auth system Squid caches credential details for a
while.
Set "auth_param basic credentialsttl " to shorter values to reduce the
delay (default is 2hrs).

> I am expecting to have 100s of users soon that will change credentials often,
> and also I would like to blacklist websites often and on the fly, so I was
> searching for a better way to manage this without reconfiguring every time,
> since sometimes a reconfigure can take up to 10-15 seconds.

This helper does not need a reconfigure at all as far as I can tell from
the code.
All the reconfigure was doing for you previously was triggering an early
prune of the records in the credentials cache. Probably why you saw
about 30min delay instead of about 2hrs.

> I am new to Squid and wasn't able to find any info on this, am I doing this
> currently or there is a better way to change users/ACLs on the fly without
> reloading Squid?

Config changes in squid.conf itself need a reconfigure or sometimes a
restart.
For auth and ACLs whose values come into Squid from a helper it
depends on the helper itself. Most can auto-detect changes to their
background databases and not need anything from Squid to update the
outputs. All helpers do have some form of caching of their results by
Squid, so there are settings in squid.conf to tune that to your needs -
as you can see from the auth issue above.
For ACLs with values that are expected to change often it is best to use
an external_acl_type helper that manages the updates or fetches from
somewhere the updates are handled without a reload.
Amos
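
The external_acl_type approach recommended in the reply above, as an added example that is not part of the original thread and is not Squid's own code: a helper that re-reads a domain blocklist whenever the file's mtime changes, so edits apply without `squid -k reconfigure` once Squid's cached answer expires. The helper name, file paths, ACL names and TTL values are assumptions, and the old-style `%DST` format code (requested host) is assumed to be accepted by the Squid version in use.

```python
#!/usr/bin/env python3
# Squid external ACL helper (added example): OK if the requested host is listed.
# Assumed squid.conf wiring; helper name and paths are hypothetical:
#   external_acl_type blocklist ttl=60 negative_ttl=60 %DST /usr/local/bin/blocklist_helper.py /etc/squid/blocked_domains.txt
#   acl blocked external blocklist
#   http_access deny blocked
# ttl/negative_ttl bound how long Squid caches each OK/ERR answer.
import os
import sys


class Blocklist:
    """Domain set backed by a text file, re-read when the file's mtime changes."""

    def __init__(self, path):
        self.path, self.mtime, self.domains = path, None, set()

    def refresh(self):
        try:
            mtime = os.stat(self.path).st_mtime_ns
            if mtime == self.mtime:
                return
            with open(self.path, encoding="utf-8") as fh:
                entries = [line.strip().lower().lstrip(".") for line in fh]
        except OSError:
            return  # file missing or mid-replace: keep the last good list
        self.domains = {e for e in entries if e and not e.startswith("#")}
        self.mtime = mtime

    def is_blocked(self, host):
        """True if host or any parent domain is listed (label-wise suffix match)."""
        self.refresh()
        labels = host.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.domains for i in range(len(labels)))


def answer(blocklist, request_line):
    """Map one request line (the %DST value) to the helper reply."""
    host = request_line.strip()
    return "OK" if host and blocklist.is_blocked(host) else "ERR"


if __name__ == "__main__":
    blocklist = Blocklist(sys.argv[1])
    for line in sys.stdin:  # one lookup per line (no concurrency channel IDs)
        # Squid waits on every reply, so flush instead of buffering.
        print(answer(blocklist, line), flush=True)
```

Writing the blocklist to a temporary file and renaming it into place keeps the helper from ever reading a half-written list.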