
Squid for the smallest. Part 4: Cutting the channel

In the previous topic we looked at programs for analyzing Squid logs, which show who went where and when, and how large the downloaded files were. Great, now you can “blackmail” the people downloading porn or sitting in social networks. The best continuation of this epic (nobody knows when it will end :) will be limiting the download speed for various groups of people. Well, are you ready? :) Go…
Earlier parts:
Introduction to SQUID
Customization
Statistics

Getting started. Creating ACLs


Create ACL groups:
acl mp3_deny src "/etc/squid/lists/mp3_deny_users"
acl super_users src "/etc/squid/lists/super_users"
acl deny_all src "/etc/squid/lists/deny_all_users"

So we have created lists, or rather three groups of users whose addresses are kept in files. Since the IPs were handed to me, and nobody agrees on what may be downloaded and what may not, it is easier to write their IPs into a file than to create ranges, but do as you like :)
acl mego_super_user src 192.168.0.0-192.168.0.255 # =)
Example of the contents of a list file:
nano /etc/squid/lists/mp3_deny_users
192.168.0.213
192.168.0.75
192.168.0.52
195.168.0.254

Now it's time to create ACLs for the file types we are going to restrict:
acl mobile urlpath_regex -i (\.thm|\.sis|\.swf|\.jad|\.jar|\.3gp|\.mp4)((\#|\&|\?|\s){1}|$)
acl multimedia urlpath_regex -i (\.swf|\.mp3|\.m3u|\.flv|\.wav|\.vqf|\.avi|\.wmv|\.mpeg|\.mp|\.asf|\.mpe|\.dat|\.mpg|\.wma|\.midi|\.aiff|\.au|\.qt|\.ram|\.rm|\.iso|\.raw|\.mov)((\#|\&|\?|\s){1}|$)
acl archive urlpath_regex -i (\.tar.gz|\.gz|\.tar|\.zip|\.rar|\.cab|\.arj|\.lzh|\.ace|\.7-zip|\.gzip|\.uue|\.bz2|\.iso)((\#|\&|\?|\s){1}|$)
acl soft urlpath_regex -i (\.exe|\.msi|\.rpm)((\#|\&|\?|\s){1}|$)
acl mp3 urlpath_regex -i (\.wav|\.mp3|\.mp4)((\#|\&|\?|\s){1}|$)

The most important thing. What is a DELAY POOL?


Now that's all in place, and we need to deal with these delay pools, which some people don't dare touch because they don't understand them. And I'll tell you: if you get the idea, everything will be fine and there won't be any problems; if not, write in the comments and I'll write your delay pools for you until you do understand :)
Squid has three classes of delay pools; in plain language I'll keep calling them buckets. Suppose we have a bucket connected to a megabit channel: water is poured into it without restriction, except for the limit the provider set for us. You can create three kinds of buckets: the main bucket, a per-subnet bucket and a concrete bucket (for a specific IP). Let me chew it over once more: we have water in the main bucket (if you don't like the comparison, think of it as a buffer), and a squid sits in it handing out water to everyone who needs it.
delay_class 1 1 # creates the first bucket with a global limit
i.e. everyone who takes water from the first bucket gets the same restriction.
delay_class 1 2 # creates the first bucket with a per-network restriction, i.e. 192.168.0.0/24, or whatever you register yourself. Let me explain:
Suppose you have 3 subnets, 192.168.0.0, 192.168.1.0 and 192.168.200.0, with some number of downloaders in each. You have a 1024 kbit/s channel and you decided to give 340 kbit/s to each subnet. So Vasya from subnet 0 starts downloading a movie, then Petya from subnet 1 starts downloading a new Linux distro, and Masha starts downloading a new program for... for whatever...
In this situation each of them gets 340 kbit/s, i.e. 42 KB/s. If at this moment Fedya from subnet 0 decides to download something, he and Vasya share the speed in half and get 170 each; if 3 more downloaders join Petya, the speed is shared four ways and each gets 85. Masha, meanwhile, downloads alone... In total:
Channel 1024 (full load) {:
192.168.0.0_340 (full load) {:
Vasya: 170
Fedya: 170}
192.168.1.0_340 (full load) {:
Petya: 85
192.168.1.28: 85
192.168.1.30: 85
192.168.1.2: 85}
192.168.200_340 (full load) {:
Masha: 340}}

So what do we get: the one downloading a movie cuts the channel for the one who at that moment is downloading a very important file. And Masha's download bothers nobody, because at this stage it is the subnet bucket that gets cut, not the global one... I hope you understand. If not, loop back and read it again ;)
We continue ...
delay_class 1 3 # creates a bucket that cuts speed per IP
Here is our example, where you can study how the buckets act...
We see that Masha is cutting into the channel unfairly! What do we do? Right: cut the download speed of her software. How to cut the speed per file type we'll get to when working with the configs; for now I'll just say that we created the two regexes, archive and soft, precisely for this, and we clamp the hose on programs to as little as 50 kbit/s. Now, if you have not limited the speed on the subnet bucket (it is set to -1/-1), here is what that gives us:
Unlimited subnets:
Channel 1024 (full load) {:
192.168.0.0_470 (full load) {:
Vasya: 235
Fedya: 235}
192.168.1.0_470 (full load) {:
Petya: 117.5
192.168.1.28: 117.5
192.168.1.30: 117.5
192.168.1.2: 117.5}
192.168.200_80 (full load) {:
Masha: 80}}
As you can see, such a restriction gives the other participants in the exchange a noticeable gain through the buckets, but what would happen if you limited the subnet bucket to 340:
Channel 1024 (74% load) {:
192.168.0.0_340 (Full load) {:
Vasya: 170
Fedya: 170}
192.168.1.0_340 (Full load) {:
Petya: 85
192.168.1.28: 85
192.168.1.30: 85
192.168.1.2: 85}
192.168.200_80 (Full load) {:
Masha: 80}}
As you can see, in this situation only the people downloading from subnet 200, Masha's neighbours, win! What to limit and how is for you to decide; my business is to explain how it works, and to make recommendations.
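To make the arithmetic behind the three tables above reproducible, here is an added example (my own code, not from the post) that models the bucket hierarchy as max-min fair sharing: the channel is split between the subnet buckets, and each subnet's share between its hosts, with limits in kbit/s as in the tables and None standing for -1/-1. Exact arithmetic gives 472 per subnet in the unlimited case where the post rounds to 470.

```python
INF = float("inf")

def max_min_share(capacity, demands):
    """Water-filling: everyone gets min(demand, fair share); whatever the
    small claimants leave over is redistributed among those who want more."""
    alloc = {name: 0.0 for name in demands}
    pending, remaining = dict(demands), float(capacity)
    while pending and remaining > 0:
        fair = remaining / len(pending)
        satisfied = {n: d for n, d in pending.items() if d <= fair}
        if not satisfied:                  # everybody left wants more than the fair share
            for n in pending:
                alloc[n] = fair
            break
        for n, d in satisfied.items():     # small claimants get exactly what they asked for
            alloc[n] = d
            remaining -= d
            del pending[n]
    return alloc

def allocate(channel, subnets):
    """subnets: {subnet: (subnet_limit, {host: host_limit})} -> {subnet: {host: kbit/s}}.
    A subnet's demand is its own limit or the sum of its hosts' limits, whichever is lower."""
    cap = lambda x: INF if x is None else x
    subnet_demand = {s: min(cap(lim), sum(cap(h) for h in hosts.values()))
                     for s, (lim, hosts) in subnets.items()}
    per_subnet = max_min_share(channel, subnet_demand)
    return {s: max_min_share(per_subnet[s], {h: cap(l) for h, l in hosts.items()})
            for s, (lim, hosts) in subnets.items()}

def load_percent(channel, allocation):
    return 100 * sum(sum(h.values()) for h in allocation.values()) / channel

# Constructed scenario from the post: Vasya/Fedya in subnet 0, Petya plus 3 hosts in
# subnet 1, Masha in subnet 200 clamped to 80 kbit/s for her software download.
SUBNET_LIMITED = {
    "192.168.0.0":   (340, {"Vasya": None, "Fedya": None}),
    "192.168.1.0":   (340, {"Petya": None, "192.168.1.28": None,
                            "192.168.1.30": None, "192.168.1.2": None}),
    "192.168.200.0": (340, {"Masha": 80}),
}
# The same people with the subnet buckets set to -1/-1 (no limit).
SUBNET_UNLIMITED = {s: (None, hosts) for s, (_, hosts) in SUBNET_LIMITED.items()}

if __name__ == "__main__":
    for name, scenario in (("capped", SUBNET_LIMITED), ("unlimited", SUBNET_UNLIMITED)):
        print(name, allocate(1024, scenario))
```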
Going further ...

Working out an Internet traffic scheme


Now let's draw up a small scheme according to which we will hand out the Internet:

That seems to be all. I recommend first finding out who downloads what, and only then starting to cut the channel for them, because that is the surest way...

Working with the config


I will describe the situation from our example and comment in detail on all the parameters.
delay_pools 6 # how many pools (buckets) we define below
delay_class 1 2 # mp3 files for the mp3_deny group
delay_class 2 2 # subnet 0
delay_class 3 2 # subnet 1
delay_class 4 2 # subnet 200
delay_class 5 3 # Masha personally :)
delay_class 6 3 # the mego_super_user range
# Which of our ACLs stands for which subnet:
# subnet 0 - acl mp3_deny
# subnet 1 - acl super_users
# subnet 200 - acl deny_all
# delay_access rules are checked pool by pool, in order; a request lands in the
# first pool whose rules allow it
delay_access 1 allow mp3_deny
delay_access 1 allow mp3
delay_access 1 deny all
# as written: any request from an mp3_deny host, or any mp3 URL from anyone,
# lands in pool 1 (10 KB/s per host, see delay_parameters below)
delay_access 2 allow mp3_deny
delay_access 2 deny all
# subnet 0: 42 KB/s
delay_access 3 allow super_users
delay_access 3 deny all
# subnet 1: 42 KB/s
delay_access 4 allow deny_all
# one ACL per line, so that ANY of them puts the request into pool 4; several
# names on one delay_access line would all have to match at the same time
delay_access 4 allow mobile
delay_access 4 allow archive
delay_access 4 allow soft
delay_access 4 allow mp3
#delay_access 4 allow multimedia # uncomment to throttle these as well
delay_access 4 deny all
# subnet 200, plus the file types from the regex ACLs: 42 KB/s
delay_access 5 allow masha # acl masha src <Masha's address> must be declared above (not shown in the post)
delay_access 5 deny all
# Masha: 10 KB/s
delay_access 6 allow mego_super_user
delay_access 6 deny all
# Bucket sizes. Each field is restore_rate/max_size in bytes per second / bytes;
# -1/-1 means no limit. Class 2 takes aggregate + per host,
# class 3 takes aggregate + per network + per host.
delay_parameters 1 -1/-1 10000/10000 # unlimited total, 10 KB/s per host
delay_parameters 2 42000/42000 42000/42000
delay_parameters 3 42000/42000 42000/42000
delay_parameters 4 42000/42000 42000/42000
delay_parameters 5 10000/10000 10000/30000 10000/30000 # 10 KB/s; network and host buckets may burst to 30 KB
delay_parameters 6 50000/70000 30000/35000 10000/15000 # 50 KB/s total, 30 KB/s per network, 10 KB/s per host

That's all; the sixth bucket is the most interesting one:
each host in it downloads everything at 10 KB/s; if the subnet as a whole exceeds its limit, the network bucket starts cutting the channel,
and if hosts from the other subnets are downloading too and there are more than two of them, the aggregate bucket cuts the speed again...
If you are on FreeBSD (“fryakha”), be sure to build Squid with the --enable-delay-pools option!
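An added example (my own code, not from the post) that lints the delay-pool part of a squid.conf fragment for the mistakes that are easy to make in a config like the one above: an ACL name used in delay_access that was never declared, a delay_parameters line with the wrong number of buckets for the pool's class, a missing delay_parameters line, and several ACL names on one allow line (which Squid treats as AND). It assumes the class-to-bucket-count mapping for classes 1 to 4 and that only `all` is predefined (Squid 3.2+); the sample config is constructed.

```python
import re
from collections import defaultdict

# Assumed: delay_parameters needs one bucket per class level (1: aggregate,
# 2: +per host, 3: +per network, 4: +per user); 'all' is predefined only in Squid 3.2+.
BUCKETS_PER_CLASS = {1: 1, 2: 2, 3: 3, 4: 4}
BUILTIN_ACLS = {"all"}

def lint_delay_pools(conf):
    """Return a list of problems found in a squid.conf fragment (empty list = clean)."""
    acls, classes, params, access = set(), {}, {}, defaultdict(list)
    for raw in conf.splitlines():
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()  # drop comments
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "acl" and len(tok) >= 3:
            acls.add(tok[1])
        elif tok[0] == "delay_class":
            classes[int(tok[1])] = int(tok[2])
        elif tok[0] == "delay_parameters":
            params[int(tok[1])] = tok[2:]
        elif tok[0] == "delay_access":
            access[int(tok[1])].append((tok[2], tok[3:]))
    problems = []
    for pool, cls in sorted(classes.items()):
        need, got = BUCKETS_PER_CLASS.get(cls), params.get(pool)
        if got is None:
            problems.append(f"pool {pool}: no delay_parameters line")
        elif need and len(got) != need:
            problems.append(f"pool {pool}: class {cls} needs {need} bucket(s), got {len(got)}")
        for action, names in access[pool]:
            for n in names:                       # '!name' negates an acl, still must exist
                if n.lstrip("!") not in acls | BUILTIN_ACLS:
                    problems.append(f"pool {pool}: delay_access uses undeclared acl '{n}'")
            if action == "allow" and len(names) > 1:
                problems.append(f"pool {pool}: '{' '.join(names)}' must all match at once (AND); use one acl per allow line for OR")
    return problems

# Constructed fragment carrying the mistakes the linter is meant to catch.
SAMPLE_CONF = r"""
acl mp3_deny src "/etc/squid/lists/mp3_deny_users"
acl mp3 urlpath_regex -i \.mp3$
delay_class 1 2
delay_class 2 3
delay_access 1 allow mp3_deny_src   # typo: the acl is called mp3_deny
delay_access 1 deny all
delay_access 2 allow mobile archive soft mp3
delay_parameters 2 42000/42000 42000/42000
"""
```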
PS I tried very hard to chew everything over as clearly as possible. If I helped you figure it out, it means I wrote this topic for good reason, and I'll be very happy. If something is not clear, ask questions; I will be sure to answer.
PSS The default Squid configuration helped me write all this; if you start reading it, you will find out a bunch of new things!
PSSS Dear KorP, unfortunately there is no time for the domain right now, so I am writing while there is still something in my head.
UPD.
reply_body_max_size 1000 allow all # a file larger than 1 kilobyte will not be downloaded

Crosspost from my blog


Source: https://habr.com/ru/post/57085/

