Squid-Based Traffic Control and Management System
Listing 1. Fragments of the Functions clientWriteComplete() and clientReadRequest() from the src/client_side.c File
static void
clientWriteComplete(int fd,
                    char *bufnotused,
                    size_t size,
                    int errflag,
                    void *data)
{
    clientHttpRequest *http = data;
    ...
    if (size > 0)
    {
        kb_incr(&statCounter.client_http.kbytes_out,
                size);
/*-Here comes the SB section----------------------*/
#ifdef SB_INCLUDE
        if (http->request->auth_user_request)
        {
            if ( authenticateUserRequestUsername(
                     http->request->auth_user_request) )
                if (!clientdbUpdate_sb(
                        authenticateUserRequestUsername(
                            http->request->auth_user_request),
                        size) )
                {
                    comm_close(fd);
                    return;
                }
        }
#endif
/*------------------------------------------------*/
        if (isTcpHit(http->log_type))
            kb_incr(
                &statCounter.client_http.hit_kbytes_out,
                size);
    }
    ...
}
...
static void
clientReadRequest(int fd, void *data)
{
    ConnStateData *conn = data;
    int parser_return_code = 0;
    request_t *request = NULL;
    int size;
    void *p;
    method_t method;
    clientHttpRequest *http = NULL;
    clientHttpRequest **H = NULL;
    char *prefix = NULL;
    ErrorState *err = NULL;
    fde *F = &fd_table[fd];
    int len = conn->in.size - conn->in.offset - 1;
    ...
    /* Process request body if any */
    if (conn->in.offset > 0 &&
        conn->body.callback != NULL)
    {
        clientProcessBody(conn);
    }
    /* Process next request */
    while (conn->in.offset > 0 &&
           conn->body.size_left == 0)
    {
        int nrequests;
        size_t req_line_sz;
        ...
        /* Process request */
        http = parseHttpRequest(conn,
                                &method,
                                &parser_return_code,
                                &prefix,
                                &req_line_sz);
        if (!http)
            safe_free(prefix);
        if (http) {
            ...
            if (request->method == METHOD_CONNECT)
            {
                /* Stop reading requests... */
                commSetSelect(fd,
                              COMM_SELECT_READ,
                              NULL,
                              NULL,
                              0);
                clientAccessCheck(http);
/*-Here comes the SB section----------------------*/
#ifdef SB_INCLUDE
                if(http->request->auth_user_request)
                {
                    if (
                        authenticateUserRequestUsername(
                            http->request->auth_user_request
                        )!=NULL)
                    {
                        if(!clientdbCount_sb(
                               authenticateUserRequestUsername(
                                   http->request->auth_user_request)))
                        {
                            comm_close(fd);
                            return;
                        }
                    }
                }
#endif
/*------------------------------------------------*/
                break;
            } else {
                clientAccessCheck(http);
/*-Here comes the SB section----------------------*/
#ifdef SB_INCLUDE
                if(http->request->auth_user_request)
                {
                    if (
                        authenticateUserRequestUsername(
                            http->request->auth_user_request
                        )!=NULL)
                    {
                        if(!clientdbCount_sb(
                               authenticateUserRequestUsername(
                                   http->request->auth_user_request)))
                        {
                            comm_close(fd);
                            return;
                        }
                    }
                }
#endif
/*------------------------------------------------*/
                /* while offset > 0 && body.size_left == 0 */
                continue;
            }
        } else if (parser_return_code == 0) {
            ...
    /* while offset > 0 && conn->body.size_left == 0 */
    }
    ...
}
Thus, the mechanism is quite simple. Figure 2 shows the client request processing diagram from the point of view of our system. Each client request contains the user authentication information, including the user name. The function clientdbUpdate_sb() searches for the ClientInfo_sb record that corresponds to the user name obtained from the request. If no such record exists, it adds a new ClientInfo_sb record using the information from the authority files. Users who exceed their limit are disconnected immediately with the function comm_close(). The call to the function clientdbEstablished_sb() is also used to control the number of client requests and to save current user information into the authority files every SB_MAX_COUNT requests. The authority files are called passwd and group, by analogy with the UNIX files. The passwd file contains the user information, and the group file contains the user group information. Here are the descriptive samples:
`passwd':
#<name>:<full name>:<group id>:
#<current limit value>:<last limit update time>
tagir:Tagir Bakirov:1:6567561:12346237467

`group':
#<name>:<full name>:<group id>:
#<group limit value>:<group limit type>
users:BSPU users:1:10000000:D
There are three types of limit: D (daily), W (weekly) and M (monthly). The passwd and group filenames and paths can be set in the Squid configuration file squid.conf. This was implemented by modifying the squid.conf template file and the Squid configuration structure.
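The authority files are read inside the proxy's request path, so each line should be validated strictly before its numbers are trusted. The following is an added example, not code from the article or from Squid: it parses the two sample lines above and applies a limit check with D/W/M renewal. All sb_* names are hypothetical, and it assumes that the fourth passwd field holds the bytes remaining in the current period, that a month is 30 days, and that lines are shorter than 256 bytes.

```c
#include <stdio.h>   /* added example, not Squid code; all sb_* names are hypothetical */
#include <stdlib.h>
#include <string.h>
typedef struct { char name[32]; long long gid, left, updated; } sb_user; /* left: bytes remaining (assumed) */
typedef struct { long long gid, limit; char type; } sb_group;
static int split5(const char *line, char *buf, size_t n, char *f[5]) {
    int i = 0;                          /* returns 1 only for exactly 5 ':' fields */
    if (line[0] == '#' || strlen(line) >= n) return 0;    /* comment or oversized */
    strcpy(buf, line);
    buf[strcspn(buf, "\r\n")] = '\0';                     /* drop the line ending */
    for (f[0] = buf; (buf = strchr(buf, ':')) != NULL; f[i] = buf) {
        *buf++ = '\0';
        if (++i > 4) return 0;                            /* too many fields */
    }
    return i == 4;
}
static int num(const char *s, long long *out) {
    size_t n = strspn(s, "0123456789");   /* 1-18 digits only: no sign, no overflow */
    return n >= 1 && n <= 18 && s[n] == '\0' && (*out = strtoll(s, NULL, 10)) >= 0;
}
int sb_parse_user(const char *line, sb_user *u) {    /* one passwd line */
    char buf[256], *f[5];
    if (!split5(line, buf, sizeof buf, f) || !f[0][0] || strlen(f[0]) >= sizeof u->name) return 0;
    if (!num(f[2], &u->gid) || !num(f[3], &u->left) || !num(f[4], &u->updated)) return 0;
    strcpy(u->name, f[0]);
    return 1;
}
int sb_parse_group(const char *line, sb_group *g) {  /* one group line */
    char buf[256], *f[5];
    if (!split5(line, buf, sizeof buf, f) || !num(f[2], &g->gid) || !num(f[3], &g->limit)) return 0;
    if (strlen(f[4]) != 1 || !strchr("DWM", f[4][0])) return 0;   /* unknown limit type */
    g->type = f[4][0];
    return 1;
}
int sb_charge(sb_user *u, const sb_group *g, long long size, long long now) {
    long long days = g->type == 'D' ? 1 : g->type == 'W' ? 7 : 30;  /* M = 30 days: assumed */
    if (u->gid != g->gid || size < 0) return 0;           /* 0 = close the connection */
    if (now - u->updated >= days * 86400) { u->left = g->limit; u->updated = now; }
    if (size > u->left) { u->left = 0; return 0; }        /* limit exceeded */
    u->left -= size;
    return 1;                                             /* 1 = keep the connection */
}
int main(void) {                        /* the article's two sample lines */
    sb_user u; sb_group g;
    if (sb_parse_user("tagir:Tagir Bakirov:1:6567561:12346237467", &u) &&
        sb_parse_group("users:BSPU users:1:10000000:D", &g))
        printf("keep=%d\n", sb_charge(&u, &g, 567561, u.updated + 100));
    return 0;
}
```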
Here are the other slight changes in the Squid source code:
Global functions definition in the file src/protos.h.
ClientInfo_sb structure type definition in the file src/typedefs.h.
ClientInfo_sb structure identifier declaration in the structure list in the file src/enums.h.
ClientInfo_sb structure initialization in the memory allocation procedure memInit() in the file src/mem.c.
All of these changes were made by analogy with the code that maintains the original per-IP client database. We hope everything was done right.
Looking through our modifications, you may have noticed that all the code is placed inside conditional compilation blocks (#ifdef SB_INCLUDE ... #endif). The macro SB_INCLUDE is defined when the parameter --enable-sbclientdb is passed on the command line of the Squid configure script. This was done by regenerating the configure script from configure.in with autoconf after making some slight modifications.