Setting up Delay Pools in Squid to slow down YouTube and Facebook on our proxy server

Those of us who manage (or have managed) servers in a company know that the first enemy of productivity is Facebook and YouTube. Because of these sites, employees who are paid to be productive, to work, have them open most of the time to entertain themselves, watch videos, chat with a friend, etc.

It doesn't matter that WhatsApp already exists, or that they have an Android smartphone and use WhatsApp to communicate with their friends; they just keep using Facebook chat and writing on the walls of their acquaintances.

The immediate solution? … Simple, it would be to completely block access to Facebook and YouTube on the proxy server, so they don't waste time and bandwidth accessing these sites. The problem with completely blocking access is the complaints, the penetrating and murderous glances from the employees towards us, the network administrator 😀

A better solution? … Well, this is where Squid's Delay Pools come in:

Delay pools is Squid's answer to bandwidth control and traffic shaping. This is done by limiting the rate the Squid returns data from its cache.

In other words, through Delay Pools I can specify that certain users will browse slower than the rest, or that access to certain sites will be slower. In short, they let me organize and manage the available bandwidth so that it is not wasted.

Therefore, the solution that I found to the problem already raised is the following:

  1. I allow access to these 'problem' sites
  2. I advise users to use other means to communicate with their acquaintances, I even say: «use Telegram or WhatsApp. Look, here you can download the WhatsApp application for Android or iOS, or for Nokia if you still have one of these.»
  3. On the proxy server I implement a Delay Pool to make access to Facebook and YouTube slow; this way not much bandwidth is consumed (it is needed for other tasks), and users, seeing that navigation through these sites is very, very slow, eventually give up.

Preconditions

We must have a proxy server with Squid installed, configured and fully functional.

Squid must have support for Delay Pools, which means that if you compiled Squid yourself, you should have compiled it with Delay Pools support. If you installed it from the repositories, everything will be fine.

Creating the conditions for the Delay Pools

The first thing is to create a file listing the IPs of the PCs that will get slower access to Facebook, because they are the ones that use these sites the most to fool around and are not exactly productive:

touch /etc/squid/ips-lentas

Then we edit the file with nano or add with echo the IPs one by one, for example 10.10.0.67 belongs to the secretary, who spends hours 'investing' time in the horoscope and games on Facebook:

echo "10.10.0.67" >> /etc/squid/ips-lentas

Now, we must edit the squid.conf file (located in /etc/squid/) to add the Delay Pools rules:

nano /etc/squid/squid.conf

In it we add this:

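    # IPs of the PCs to slow down, one per line
    acl usuarioslentos src "/etc/squid/ips-lentas"
    #SLOW YOUTUBE, FACEBOOK
    # one pool, of class 1
    delay_pools 1
    delay_class 1 1
    # restore/max, in bytes
    delay_parameters 1 1000/100
    # URLs that fall into the pool
    acl slow url_regex \.flv$
    acl slow url_regex \.mp4$
    acl slow url_regex -i watch?
    acl slow url_regex -i youtube
    acl slow url_regex -i facebook
    # pool 1 applies when both ACLs match
    delay_access 1 allow slow usuarioslentos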

What does this mean?

Simple:

  1. We first create a new rule (ACL) called usuarioslentos whose content or list will be whatever /etc/squid/ips-lentas contains
  2. Then we set the bandwidth for the Delay Pools, which will be 1 ... that is, as slow as possible, slow to death 🙂
  3. Next we create a rule called slow whose content will be all the URLs that contain a .flv or .mp4 file, watch, youtube or facebook … In this way we cover all of YouTube and Facebook.
  4. Finally we specify that usuarioslentos (the first ACL or rule created), whenever they access the slow sites (2nd ACL created), will have a speed of 1kbps, that is, very little bandwidth for them on those sites.
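What the restore/max pair in `delay_parameters 1 1000/100` does to a download, as an added example (not the author's code): restore is the number of bytes put into the bucket per second and max is the most the bucket can hold. The once-per-second refill, the full starting bucket and the function names are assumptions of this toy model.

```python
"""Toy model of the restore/max pair in `delay_parameters 1 1000/100`.

Assumptions (not from the article): the bucket is refilled once per second,
it starts full, and one client drains it as fast as the pool allows.
"""


def simulate(restore, max_bytes, size):
    """Return (ticks, trace) for delivering `size` bytes through the pool.

    restore   -- bytes added to the bucket at every one-second tick
    max_bytes -- bucket capacity; the level is clamped to this value
    ticks     -- number of one-second ticks in which data was delivered
    trace     -- bytes delivered in each tick
    """
    if restore <= 0 or max_bytes <= 0 or size < 0:
        raise ValueError("restore and max_bytes must be > 0, size >= 0")
    level = max_bytes                      # assumed: bucket starts full
    sent, trace = 0, []
    while sent < size:
        take = min(level, size - sent)     # only what is in the bucket can be read
        level -= take
        sent += take
        trace.append(take)
        level = min(level + restore, max_bytes)   # refill, clamped to max
    return len(trace), trace


def sustained_rate(restore, max_bytes):
    """Bytes per second once the initial burst is gone, under this model."""
    return min(restore, max_bytes)


def compare(size, settings):
    """Return {"restore/max": (ticks, first_tick_bytes, sustained_rate)}."""
    out = {}
    for restore, max_bytes in settings:
        ticks, trace = simulate(restore, max_bytes, size)
        out[f"{restore}/{max_bytes}"] = (
            ticks, trace[0], sustained_rate(restore, max_bytes))
    return out


if __name__ == "__main__":
    # 50 000 bytes is a constructed object size; the settings are the
    # article's 1000/100 plus two variants for comparison.
    settings = [(1000, 100), (1000, 1000), (100, 1000)]
    for name, (ticks, burst, rate) in compare(50_000, settings).items():
        print(f"{name:>9}: {ticks:4d} s, first second {burst} B, then {rate} B/s")
```

Under these assumptions a small max caps the sustained rate as well as the burst, so both numbers matter when tuning the pool.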

If you have a Squid whitelist, you will need to add the following to squid.conf:

http_access allow usuarioslentos

This assumes that access is granted by IP; if it is implemented by authentication (user & password, LDAP, etc.) it works the same, it is a matter of putting the users in ips-lentas instead of IPs.

If you are using Squid2 the folder is /etc/squid/; however, if you are using Squid3, the folder would be /etc/squid3/
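To check what the `slow` ACL really covers before relying on it, this added example (not the author's code) replays a few constructed requests against the same five patterns and reports what slips past or gets caught by accident. It assumes that for CONNECT (HTTPS) requests the proxy only sees `host:port`, and uses Python's `re` as a stand-in for Squid's regex engine; `SAMPLES`, `slow_hits` and `audit` are names made up for the illustration.

```python
import re

# url_regex lines of the article's `slow` ACL; the flag marks the ones with -i.
SLOW_ACL = [
    (r"\.flv$", False),
    (r"\.mp4$", False),
    (r"watch?", True),
    (r"youtube", True),
    (r"facebook", True),
]
COMPILED = [(pat, re.compile(pat, re.IGNORECASE if nocase else 0))
            for pat, nocase in SLOW_ACL]

# Constructed sample requests: (method, string the proxy sees, should it be slowed?)
# Assumption: a CONNECT request exposes only host:port to the proxy.
SAMPLES = [
    ("GET", "http://www.youtube.com/watch?v=EXAMPLE", True),
    ("GET", "http://media.example.org/clips/intro.mp4", True),
    ("GET", "http://media.example.org/clips/intro.mp4?start=10", True),
    ("GET", "http://media.example.org/clips/INTRO.MP4", True),
    ("CONNECT", "www.youtube.com:443", True),
    ("CONNECT", "www.facebook.com:443", True),
    ("CONNECT", "r1.googlevideo.com:443", True),
    ("CONNECT", "static.fbcdn.net:443", True),
    ("GET", "http://intranet.example/docs/watchdog-timer.html", False),
    ("GET", "http://intranet.example/payroll", False),
]


def slow_hits(url_seen):
    """Patterns of the `slow` ACL that match (lines sharing an ACL name are ORed)."""
    return [pat for pat, rx in COMPILED if rx.search(url_seen)]


def audit(samples):
    """Return (gaps, collateral).

    gaps       -- requests meant to be slowed that no pattern matches
    collateral -- requests not meant to be slowed that a pattern matches anyway
    """
    gaps, collateral = [], []
    for _method, url_seen, intended in samples:
        hits = slow_hits(url_seen)
        if intended and not hits:
            gaps.append(url_seen)
        elif hits and not intended:
            collateral.append((url_seen, hits))
    return gaps, collateral


if __name__ == "__main__":
    for method, url_seen, _ in SAMPLES:
        hits = slow_hits(url_seen)
        print(f"{method:8} {url_seen:55} {'DELAYED' if hits else 'full speed'} {hits}")
    gaps, collateral = audit(SAMPLES)
    print("not covered:", gaps)
    print("slowed by accident:", collateral)
```

Extending `SAMPLES` with lines taken from your own access.log turns this into a regression check for every change to the ACL.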

The end!

This post is obviously aimed at low bandwidth network administrators, or those who really want or need people to be productive. I know that many users will want to kill me because they do not want their universities or work centers to do this to them with these sites.

I hope it has been interesting to several, the potential of the Delay Pools and Squid is really extraordinary

regards



  1.   Juan Carlos said

    How vigilante you are brother ... let people navigate freely through cyberspace ...

    1.    KZKG ^ Gaara said

      It's not about being a "villain" or not, many times the choice to block or slow Facebook and YouTube is made by the Boss, not us.

      1.    anti-button said

        that does not take away the cobani.

      2.    Tokyo_Alive said

        I have to say that I lean on the Gaarita article, mine is something like this:
        delay_pools 4

        delay_class 1 1
        delay_class 2 1
        delay_class 3 1
        delay_class 4 1

        #delay_parameters 1 262144/262144
        #delay_parameters 2 524288/524288

        delay_parameters 1 524288/524288
        delay_parameters 2 262144/262144
        delay_parameters 3 28672/28672
        delay_parameters 4 8448/8448

        delay_access 1 allow National
        delay_access 4 allow GroupsStudents
        delay_access 1 allow PunishedSites !GroupsDirectors !GroupsDevelopment !GroupsInternet
        delay_access 3 allow ExtsDenied !National
        delay_access 3 allow PunishedUsers !National
        delay_access 2 allow NetLocalLan !National !GroupsDirectors !GroupsStudents !PunishedSites !ExtsDenied !PunishedUsers

    2.    x11tete11x said

      the good thing is that KZKG ^ Gaara doesn't block sites like http://buscon.rae.es/drae/srv/search?id=D7FntVIRHDXX2ZAwyBNN ....

      I think the reasons for the post are more than clear, I would like to see if you say the same thing, being you the one who puts the money for the internet connection and the one who pays the employees

  2.   Staff said

    "The problem with completely blocking access is the complaints, the penetrating and murderous glances from the employees towards us, the network administrator: D"
    lol
    While Facebook can be considered a means of communication (including internal), with YouTube the policy should always be total blocking, since it does not offer any help that cannot be obtained elsewhere, only entertainment, so the company's resources should not be available for that.
    At least in my country internet service is not cheap at all and no matter how much bandwidth you have, you can hardly compete against 20 - 50 teams watching videos at 720p or more.

  3.   x11tete11x said

    I would not want to be in a company where the network admin is KZKG ^ Gaara D: he is malevolent he has to know what more tricks he will have up his sleeve xD hahahahaha, instead of being mean and blocking access, he is cynical and ruthless D: he likes it watch their prey die slowly and painfully D: hahahaha

    Seriously speaking, I liked the post 😀 (my knowledge of servers is in its infancy but I'm sure that at some point this will help me xD)

    1.    KZKG ^ Gaara said

      haha believe me, having me as admin in the node is very bad if you are the type of user who wastes time and bandwidth 😀 ... I'm worse than a bulldog HAHAHA

      Thanks for your comments 🙂

    2.    Jorge Varela said

      At least in my company they are a little more generous, here they give you a quota time of 10 minutes of navigation for that type of XD sites.

  4.   mstaaravin said

    What a fucking tutorial ...

    That does not work at all, to start the videos themselves are not served from the url that one sees in the address bar, but from different domains (see the source of a video on youtube)

    Although it is almost always something like: ytimg.com
    And adding to all that, now YouTube goes over https, so it is NOT cacheable and it doesn't even go through squid control.

    1.    KZKG ^ Gaara said

      How friendly are the Argentines, right? 🙂

      I know perfectly well that the videos are not shown as a DD link in the URL, that's why in the first lines I see the .flv$ and .mp4$

      Regarding HTTPS or HTTP, YouTube will be slow either if it is HTTPS or HTTP, because the following was set:
      acl slow url_regex -i youtube

      I think it is self explanatory.

      Let me ask something, are you a serious system administrator or are you just coming here to bother? 🙂

      I'm asking because you have stated that the tutorial is crap, that it is useless, when in reality it is you who has not known how to interpret a few simple lines of code, I even explained them below.

      1.    Daniel said

        Hmn, don't put everyone in the same bag….

      2.    Hello said

        do not take into account that crazy Argentinian to criticize, you have to substantiate it is the minimum, you can see that he has no idea what that word means except an xDD code

      3.    mstaaravin said

        Wow ...

        I think I have interpreted quite well and just to get rid of the doubt I have tried it (and of course it does not work) ...
        That "1000/100" is not only badly placed, according to the official documentation that you can read here:
        http://www.squid-cache.org/Doc/config/delay_parameters/
        That 1000/100 means host / network therefore a host can NEVER have MORE than the total of the network.

        regards

        1.    elav said

          Mstaaravin:

          Even if my partner may be wrong, that does not mean that you have to come here to say that the post is bullshit. What's more, you could have corrected the mistake with all due respect. Now, back to the topic, in my experience (I've also been a network administrator) the 1000/100 is not bad at all.

          What 1000/100 does is that when the user has consumed 1000, it fills the bucket and automatically limits the connection to 100. This allows the user to quickly access a first request.

          Therefore, it is not unusual to use it both ways, it could even be 1000/1000, but what it should not be is 100/1000, it would not make any sense.

          And I may also be wrong to tell you this, but it is a sign that I am a human being and that therefore I would have to learn something else in this life.

          1.    KZKG ^ Gaara said

            If someone crosses out an article as "shit", I already just move on from that person and keep explaining.

      4.    snkisuke said

        Sorry KZKG ^ Gaara, luckily Argentines are not all like this character, in fact quite the opposite, it happens that people like him are everywhere. And unfortunately a stupid thing is more in the memory than 1000 good things.

      5.    rawBasic said

        Am I not kind .. -.-

        Let's relax, we are all human here and we can make mistakes ... ... anyway there are better ways to say things ...

        1.    x11tete11x said

          raw are you Argentinian: O? one day we have to get together all the Argentine DL boys in some flisol xD hahaha

        2.    KZKG ^ Gaara said

          I'm sorry, it was my mistake, that is, I was not trying to generalize ... according to your comment it is what it seems, but I know that not all Argentines are like that, Pablo (let's use Linux) is just an example 🙂

          1.    dwarf said

            Nah, fuck it, I'm not Argentine by birth but by descent, and shit, it's a stereotype son of a bitch that everyone is like that, my cousins and my family (although if they are several asshole fans of River xD) they are great.

            Other than that, so much talk about a third-rate firecracker? Pff, I've seen worse than him, in fact, I dealt with Courage more than all of you, and he listened to me JAH! xD

          2.    msx said

            @nano: worse if they were bosteros !!!!

          3.    msx said

            Ubuntu namesake LOL xD

      6.    msx said

        «How nice the Argentines are, right? :) »
        Tell me, I suffer them every day since I was born xD

        The worst thing is that we were not always this shitty country, in fact, at some point we were a country of cultured people, doca, educated ... but hey, in the 40s demagoguery and populism won the presidency in the form of a military man who imposed himself the rank of General and indoctrinated his entourage to shout louder when they were not right.
        That was the beginning of the pedantic, authoritarian and arrogant Argentina, of its mafia unionism, of its political, moral and social corruption.
        In fact, the subject is as serious as the famous phrase of George Orwell:
        "In a time of universal deceit - telling the truth is a revolutionary act."

        This was the Argentina that we lost and that this skinny guy recently discovered:
        Why Argentina? - Explained By A Yankee
        https://www.youtube.com/watch?v=DzYguA1r5cc
        A Yankee Teaching Pronunciation To Another Yankee
        https://www.youtube.com/watch?v=EZeHU9XVGe0

        Regards!

  5.   Hello said

    jojojo that macabre I like xDD so they will have more productive and less distracted employees xDD

  6.   chejomolina said

    excellent post that if it is nice to read it although I would be more interested in how to skip these types of restrictions hahaha is that right at work I am under a youtube delay pool and everything that is streaming

    1.    KZKG ^ Gaara said

      To bypass these types of restrictions you could use a VPN, a WebProxy that works over HTTPS and in the URL do not put anything related to the sites you visit.

  7.   A Tal Lucas said

    Very interesting companion, but for everything there is a solution. In my work the network administrator also tries in many ways to prevent access to certain sites. But google always helps us.

  8.   Mario Guillermo Zavala Silva said

    Thank you very much for the information !!!!

    GREETINGS !!

  9.   Manu said

    Haha, with this you get the opposite, that to see a video of 1 minute after 10, super productive! It is better to cut it in the bud.

    1.    elav said

      And when the video is more than 30 minutes? 😀

  10.   vidagnu said

    Interesting topic, I would use it to limit bandwidth to Internet browsing and thus give more bandwidth to more critical applications such as mail, VPN, or applications that run in the cloud.

    Limiting users must always be accompanied by policies, support from senior management and proper induction of the employee from the moment he is hired in hr on the correct use of network resources.

    I don't think YouTube is a complete waste of time, in a company where I was, YouTube was used as a training tool, since there are many tutorials on repair of industrial equipment, etc. Now the problem is if it is left completely open, that is why I say that the employee must know from the moment he is hired what he will have access to or not, and network administrators, based on this indication, must apply the appropriate restrictions for said profile .

  11.   charlie brown said

    At last, what I have been needing for a long time ... Let's see if I can implement it correctly, I can't wait to see the faces of the "addicts" who fool around all day and have the "narrow band" almost collapsed ...

    Excellent article and very helpful for those of us who have the misfortune of living in the key ...

  12.   federico said

    Very good article !!!. Read, Downloaded and Saved.

  13.   pandev92 said

    We should force that people do not enter the blogs when they work XD, since here everyone says that they are using windows because they are at work, therefore it means that they are being lazy at work XD

    1.    x11tete11x said

      hahahahahahahaha +10000000000000000000

  14.   frameworks said

    :O that is what more or less applies in the plans of my cell phone company 😛 slow you down, excellent thanks for the info 😀

  15.   lastnewbie said

    Question, seeing in wikipedia Squid is a proxy software, I would like to know what would be the difference between Squid and Endian Firewall if I wanted to block web pages? Which one would you recommend?

  16.   msx said

    "These sites make employees who are paid to be productive, to work, most of the time have these sites open to entertain themselves, watch videos, chat with a friend, etc."
    COOOMOO !! Aren't they paid for wasting time on irrelevant things !? Look! I thought its function was to relocate FB every 5 seconds! Anywhere I go and there are employees using a machine, everyone is FBeando ...

    "The problem with completely blocking access is the complaints, the penetrating and murderous glances from the employees towards us, the network administrator: D"
    Hahahaha, how I laughed at this, absolutely true !!!
    The problem is that - unfortunately - there are so many misplaced people that finally end up subverting the order of things so that you become the villain and they the victims when, if they did not abuse the facilities they have - for example access to FB, YT, etc. - it would not be necessary to impose rules of this kind on them. But of course, you are the hdp, the dirty man, the Nazi who "imposes restrictions on the freedom of navigation of the poor users", hehe.

    "Slow to death :)"
    Hahahaha, fuck yeah! xD

    EXCELLENT POST NENE, KEEP IT UP!

    1.    KZKG ^ Gaara said

      haha thanks 🙂
      A pleasure, I repeat ... a pleasure to read you here again. Of course friend, I sent the other comment to the trash, I think it is a bit risque hahahaha, there are times when you cannot say "aaa" to someone, even if that someone seems to be an "aaa"

      1.    msx said

        It seems perfect to me since it was actually for you. The next I will answer you through MP in the forum.
        Thanks for keeping this space clean!

  17.   edder.pg said

    Hello, thank you for sharing your experience and knowledge of the subject. I have a 3Mb connection, and around 100 devices (70% cell phones and 30% laptops), cell phones are almost always connected, I would like to use some delay pools to have a better network performance as far as possible, I was thinking in 4 pools as follows: # 1 for managers / IT (without site or speed restrictions) # 2 for registered users (with site and speed restriction). # 3 guests (restriction of sites and even lower speed). # 4 advertising / banners (lowest speed). I have a dhcp-squid-dansguardian, have static ip's been assigned to the identified users (managers, registered users) and have I left a range of ip's for the guests, any suggestions and / or comments to implement this improvement?

  18.   MelonSatin said

    Excellent post. Whenever I talk about this type of situation, I go to the laying hen farms that normally do not appear in the advertisements of the large distributors of food products (they would lose their fame). Focusing on the subject, each hen accesses from its cage to a feed container that contains the exact amount of food that it must "swallow" (industries do not usually waste) in proportion to the calories that the animal consumes moving (how little it can) in the space where his life passes. 1- The animal cannot die of starvation, 2- The amount of food must nourish the animal enough to carry out its purpose efficiently, 3- The kilo of feed has its value and appears in the accounts of Company "X" . Conclusion: The employee / cattle are not paid to take walks (mentally idle) in the office / farm. The network administrator must calculate exactly how many bytes the office installations will gobble up.

  19.   antonio said

    I think your article is very good, I am a newbie in linux, that I must modify so that the loading of youtube is not too slow. thanks

  20.   elf501 said

    very good really served me well, and I'm using it although I have complaints that the Internet is very slow but if I tell you which pages are there when they don't respond to me respon

  21.   manuel said

    hello, where should be placed in the squid configuration file what you mention or is it indistinct where it is placed?

  22.   migu3l said

    Dear I have tried your lines within my squid to "close the key" to youtube and facebook.
    The issue is that even so I have included "acl xxxx url_regex -i youtube" and "acl xxxx url_regex -i facebook" when looking at the traffic I don't see anything happening ...
    It will be very silly what I am asking but I do not see evidence that the acl works.
    I poll the facebook and youtube and they work flawlessly being that the download rate drops to die ...
    THANKS !!!

    1.    luchin said

      Try adding this:
      googlevideo.com
      akamaihd
      fbcdn
      youtu.be

  23.   hernan key said

    Hello everyone, especially to the creator of the post, I know that it is more than a year ago and perhaps that is why it does not work, in short, the problem is that when I try to slow YouTube it does not give me 5 ball, according I was finding out with colleagues that they are much more advanced than me in the linux environment they told me that with squid it is almost impossible to monitor https because even the url of the page is encrypted, and that is why YouTube passes through a pipe, I manage the network of a university and non-teaching staff live on YouTube listening to music, imagine how the bandwidth falls on the network, I wanted to know if someone could make it work recently or if they know of some effective method to do it in a transparent way, thank you, a greeting.

  24.   angel said

    Good morning, I just read your post and I find it interesting. You are a network administrator and I need guidance on how to block the youtube and facebook websites, and this seems to me the best way. My question is about Delay Pools: should I install it or is it already installed with squid3, and how do I verify this??? First of all, thanks

    1.    Brenner said

      Hello, the delay pool is active since version 2.6, I am now using 3.2 and yes, the delay options come with it. To the author of the post, thank you very much for helping us network administrators. I work at a university and it is a headache to receive calls from all users saying that the internet is slow. What I don't know if it can be done later is to create a list of ips that can have access to YouTube or social networks with a higher browsing speed.

  25.   Pablo said

    Hi,

    Let's say that you have any internal network 192.168.XY / 24 and do you want that the internet goes slow for everyone that wants to access porn sites. How can we accommodate delay pools and specify all porn sites manually.

    Thanks
    Pablo

  26.   Brenner said

    Another question I have is that I wanted to know if you have used the squidguard to block this type of page. I have killed myself searching the net and I have read comments that the squidguard does not see https traffic so it is impossible for me to block these accesses. This already limits me a lot but there are users who should not have youtube / facebook for the world. Thanks in advance for giving us network administrators tips to improve our network 🙂

  27.   Erly from Cuba said

    In truth I cannot say more than I am greatly impressed with the discussions presented here about an excellent post, very useful for us. My experience as a network administrator, here is the following, before due to national restrictions, free access to social networks was not allowed, such as face, youtube, and other sites such as gmail, hotmail, etc. But the question is that I have a simple bandwidth of 2mb and a quota of 1gb per day, for an entire health research and teaching institution, imagine how to distribute, so little, with many people adding a navigation room, with Clients light, which the bandwidth in itself does not reach the full 2mb, of that we are clear. Well what happens when opening, the possibility of accessing my users spend the damn day in FB, YT, Gmail, hotmail, tec, even trying to download thousands of things and how is it logical creating chaos in the bandwidth that's why I believe just what I publish in this post with the delay pool, now brother, I know that you are conservative, and as everyone says we are the bad guys of the movie, the hitler, but give him a help that they only navigate with good speed at the time lunch, and you will see how funny everything will be, or they go FB, etc or eat. hahahahaha I think they will eat. So I implemented it here and believe me, I was more assassin, I set them to 8kb / s. and holy remedy.
    So far my comment, my greetings and respects from Cuba Erly.

  28.   Luis Enrique CG from Cuba said

    Thanks for your blog, I've been looking for a while how to do this to achieve this goal, I'm very grateful to you, let's use linux….

  29.   martin said

    Hello,
    The post is well thought out and the issue of pools is somewhat interesting, but unfortunately the issue of HTTPs is somewhat complicated and squid doesn't handle it well at all. This is because in terms of traffic when a site is requested with HTTPs, the squid opens a CONNECT and has no references to it until it is closed. For this reason, the pools do not work on these types of encrypted connections.
    We are testing a variant that seems to work, which is using two proxy + pools + cache_peers.
    The idea is to pass to a second proxy all the sites that we want to slow down and to that second proxy to define a general pool for all the traffic that passes through it.
    regards

  30.   Alex said

    Thanks crazy, I have not taken it from copy paste, but it has helped me a lot to adapt it to my configurations. It has worked perfectly for me. Cheers!

  31.   Miguel said

    A question friend, the directory / etc / squid / does not exist, is it created at the time of squid configuration or should it be there? Regards.

  32.   Nimrod said

    Very well explained, I hope you check the comments. When I restart squid I get an error on the line: acl usuarioslentos src ...
    I do not know what could be, my server has enabled the login not by IP or MAC.
    regards