online disconnect for authenticated user

I have a Linux box used as a proxy server. I am using Squid 2.5 with ntlm_auth, and I am using the squish script to deny users who exceed their traffic quota. This script sees who has exceeded his quota and appends his username to a text file; every user in this file is denied. But the following case still has a problem:
For example, a user is downloading a 900MB file and the quota is 100MB. The user will be denied after he finishes his download and will not be disconnected, but while he is downloading, after he exceeds his quota he will be denied from opening any new page or starting a new download. I want to disconnect him directly after he reaches his limit. Can anyone help?
Gabriel Orozco (Solution Architect) commented:
Yes, there is another option.

Squid will not add to the downloaded bytes until it has downloaded the content, so that is why that file goes through.

However, you can limit a transfer stream using iptables to no more than 100MB, as in your example:

 Setting transfer quotas with quota*
Setting transfer quotas can be very useful in many situations. As an example, a lot of broadband users will have download quotas set for them by their ISP and many may charge extra for every megabyte transferred in excess of this quota. You can use iptables to monitor your usage and cut you off when you reach your quota (say 2GB) with a rule similar to the following:

-A FORWARD -p tcp -m quota --quota 1025000 -j ACCEPT

You can then view your usage with the following command:
$ iptables -v -L

You would also need to reset the quota every month manually (by restarting iptables) or with a cron job. Clearly your computer would need to be 'always-on' for this example to be of any use, but there are also many other situations where the quota extension would be useful.
This has to do with how often squid checks the quota.

Once a connection is established, the default rule would be to not check again until the next connection attempt.

What you want is a mid-connection quota check based on some timeout rule or other known quantity.

However, based on my (brief) re-reading of the documentation of squid, and squidguard, I don't see where this is possible.

The closest thing I came to was a "connection timeout" that wouldn't allow a connection for more than a certain time.

This would actually work: have your users use "download managers". Then limit the number of connections from each IP, then limit the duration of each connection; the download manager would then have to "resume" later when there was quota available.

Don't know if this is what you want, but it might work for you.
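The two answers above disagree on where the cut-off can happen: squish only sees a transfer after Squid has logged it, so an in-flight download runs to completion, while an iptables quota rule counts bytes as they leave the box and stops matching the moment the budget is gone. The script below is an added example written for this page, not code from the thread, from squish or from Squid. It sums the bytes Squid has already logged per user from a native-format access.log, works out how much of a 100MB quota is left, and prints the iptables rules that would let exactly that many more bytes reach the client before resetting the stream. Everything specific is assumed: Squid on port 3128, one client IP per NTLM user (iptables cannot see usernames), the native log field order (timestamp, elapsed, client, code/status, bytes, method, URL, user, ...), and constructed sample log lines in place of a real log.

```shell
#!/bin/sh
# Added example (not from the thread): turn squid's access.log into per-client
# iptables quota rules so the cut-off happens mid-transfer, not after it.
# Assumptions (hypothetical): squid listens on 3128, each user always comes
# from one client IP, quota is 100 MB, native squid log format with the
# username in field 8 and the byte count in field 5.

QUOTA_BYTES=104857600          # 100 MB, hypothetical quota
SQUID_PORT=3128                # assumed proxy port

# Constructed sample log lines standing in for /var/log/squid/access.log.
SAMPLE_LOG='1100000001.123   5000 10.0.0.5 TCP_MISS/200 60000000 GET http://example.com/a.iso alice DIRECT/93.184.216.34 application/octet-stream
1100000002.456    200 10.0.0.5 TCP_HIT/200 1500 GET http://example.com/ alice NONE/- text/html
1100000003.789   3000 10.0.0.7 TCP_MISS/200 20000000 GET http://example.com/b.iso bob DIRECT/93.184.216.34 application/octet-stream'

# used_bytes USER LOGTEXT -> bytes squid has already logged for USER
used_bytes() {
    printf '%s\n' "$2" | awk -v u="$1" '$8 == u { s += $5 } END { print s + 0 }'
}

# remaining_bytes USER LOGTEXT -> quota left for USER, never negative
remaining_bytes() {
    used=$(used_bytes "$1" "$2")
    if [ "$used" -ge "$QUOTA_BYTES" ]; then
        echo 0
    else
        echo $((QUOTA_BYTES - used))
    fi
}

# quota_rules CLIENT_IP REMAINING -> the iptables commands (echoed, not run)
# The quota match keeps accepting squid->client packets until REMAINING bytes
# have passed; after that the REJECT rule resets the stream in flight.
quota_rules() {
    ip=$1; left=$2
    [ "$left" -gt 0 ] && echo "iptables -A OUTPUT -d $ip -p tcp --sport $SQUID_PORT -m quota --quota $left -j ACCEPT"
    echo "iptables -A OUTPUT -d $ip -p tcp --sport $SQUID_PORT -j REJECT --reject-with tcp-reset"
}

# Stand-alone run: show what would be installed for the constructed log.
# The user:ip mapping is assumed; a real deployment would take it from DHCP
# leases or the access.log client column.
for entry in alice:10.0.0.5 bob:10.0.0.7; do
    user=${entry%%:*}; ip=${entry##*:}
    quota_rules "$ip" "$(remaining_bytes "$user" "$SAMPLE_LOG")"
done
```

Two caveats matter before running the output for real. The ACCEPT/REJECT pair must come before any broader ACCEPT already in OUTPUT (use `-I` or a dedicated chain rather than `-A` if the chain is not empty), and the quota counter lives in the kernel rule, so it restarts from the full amount whenever the rules are reloaded, which is why the script recomputes the remainder from the log each time instead of trusting a counter. The quota match also counts bytes at the IP layer, headers included, so the kernel-side cut-off lands slightly before Squid's own byte count would say the quota is spent.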

ahfaris (Author) commented:
I think there is a way to stop a user until his quota limit is renewed. Does anyone have another opinion?