Slashdot Mirror


Metered HTTP Proxy?

Jon asks: "My brother-in-law has three teenage daughters. The only thing that he has to hold over their head is being online. I am trying to find him an HTTP proxy server that has metering built in. I started with Squid which has the authentication stuff in it but we would like something where we could allocate minutes, like some of the WiFi stuff you encounter at a hot spot."

6 of 138 comments

  1. OpenBSD's Authpf by jhealy1024 · · Score: 2, Informative

    Have you considered OpenBSD's Authpf? Here's the description and man page.

    It runs on an OpenBSD firewall (which may be a pain for you; not sure what you've got installed already).

    Anyway, what it does is it prevents packets from flowing UNLESS the user has authenticated to the firewall via an ssh session. From there, the packets are tagged as belonging to the user, and you can deal with a particular user's packets as you wish (prioritize, block, redirect, etc).

    If you could apply standard login controls (amount of time, time of day, etc), then you can effectively limit access to the internet with the same granularity...

  2. Suggestion by Geoffreyerffoeg · · Score: 3, Informative

    Enough other posters have said that the principle behind this is a bad idea, so instead of reiterating that, I'm going to comment on the technical method of metering HTTP usage.

    First, if it's just time restrictions, you can probably use your router's features. My router's setup page lets me block access from an IP range to a port range between a time range; I've used this to block a spam daemon on my mom's computer from getting to port 25 [yes, this blocked normal e-mail], or to block myself from wasting time past 7PM.

    Barring that, I'd suggest writing your own server, or getting someone to do so for you. An HTTP server and a client are not hard to write; I wrote them in about a week of classtime each (got bored in my programming class). Or you can simply put a Perl script together that uses standard modules. Once you have a client and a server, it's a simple matter to tie them together, totaling the number of bytes transferred into a variable/disk file.

    On a completely unrelated and stupid-sounding idea: does Apache stop serving when it can't write to log files? If so, just make it log proxy requests to a floppy disk.
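
The tallying step suggested in the comment above, sketched against Squid's native access.log rather than a hand-written proxy (an added example, not part of the original thread). The function names, the sample log lines, and the rule that a minute counts as used when an authenticated user has at least one request logged in it are all assumptions of this sketch.

```python
from collections import defaultdict

# Constructed sample in Squid's native access.log layout:
# time elapsed_ms client result/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1100000000.120    95 192.168.1.21 TCP_MISS/200 10240 GET http://example.com/ alice DIRECT/192.0.2.10 text/html
1100000030.500    40 192.168.1.21 TCP_HIT/200 2048 GET http://example.com/a.css alice NONE/- text/css
1100000075.000   310 192.168.1.21 TCP_MISS/200 51200 GET http://example.com/b.jpg alice DIRECT/192.0.2.10 image/jpeg
1100000400.000    80 192.168.1.22 TCP_MISS/200 4096 GET http://example.org/ beth DIRECT/192.0.2.20 text/html
1100000410.000     0 192.168.1.23 TCP_DENIED/407 1500 GET http://example.net/ - NONE/- text/html
not a log line
"""

def tally(lines):
    """Return {user: {"minutes": n, "bytes": n}} from access.log lines."""
    minutes = defaultdict(set)   # user -> distinct wall-clock minutes with traffic
    nbytes = defaultdict(int)    # user -> bytes delivered to the client
    for line in lines:
        f = line.split()
        if len(f) < 10:
            continue             # truncated or foreign line
        try:
            ts, size = float(f[0]), int(f[4])
        except ValueError:
            continue
        user, result = f[7], f[3]
        if user == "-" or result.startswith("TCP_DENIED"):
            continue             # unauthenticated or refused: charge nobody
        minutes[user].add(int(ts // 60))
        nbytes[user] += size
    return {u: {"minutes": len(minutes[u]), "bytes": nbytes[u]} for u in minutes}

def over_quota(usage, allowance_minutes):
    """Users whose active minutes exceed their allowance (no entry = 0 minutes)."""
    return sorted(u for u, s in usage.items()
                  if s["minutes"] > allowance_minutes.get(u, 0))

if __name__ == "__main__":
    usage = tally(SAMPLE_LOG.splitlines())
    for user, stats in sorted(usage.items()):
        print(user, stats)
    print("over quota:", over_quota(usage, {"alice": 1, "beth": 30}))
```

Keying on the authenticated user name rather than the client IP keeps the count attached to the person when machines are shared, and it only works if the proxy refuses unauthenticated requests.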

  3. Re:Why? by St.+Arbirix · · Score: 2, Informative

    When I was growing up there were no arbitrary rules and no metering. I basically had 150 hours a month of internet. Did my parents try to get me off? Yes. How hard was it for them to actually get me off it without me seeing them as rivals against my wants? Impossible. All the kind pleas were easily countered with "Yeah, hold on." and "Oh, wait, lemme finish this." They held and it never finished. In the end I'd spend hours on end on the computer, sometimes so much that people couldn't call the house. If only my parents had resorted to something like that. I could have done all my truly useful internetting in metered time. Everything past the first couple hours was waste.

    Quite simply, I'm sick of seeing so much of the temperance s*** going around. I feel all kinds of regret and spite because no one ever forced me to get off of my ass and do something towards my grades or my friends or some sort of hobby. I'm having to learn all of that stuff the hard way now that I'm in college and I see so many other people growing up just like me totally unprepared to stop f***ing around and get things done.

    --
    Direct away from face when opening.

  4. perhaps not perfect by kayen_telva · · Score: 2, Informative

    http://www.softforyou.com/ip-index.html
    http://www.akrontech.com/

  5. Re:OpenBSD's Authpf or an equivalent by jazman_777 · · Score: 2, Informative

    And on and on.

    So if OpenBSD is a firewall box, you control the incoming packets on the internal NIC--redirect all incoming port 80 to 3128: squid as transparent proxy. http://www.benzedrine.cx/transquid.html

    --
    Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.

  6. Re:Same need here, too... by TheLink · · Score: 2, Informative

    1) transparent HTTP proxying. e.g. Use squid as the web proxy and delay pools. squid -k reconfigure reconfigures squid.

    2) Use bandwidth control on your firewall (My internet gateway runs FreeBSD, IPFW, pipe and queue, and I give small outbound packets priority over outbound large ones, AND limit the outbound large packets to a certain bandwidth so that externals downloading stuff from my machine don't affect MY downloads and other network stuff much - this is because many of the important outbound packets related to my Internet experience are small - e.g. DNS, TCP-ACKs, TCP-SYNs, quake UDP packets ;). Of course this does clamp stuff a bit when sending mail or uploading files, I could tweak the rules a bit, but so far nobody seems to mind (including me ;) ).

    For incoming traffic, I give my computer 4 x the weighting compared to other PCs ;). That said, since my ISP's router decides what to stuff down my internet connection to my firewall and my firewall only gets to decide what to pass to the rest, I can only control TCP traffic somewhat - by dropping packets inbound TCP connections will tend to use less bandwidth. This isn't as effective for high latency connections. Other connectionless traffic like typical UDP/ICMP packets will fill my pipe at whatever rate the ISP's router decides to send them.

    I also have transparent web proxying active on the gateway as per 1) - the caching helps when updating windows on the various machines at home. To do that I configure squid to cache files that are up to a few hundred MB in size. The LFUDA caching policy might be helpful.

    In your father-in-law's case you probably would have to clamp his bandwidth to say half or quarter of your total download bandwidth. It'll still affect the interactivity and other latency dependent stuff like online games (since you don't have control over the ISP's router), but his TCP downloads should end up about whatever you set. If he's using something like UDP for downloading then I'm not sure what you can do about it - it does depend on whether the app has something "TCP like" at higher layers - e.g. doesn't keep blasting at max rate if there's no acknowledgement - not sure if all P2P apps are well behaved if using UDP.
