Re: [squid-users] Trouble with Session Handler

From: Cemil Browne <cemilb_at_gmail.com>
Date: Sat, 26 Jul 2014 09:09:01 +1000

Hi Amos,

Thanks so much for the prompt reply. I've got it working, but
please see inline below:

On 25 July 2014 21:30, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 25/07/2014 7:13 p.m., Cemil Browne wrote:
>> Hi all, I'm trying to set up a situation as follows: I have a web
>> server at [server]:80 . I've got squid installed on [server]:3000 .
>
> This is back to front.
>
> Squid should be the gateway listening on [server]:80, with the web
> server listening on a private IP of the machine, also port 80 if
> possible (ie localhost:80).

Agreed - for testing purposes at this point, final IPs/Ports TBD.
Thank you for the advice.
>
>
>> The requirement is to ensure that any request to web server protected
>> content (/FP/*) is redirected to a splash page (terms and conditions),
>> accepted, then allowed. I've got most of the way, but the last bit
>> doesn't work. This is on a private network.
>>
>> Squid config:
>>
>> http_port 3000 accel defaultsite=192.168.56.101
>> cache_peer 127.0.0.1 parent 80 0 no-query originserver
>>
>>
>> external_acl_type session ttl=3 concurrency=100 %SRC
>> /usr/lib/squid/ext_session_acl -a -T 60
>>
>> acl session_login external session LOGIN
>>
>> external_acl_type session_active_def ttl=3 concurrency=100 %SRC
>> /usr/lib/squid/ext_session_acl -a -T 60
>>
>
> Each of the above two external_acl_type definitions runs different
> helper instances. Since you have not defined an on-disk database that
> they share, the session data will be stored in memory for whichever one
> is starting the sessions, but inaccessible to the one checking if the
> session exists.

Interesting - I've changed this and it works, however, I was following
the instructions at:

http://wiki.squid-cache.org/ConfigExamples/Portal/Splash

Which has two different external_acl_type definitions - agreed that
the example at the wiki stores to disk, but I tried that as well.
Perhaps I stored to a file rather than a directory (/tmp/session.db)
and that's the issue?

>
>
>> acl session_is_active external session_active_def
>>
>
> What you should have is exactly *1* external_acl_type directive, used by
> two different acl directives.
>
> Like so:
> external_acl_type session ttl=3 concurrency=100 %SRC
> /usr/lib/squid/ext_session_acl -a -T 60
>
> acl session_login external session LOGIN
> acl session_is_active external session
>
>> acl accepted_url url_regex -i accepted.html.*
>> acl splash_url url_regex -i ^http://192.168.56.101:3000/splash.html$
>> acl protected url_regex FP.*
>
> Regex has implicit .* before and after every pattern unless an ^ or $
> anchor is specified. You do not have to write the .*

Thanks again - good to know.

>
> Also, according to your policy description that last pattern should be
> matching path prefix "/FP" not any URL containing "FP".
>
>>
>> http_access allow splash_url
>> http_access allow accepted_url session_login
>>
>> http_access deny protected !session_is_active
>>
>> deny_info http://192.168.56.101:3000/splash.html session_is_active
>
> It is best to use splash.html as a static page delivered in place of the
> access denied page:
> deny_info splash.html session_is_active
>
> then have the ToC accept button URL be the one which begins the session.
>
> So stitching the above changes into your squid.conf you should have this:
>
> http_port 192.168.56.101:80 accel defaultsite=192.168.56.101
> cache_peer 127.0.0.1 parent 80 0 no-query originserver
>
> external_acl_type session ttl=3 concurrency=100 %SRC
> /usr/lib/squid/ext_session_acl -a -T 60
>
> acl session_login external session LOGIN
> acl session_is_active external session
> deny_info /etc/squid/splash.html session_is_active
>
> acl accepted_url urlpath_regex -i accepted.html$
> acl splash_url url_regex -i ^http://192.168.56.101/splash.html$
> acl protected urlpath_regex ^/FP
>
> http_access allow splash_url
> http_access allow accepted_url session_login
> http_access deny protected !session_is_active
>
>
> Amos

Thanks again - I've made some minor tweaks to what you've put above
and this is now working. I really appreciate the help on this one -
got me over a serious hump!

Thanks,
Cemil
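An added worked model of the two points Amos makes above (a single helper instance owning the session table, and an anchored path regex for the protected area). This is example code written for this page, not code from the thread, from Squid, or from ext_session_acl; it assumes the helper line protocol "<channel> <key> [LOGIN|LOGOUT]" in, "<channel> OK|ERR" out, that in active mode (-a) only a LOGIN token starts a session, and that any successful check refreshes the idle timer (-T 60). The client addresses and URLs are constructed sample values.

```python
import re
from urllib.parse import urlsplit

IDLE_TIMEOUT = 60  # seconds; mirrors "-T 60" in the squid.conf above


class SessionHelper:
    """Model of one ext_session_acl instance: one process, one session table.

    Two instances never see each other's table, which is why the original
    config (two external_acl_type lines) could start a session in one
    helper and then fail to find it in the other.
    """

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.last_seen = {}  # key (%SRC, the client IP) -> last activity time

    def handle(self, line, now):
        """Answer one request line in the assumed helper protocol."""
        parts = line.split()
        channel, key = parts[0], parts[1]
        token = parts[2].upper() if len(parts) > 2 else None
        if token == "LOGOUT":
            self.last_seen.pop(key, None)
            return f"{channel} OK"
        if token == "LOGIN":  # active mode: only LOGIN creates a session
            self.last_seen[key] = now
            return f"{channel} OK"
        seen = self.last_seen.get(key)
        if seen is None or now - seen > self.idle_timeout:
            self.last_seen.pop(key, None)  # expired or never started
            return f"{channel} ERR"
        self.last_seen[key] = now  # activity keeps the session alive
        return f"{channel} OK"


# The acl lines from the corrected config, as Python regexes.
ACCEPTED_URL = re.compile(r"accepted\.html$", re.I)                      # urlpath_regex
SPLASH_URL = re.compile(r"^http://192\.168\.56\.101/splash\.html$", re.I)  # url_regex
PROTECTED_ANCHORED = re.compile(r"^/FP")   # urlpath_regex ^/FP (Amos's version)
PROTECTED_LOOSE = re.compile(r"FP.*")      # url_regex FP.* (the original, unanchored)


def is_protected(path, anchored=True):
    """Show the regex point: without ^, any path containing "FP" matches."""
    pattern = PROTECTED_ANCHORED if anchored else PROTECTED_LOOSE
    return pattern.search(path) is not None


def decide(url, client_ip, helper, now):
    """Walk the http_access lines in order; the first matching line wins.

    Returns "allow", or "splash" for the deny that deny_info turns into the
    splash page. A request matching no line gets the opposite of the last
    line's action (the last line is a deny, so the default is allow).
    """
    path = urlsplit(url).path or "/"

    # http_access allow splash_url
    if SPLASH_URL.search(url):
        return "allow"

    # http_access allow accepted_url session_login
    # (the LOGIN token on the acl line is passed through to the helper)
    if ACCEPTED_URL.search(path):
        if helper.handle(f"0 {client_ip} LOGIN", now).endswith(" OK"):
            return "allow"

    # http_access deny protected !session_is_active
    # deny_info /etc/squid/splash.html session_is_active
    if PROTECTED_ANCHORED.search(path):
        if not helper.handle(f"0 {client_ip}", now).endswith(" OK"):
            return "splash"

    return "allow"


def walkthrough():
    """Constructed sample flow for one client: splash, accept, allowed, idle out."""
    helper = SessionHelper()
    ip = "192.168.56.5"
    return [
        decide("http://192.168.56.101/FP/report.html", ip, helper, now=1000),  # no session yet
        decide("http://192.168.56.101/accepted.html", ip, helper, now=1001),   # ToC accept starts it
        decide("http://192.168.56.101/FP/report.html", ip, helper, now=1002),  # now allowed
        decide("http://192.168.56.101/FP/report.html", ip, helper, now=1100),  # 98 s idle > 60 s
    ]


if __name__ == "__main__":
    print(walkthrough())  # ['splash', 'allow', 'allow', 'splash']
```

Note that with `%SRC` as the key, the session belongs to the client IP, so every machine behind one NAT address shares a single acceptance; if that matters on the final network, a different key format (or authenticated users) is the lever, not the http_access order.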
Received on Fri Jul 25 2014 - 23:09:08 MDT

This archive was generated by hypermail 2.2.0 : Sat Jul 26 2014 - 12:00:05 MDT