<html><head></head><body><div class="ydp802d3e98yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;"><div></div>
        <div>Thanks Amos!<br></div><div>Comments inline</div><div><br></div>
        
        </div><div id="ydp25779dc1yahoo_quoted_2193787580" class="ydp25779dc1yahoo_quoted">
            <div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
                
                <div>
                    On Monday, June 24, 2019, 9:06:41 a.m. EDT, Amos Jeffries &lt;squid3@treenet.co.nz&gt; wrote:
                </div>
                <div><br></div>
                <div><br></div>
                <div><div dir="ltr">On 24/06/19 5:04 am, <a shape="rect" href="mailto:julien412@yahoo.fr" rel="nofollow" target="_blank">julien412@yahoo.fr</a> wrote:<br clear="none">> Hello,<br clear="none">> <br clear="none">> I'm trying to use Squid with Splash page and followed<br clear="none">> <a shape="rect" href="https://wiki.squid-cache.org/ConfigExamples/Portal/Splash " rel="nofollow" target="_blank">https://wiki.squid-cache.org/ConfigExamples/Portal/Splash </a>but I've got<br clear="none">> an issue with a redirection loop.<br clear="none">> Connecting to any web site redirects to splash page but splash page is<br clear="none">> redirected to itself in infinite loop until squid breaks it.<br clear="none">> <br clear="none">> This happens on Centos7/Squid 3.5.20, Ubuntu bionic/3.5.27 or 4.4 source<br clear="none">> build.<br clear="none">> <br clear="none">> Installed with ansible role with travis testing failing on redirection<br clear="none">> <a shape="rect" href="https://travis-ci.org/juju4/ansible-squid/jobs/549377518" rel="nofollow" target="_blank">https://travis-ci.org/juju4/ansible-squid/jobs/549377518</a><br clear="none">> <br clear="none">> This part should not happen<br clear="none">>               +< HTTP/1.1 302 Found<br clear="none">>               +< Server: squid/3.5.27<br clear="none">>               +< Mime-Version: 1.0<br clear="none">>               +< Date: Sun, 23 Jun 2019 15:04:22 GMT<br clear="none">>               +< Content-Type: text/html;charset=utf-8<br clear="none">>               +< Content-Length: 0<br clear="none">>               +< Location:<br clear="none">> <a shape="rect" href="http://localhost/splash.php?url=http%3A%2F%2Flocalhost%2Fsplash.php%3Furl%3Dhttp%253A%252F%252Fwww.google.com%252F" rel="nofollow" target="_blank">http://localhost/splash.php?url=http%3A%2F%2Flocalhost%2Fsplash.php%3Furl%3Dhttp%253A%252F%252Fwww.google.com%252F</a><br clear="none">>               +< X-Squid-Error: 403 Access Denied<br 
clear="none">>               +< X-Cache: MISS from default-splash-ubuntu-1804-1561301803<br clear="none">>               +< X-Cache-Lookup: NONE from<br clear="none">> default-splash-ubuntu-1804-1561301803:3128<br clear="none">>               +< Connection: keep-alive<br clear="none">> <br clear="none">> Config extract<br clear="none">>       external_acl_type splash_page ttl=60 concurrency=100 %SRC<br clear="none">> /usr/lib/squid/ext_session_acl -t 7200 -b /var/lib/squid/session.db<br clear="none">>        acl existing_users external splash_page<br clear="none">>        deny_info <a shape="rect" href="http://localhost/splash.php?url=%s " rel="nofollow" target="_blank">http://localhost/splash.php?url=%s </a>existing_users      <br clear="none">>        http_access deny !existing_users<br clear="none">> <br clear="none">> Any advices?<br clear="none"><br clear="none"><br clear="none">Couple of things:<br clear="none"><br clear="none">* this is a localhost URL. The client is expected to contact *its*<br clear="none">localhost, not use the proxy for the followup request. But that is not<br clear="none">related to the loop here.<br clear="none"><div><br></div><div>[J] Agreed. this line is commented to allow testing from localhost with splash page:<span> `http_access allow localhost`</span><br></div><br clear="none">* you need to check access.log to see whether the client src-IP is<br clear="none"><div>changing between requests. If it does that is the cause of the loop.</div><div><br></div><div>[J] It does not. I tested on private environment with different systems and src-IP stays the same as expected.<br></div><br clear="none"> - the test is broken: it configures Squid to send data to<br clear="none">access_custom.log *instead* of access.log, then tries to use the empty<br clear="none"><div>access.log as the test log output.</div><div><br></div><div>[J] I don't see any test on access.log. 
travis after_script includes access.log for convenience and missing access_custom.log which is the one relevant here. no serverspec tests<br></div><br clear="none"><br clear="none">* please add "-d" to the session helper command line options. That<br clear="none">should show what the helper is doing to declare "no session" when the<br clear="none">client feeds back the splash URL to the proxy.<br clear="none"><div><br></div><div>[J] tried both lines below but does not seem to work</div><div>`<span>external_acl_type splash_page ttl=60 concurrency=100 %SRC /usr/lib/squid/ext_session_acl -t 7200 -b /var/lib/squid/session.db -d`</span></div><div><span><span>`<span>external_acl_type splash_page ttl=60 concurrency=100 %SRC 
/usr/lib/squid/ext_session_acl -d -t 7200 -b /var/lib/squid/session.db`</span></span></span></div><div>=> from cache.log<br></div><div><div>2019/06/24 14:03:01 kid1| helperOpenServers: Starting 1/5 'ext_session_acl' processes<br>(ext_session_acl): invalid option -- 'd'<br>Usage: (ext_session_acl) [-t|-T session_timeout] [-b dbpath] [-a]<br>        -t sessiontimeout       Idle timeout after which sessions will be forgotten (user activity will reset)<br>        -T sessiontimeout       Fixed timeout after which sessions will be forgotten (regardless of user activity)<br>        -b dbpath               Path where persistent session database will be kept<br>        -a                      Active mode requiring LOGIN argument to start a session</div><br></div><div><br clear="none"></div><br clear="none">PS. If I am reading the PR which is being tested - it looks like it<br clear="none">changes the check from one which checks;<br clear="none"> - the Location URL being redirected to the splash page => OK<br clear="none"> - the Location URL looping => BAD<br clear="none"> - all non-splash URLs => BAD<div class="ydp25779dc1yqt8265623546" id="ydp25779dc1yqtfd21229"><br clear="none">to;</div><br clear="none"> - the Location has *any* URL which includes the splash page => OK<br clear="none">   (corollary: - the Location URL looping => OK !!)<br clear="none"> - all non-splash URLs => BAD<br clear="none"><br clear="none">Squid is only failing this test because v3.5 eventually rejects one of<br clear="none">the 8KB+ long URLs generated by the loop.<br clear="none"><br clear="none"><br clear="none">There are problems with the underlying helper tests too:<br clear="none"><br clear="none">   describe command('echo 10.0.0.1 concurrency=100 | ...<br clear="none"><br clear="none">==>  "10.0.0.1" is an invalid concurrency channel number. Channel IDs<br clear="none">are integer values in current helpers. 
If your squid.conf contains<br clear="none">"concurrency=100" the channel-ID delivered to the helper will be an<br clear="none">integer between 0 and 99 (inclusive).<br clear="none"><br clear="none">==>  "concurrency=100" is the name of the session you just asked the<br clear="none">helper to create.<br clear="none"><br clear="none">==> combined the above problems mean your helper test is not testing the<br clear="none">same type of sessions as your other tests are trying to use.<br clear="none"><br clear="none">Luckily the session helper does not actually care what the session name<br clear="none">values are, they are just opaque strings - hashed and stored for "-t N"<br clear="none">seconds. So this still tests that the helper works, just not in the way<br clear="none"><div>apparently intended.</div><div><br></div><div>[J] so, should be just an integer like that?<br></div><div>   describe command('echo 42 concurrency=100 | ...<br clear="none"></div><div>[J] concurrency was just to avoid this</div><div><div># echo 10 | /usr/lib/squid/ext_session_acl -t 7200 -b /var/lib/squid/session.db<br><div>FATAL: /usr/lib/squid/ext_session_acl is concurrent and requires the concurrency option to be specified.</div><div>[J] so the right test would be? 
both seem to work.<br></div></div><div><span>   describe command('echo 42 test concurrency=100 | ...</span></div><div><span>or<br></span></div><div><span><span><span>   describe command('echo 42 test | ...</span></span><br></span></div></div><br clear="none">Amos<br clear="none">_______________________________________________<br clear="none">squid-users mailing list<br clear="none"><a shape="rect" href="mailto:squid-users@lists.squid-cache.org" rel="nofollow" target="_blank">squid-users@lists.squid-cache.org</a><br clear="none"><a shape="rect" href="http://lists.squid-cache.org/listinfo/squid-users" rel="nofollow" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><div class="ydp25779dc1yqt8265623546" id="ydp25779dc1yqtfd33234"><br clear="none"></div></div></div>
            </div>
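            <div>The three-way check on the Location header described in the PS above (redirect to the splash page is OK, a looping Location is BAD, any non-splash URL is BAD), written out as an added example. It is not code from this thread or from the ansible role's tests. The function names are hypothetical, the splash URL and the looping Location value are the ones quoted in the thread, and the other sample URLs are constructed.</div>
<pre>
```python
from urllib.parse import urlsplit, parse_qs

# Splash URL taken from the deny_info line quoted in the thread.
SPLASH = "http://localhost/splash.php"

# Location header value from the failing 302 quoted in the thread.
LOOPING = ("http://localhost/splash.php?url=http%3A%2F%2Flocalhost%2Fsplash.php"
           "%3Furl%3Dhttp%253A%252F%252Fwww.google.com%252F")
# Constructed samples: the expected first redirect, and a non-splash URL
# that merely mentions the splash page in its query string.
FIRST_HOP = "http://localhost/splash.php?url=http%3A%2F%2Fwww.google.com%2F"
MENTIONS_SPLASH = "http://www.example.com/?next=http://localhost/splash.php"


def is_splash(url, splash=SPLASH):
    """True when url addresses the splash page itself (query string ignored)."""
    u, s = urlsplit(url), urlsplit(splash)
    return (u.scheme, u.netloc.lower(), u.path) == (s.scheme, s.netloc.lower(), s.path)


def nesting_depth(location, splash=SPLASH, limit=32):
    """Count splash URLs wrapped inside each other through the url= parameter."""
    depth, current = 0, location
    for _ in range(limit):  # bounded so a hostile or huge URL cannot spin forever
        if not is_splash(current, splash):
            break
        depth += 1
        inner = parse_qs(urlsplit(current).query).get("url")
        if not inner:
            break
        current = inner[0]  # parse_qs has already percent-decoded one level
    return depth


def classify(location, splash=SPLASH):
    """Apply the three-way check: splash redirect OK, loop BAD, non-splash BAD."""
    depth = nesting_depth(location, splash)
    if depth == 0:
        return "BAD: not redirected to the splash page"
    if depth > 1:
        return f"BAD: redirect loop, splash page nested {depth} levels"
    return "OK"


if __name__ == "__main__":
    for sample in (FIRST_HOP, LOOPING, MENTIONS_SPLASH):
        print(classify(sample), "-", sample)
```
</pre>
            <div>A substring match for the splash page would accept both LOOPING and MENTIONS_SPLASH; comparing the parsed scheme, host and path and then decoding the url= parameter one level at a time rejects both.</div>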
        </div></body></html>