[squid-users] External ACL TTL not working as expected

Amos Jeffries squid3 at treenet.co.nz
Fri Jan 30 22:25:55 UTC 2015


On 31/01/2015 9:15 a.m., Alberto Perez wrote:
> Hello to everyone,
> 
> First of all thanks for the support and for this awesome product.
> 

Welcome. Thank you for getting the use of authorization vs
authentication correct in your question :-) So nice not to have to start
with clarifying that.


> I'm developing a captive portal with squid 3.4.9 over ubuntu 14.04
> 
> Here is my external acl configuration
> 
> external_acl_type session_active_def ipv4  %SRC
> /etc/squid3/captive/sessionHelper.php  concurrency=100 children=1 -a
> -f ttl=1  negative_ttl=0 startup=2 idle=1
> 

<http://www.squid-cache.org/Doc/config/external_acl_type/>.


In particular you have the syntax for the helper wrong. The correct
syntax is:

 external_acl_type name [options] FORMAT /path/to/helper [helper arguments]

Note the difference between "options" and "helper arguments". Helper
arguments is part of the command line to be run.


So the correct config line for what you have above is:

 external_acl_type \
  session_active_def \
  concurrency=100 children-max=1 children-startup=1 \
    ipv4 ttl=1 negative_ttl=0 \
  \
  %SRC \
  /etc/squid3/captive/sessionHelper.php -a -f


I noticed the total number of children was smaller than the number
indicated to be run at startup. Squid would complain about that as it
auto-corrects to using startup=1.
Also, with startup >= children the idle parameter is unnecessary. There
is no amount of child helpers being started later based on load.


NP: There were a few nasty issues with the Zend engine limiting how long
a PHP script was allowed to run for. Even the dynamic restart feature
for Squid helpers was unable to solve that fully. You may want to
re-write the helper into another language for production use.



> acl password external session_active_def
> 
> deny_info https://proxy-bump.upr.edu.cu/?url=%u password
> 

Be careful with the use of HTTPS in sessions.

The initial CONNECT (even the fake-CONNECT Squid uses on intercepted
traffic) will need accounting for in your session management ACLs. You
don't want it to be kicking off another session login partway through the
first.



HTH
Amos
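As an added illustration (not the original poster's sessionHelper.php and not Squid project code) of what the corrected external_acl_type line above drives: with concurrency=N and the %SRC format, Squid writes one line per request of the form "<channel-id> <client-ip>" to the helper and expects "<channel-id> OK" or "<channel-id> ERR" back (optionally with key=value pairs such as tag=). The in-memory session table, the 600 s lifetime and the sample addresses are assumptions standing in for the portal's real backend.

```python
#!/usr/bin/env python3
"""Minimal concurrent Squid external ACL session helper (added example).
Reads '<channel-id> <client-ip>' lines on stdin, answers one line each."""
import sys
import time

# Assumed session lifetime; the real portal would use its own store.
SESSION_LIFETIME = 600


def parse_request(line):
    """Split a concurrent-protocol request into (channel_id, client_ip).
    Returns None when the line does not carry a numeric channel and one
    token (the %SRC address) as the corrected config line produces."""
    parts = line.strip().split()
    if len(parts) != 2 or not parts[0].isdigit():
        return None
    return parts[0], parts[1]


def handle_line(line, sessions, now=None):
    """Return the reply Squid expects for one request line.
    OK  -> the 'password' ACL matches and the client is allowed through
    ERR -> no active session, so deny_info redirects to the portal
    BH  -> helper-side problem (malformed input), so Squid does not
           cache a bogus answer (ttl=1 keeps even OK/ERR answers short)."""
    now = time.time() if now is None else now
    parsed = parse_request(line)
    if parsed is None:
        return "BH message=malformed-request"
    channel, client_ip = parsed
    expiry = sessions.get(client_ip)
    if expiry is not None and expiry > now:
        # Active session: slide the expiry and tag the result for logging.
        sessions[client_ip] = now + SESSION_LIFETIME
        return f"{channel} OK tag=session-active"
    # Expired or unknown client: drop any stale entry and deny.
    sessions.pop(client_ip, None)
    return f"{channel} ERR"


def main():
    sessions = {}  # constructed: client IP -> expiry (epoch seconds)
    for raw in sys.stdin:
        # flush=True matters: Squid waits for each reply line.
        print(handle_line(raw, sessions), flush=True)


if __name__ == "__main__":
    main()
```

Because only %SRC is sent, a CONNECT and the requests inside the tunnel all look identical to this helper, which is the reason for the warning about HTTPS in session handling above.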

