[squid-users] External ACL TTL not working as expected

Alberto Perez alberto2perez at gmail.com
Sat Jan 31 04:14:09 UTC 2015


Amos,
You rock it,
Thanks a lot, now it's working pretty well.

I was partially aware of the PHP limitations when it is used to build
external helpers; anyway, I did not give it much importance since it was
working fine. I will rewrite the code in Python ASAP. I appreciate your
recommendations.

Please, if it is not too much to ask, I would like to ask you about
another issue I have not been able to make work: I'm trying to skip
access logging of a subnet. In old versions of Squid (3.1) I was using
the following configuration


acl ip_upredes src 10.2.100.0/24

log_access deny ip_upredes
log_access allow all


As of Squid 3.4 the log_access directive was no longer available, so I
was trying to change to

cache_access_log stdio:/var/log/squid3/access.log
cache_store_log stdio:/var/log/squid3/store.log
access_log none ip_upredes


Starting squid in debug mode shows this

2015/01/30 22:50:15| ACL not found: ip_upredes
FATAL: Bungled /etc/squid3/squid.conf line 98: access_log none ip_upredes

I suspect a missing configuration option from when I compiled Squid, so
the following are my compilation options

configure options:
'--sysconfdir=/etc/squid3'
'--mandir=/usr/share/man'
'--enable-inline'
'--enable-async-io=8'
'--enable-storeio=ufs,aufs,diskd,rock'
'--enable-removal-policies=lru,heap'
'--enable-delay-pools'
'--enable-cache-digests'
'--enable-underscores'
'--enable-icap-client'
'--enable-follow-x-forwarded-for'
'--enable-url-rewrite-helpers=fake'
'--enable-eui'
'--enable-esi'
'--enable-icmp'
'--enable-zph-qos'
'--enable-ecap'
'--enable-ssl'
'--enable-ssl-crtd'
'--disable-translation'
'--with-swapdir=/var/spool/squid3'
'--with-logdir=/var/log/squid3'
'--with-pidfile=/var/run/squid3.pid'
'--with-filedescriptors=65536'
'--with-large-files'
'--with-default-user=proxy'


Again, thanks a lot for this great support. I read a lot of your
answers in this mailing list on the web and I can say you are doing a
really GOOD job supporting this community and project.

Thanks, thanks, thanks

Alberto



On 1/30/15, Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 31/01/2015 9:15 a.m., Alberto Perez wrote:
>> Hello to everyone,
>>
>> First of all thanks for the support and for this awesome product.
>>
>
> Welcome. Thank You for getting the use of authorization vs
> authentication correct in your question :-) so nice not to have to start
> with clarifying that.
>
>
>> I'm developing a captive portal with squid 3.4.9 over ubuntu 14.04
>>
>> Here is my external acl configuration
>>
>> external_acl_type session_active_def ipv4  %SRC
>> /etc/squid3/captive/sessionHelper.php  concurrency=100 children=1 -a
>> -f ttl=1  negative_ttl=0 startup=2 idle=1
>>
>
> <http://www.squid-cache.org/Doc/config/external_acl_type/>.
>
>
> In particular you have the syntax for the helper wrong. The correct
> syntax is:
>
>  external_acl_type name [options] FORMAT /path/to/helper [helper arguments]
>
> Note the difference between "options" and "helper arguments". Helper
> arguments is part of the command line to be run.
>
>
> So the correct config line for what you have above is:
>
>  external_acl_type \
>   session_active_def \
>   concurrency=100 children-max=1 children-startup=1 \
>     ipv4 ttl=1 negative_ttl=0 \
>   \
>   %SRC \
>   /etc/squid3/captive/sessionHelper.php -a -f
>
>
> I noticed the total number of children was smaller than the number
> indicated to be run at startup. Squid would complain about that as it
> auto-corrects to using startup=1.
> Also, with startup >= children the idle parameter is unnecessary. There
> is no amount of child helpers being started later based on load.
>
>
> NP: There were a few nasty issues with the Zend engine limiting how long
> a PHP script was allowed to run for. Even the dynamic restart feature
> for Squid helpers was unable to solve that fully. You may want to
> re-write the helper into another language for production use.
>
>
>
>> acl password external session_active_def
>>
>> deny_info https://proxy-bump.upr.edu.cu/?url=%u password
>>
>
> Be careful with the use of HTTPS in sessions.
>
> The initial CONNECT (even the fake-CONNECT Squid uses on intercepted
> traffic) will need accounting for in your session management ACLs. You
> don't want it to be kicking off another session login partway through the
> first.
>
>
>
> HTH
> Amos
>
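
Added example, not part of the original thread and not the poster's helper: a sketch of what a Python replacement for the %SRC session helper could look like when run with concurrency=N, where each request line carries a channel-ID that the reply must echo. The SESSIONS store, its addresses and the function names are constructed for illustration; a real portal would read sessions from wherever the login page records them.

```python
#!/usr/bin/env python3
"""Concurrent external ACL helper sketch for a %SRC session check."""
import ipaddress
import sys
import time

# Constructed sample store: client IP -> session expiry (epoch seconds).
# Assumption: a real portal keeps this in a file or database that the
# login page writes to.
SESSIONS = {"10.2.100.7": 4102444800.0, "10.2.100.9": 0.0}


def is_active(ip, sessions, now):
    """True only if the IP has a session that has not expired."""
    expiry = sessions.get(ip)
    return expiry is not None and expiry > now


def handle_line(line, sessions, now):
    """Turn one request line into one reply line.

    With concurrency=N Squid sends "<channel-ID> <%SRC>" and expects the
    reply to start with the same channel-ID. Returns None when no
    channel-ID can be read, since there is nothing to reply to.
    """
    parts = line.split()
    if not parts or not parts[0].isdigit():
        return None
    channel = parts[0]
    if len(parts) != 2:
        return channel + " ERR"          # fail closed on unexpected input
    try:
        ip = str(ipaddress.ip_address(parts[1]))
    except ValueError:
        return channel + " ERR"          # not an address: deny
    return channel + (" OK" if is_active(ip, sessions, now) else " ERR")


def serve(stdin, stdout, sessions):
    """Answer requests until Squid closes the pipe."""
    for line in stdin:
        reply = handle_line(line, sessions, time.time())
        if reply is not None:
            stdout.write(reply + "\n")
            stdout.flush()               # replies must not sit in a buffer


if __name__ == "__main__":
    serve(sys.stdin, sys.stdout, SESSIONS)
```

Every path that cannot confirm a live session answers ERR, so a malformed request never results in access being granted.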

