[squid-users] Question about: ext_session_acl Splash/Portal solution.
Amos Jeffries
squid3 at treenet.co.nz
Mon Oct 16 14:59:28 UTC 2017
On 16/10/17 07:17, Klaus Tachtler wrote:
> Hi Amos,
>
> after a little bit more testing, of course I must agree with you, it
> doesn't work as expected.
>
> Can you please give me some more advice? Where is my mistake?
>
> I tried to use the *ACTIVE* example from the squid documentation and
> modified it a little bit in 3 parts of the code, BUT a LOOP is still
> there!
>
> https://wiki.squid-cache.org/ConfigExamples/Portal/Splash#Squid_Configuration_File_-_Active_Mode
>
>
> --- code ---
>
> # Set up the session helper in active mode. Mind the wrap - this is one line: - *MODIFIED* - (all in one line)
> external_acl_type session concurrency=100 ttl=3 negative_ttl=0 children-max=1 %LOGIN /usr/lib64/squid/ext_session_acl -a -T 60 -b /var/lib/squid/sessions/
>
> # Pass the LOGIN command to the session helper with this ACL
> acl session_login external session LOGIN
>
> # Normal session ACL as per simple example
> acl session_is_active external session
>
> # ACL to match URL - *MODIFIED* -
> acl clicked_login_url url_regex -i http://my.pages.net/html/accept.php
>
> # First check for the login URL. If present, login session
> http_access allow clicked_login_url session_login
>
> # If we get here, URL not present, so renew session or deny request.
> http_access deny !session_is_active
>
> # Deny page to display - *MODIFIED* - NOT using a template with HTML-Code 511!
> deny_info http://my.pages.net/html/splash.php?url=%u session_is_active

Please double-check the caching related headers on both your custom
URLs are set to make them non-cacheable. 302 is a weak substitute for
511 semantics, and requires caching headers to clearly and explicitly
prevent caching *and* to be followed by the client or the system can
break badly (which is why 511 was created).

Which exact version of Squid are you using? Some of the early v4 had
issues with the format parameter changes which broke the active session
mode for a while.

Also, be aware that since the helper API is *only* using %LOGIN, if any
visitor happens to send a request for the clicked_login_url without
credentials attached, they will make a logged-in session for anonymous
access and the proxy becomes an 'open proxy' for any subsequent client
requests from *anywhere* for 63 seconds. Things like that are why %SRC
is usually used to make a session depend on things not as easily under
client control - such as src-IP.

If those don't work I'm stuck as well. The wiki config examples are ones
I used myself for many years before I moved to the sql_session helper.

Amos
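
One way to run the caching-header check suggested in the reply above, as an added example that is not part of the original message or of Squid itself. The two response heads are constructed samples, and treating `no-store` as required is a policy assumed here.

```python
from email.utils import parsedate_to_datetime

# Constructed response heads for the two custom pages (not captured traffic).
SPLASH_HEAD = """HTTP/1.1 200 OK
Date: Mon, 16 Oct 2017 14:00:00 GMT
Expires: Mon, 16 Oct 2017 15:00:00 GMT
Cache-Control: public, max-age=3600"""
ACCEPT_HEAD = """HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Expires: 0"""

def parse_head(raw):
    """Return {lowercase-name: value} for a raw HTTP response head."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def http_date(value):
    """Parse an HTTP date; None if absent or invalid (e.g. 'Expires: 0')."""
    try:
        return parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        return None

def cache_problems(raw):
    """List the reasons a browser or cache could store or reuse this response."""
    h = parse_head(raw)
    if "cache-control" not in h:
        return ["no Cache-Control header, caching is left to client heuristics"]
    cc = {}
    for part in h["cache-control"].lower().split(","):
        key, _, val = part.strip().partition("=")
        cc[key] = val.strip('"')
    problems = []
    if "no-store" not in cc:  # assumed policy: no-store must be explicit
        problems.append("Cache-Control lacks no-store")
    if "public" in cc:
        problems.append("Cache-Control: public invites shared caching")
    for key in ("max-age", "s-maxage"):
        if cc.get(key, "0").isdigit() and int(cc.get(key, "0")) > 0:
            problems.append(f"{key}={cc[key]} gives the response a lifetime")
    expires, date = http_date(h.get("expires")), http_date(h.get("date"))
    if expires and date and expires > date:
        problems.append("Expires is later than Date")
    return problems

for name, head in (("splash.php", SPLASH_HEAD), ("accept.php", ACCEPT_HEAD)):
    print(name, cache_problems(head) or "explicitly non-cacheable")
```

To audit a live deployment, paste the head returned for each page (for instance from `curl -sI`) in place of the constructed samples.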