Hi,

I am trying to "debug" my configuration to get squid_session working. I am following a recent thread about this issue, but couldn't solve my problem yet. I read some old threads, but, if I didn't miss something, my config is as expected. I based my config lines on the squid_session.8 man page.

My main question is: will a directive like "http_access deny somehosts !session" work as I explained here?

Explanation (squid-2.7.STABLE6):
============================

excerpt from squid.conf:
----------------------------------
external_acl_type session ttl=300 negative_ttl=0 children=1 concurrency=200 %LOGIN /usr/libexec/squid_session -t 3600 -b /squidlogs/var/session.db
acl session external session
http_access deny somehosts !session
deny_info http://anotherhost/rules/?obs=001&url=%s session

Lines are in this order. There is a "proxy_auth REQUIRED" before the session ACLs. There is not any "allow" directive before "http_access deny somehosts !session", just denies. Each "deny" directive is associated with a "deny_info" directive.

The location "http://anotherhost/rules/?obs=001&url=%s session" just shows a message (plain/html text) with a "click here" link (%s) and shows the value of $obs.

"somehosts" refers to 'acl somehosts src "/etc/squid/somehosts.txt"', where somehosts.txt has a line such as 192.168.1.0/24.

Squid is asking for user/password. Everything is working as expected, except for squid_session.

What I want/understood:
====================

-The first time a user logs in (let's say it is joebob) AND if it is coming from "somehosts", squid starts a session and redirects to the indicated location (deny_info);

-While the session does not time out (1 hour = 3600s), the user will not get redirected. After the timeout period, the user gets redirected again IF it is coming from somehosts.

-If user joebob logs in from another host ( != somehosts ), a session is started (or updated) BUT it will not get redirected. If the session is not updated/created, in this situation, there is no problem, but it is important that the user does __not__ get redirected, even if the session has timed out.

-If joebob keeps using the internet, then, each hour (3600s approx.) it would be redirected again (sure, it keeps coming from somehosts). If joebob stops using the internet and comes back later and the session has timed out and if it is coming from "somehosts", then it gets redirected as I described.

-As I am using "-b /squidlogs/var/session.db" I can shutdown/rotate/reconfigure squid and sessions will remain.

-As I am using %LOGIN, my session keys are the login names (joebob, for example).

What I observed:
==============

-The user gets a first redirect, but didn't get other redirects after that. I tested with joebob and, using the same source IP, I didn't get redirected for the rest of the day, even if I close my browser and log in again or use another browser. I tested this coming from the same src IP I got redirected from once.

-I asked other users to do the test, but they got just the first redirect too.

-/squidlogs/var/session.db is populated when I use "-k reconfigure", so it is working. Using some perl code from the internet, I could read session.db, but I could only read the first field (logins, such as joebob). The second field appears like "#çäI", but the users in this file are the ones using "somehosts", so I imagine that the "... somehosts !session" ACL is working.

That is it. Please help me find what I missed (or misunderstood). If someone can point me to man pages I missed, it would be great. I tried to understand squid_session.c, but I can't "speak" C language. :-)

Thank you.

Best regards,
Cássio
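
Added example, not part of the original post and not squid_session source code: a small Python model of the configuration above, assuming what the squid_session.8 man page describes for -t (an idle timeout) and that every helper lookup starts or refreshes the session. The class and function names and the request timelines are constructed for illustration; the numbers come from the posted squid.conf lines.

```python
HELPER_IDLE_TIMEOUT = 3600   # squid_session -t 3600
ACL_TTL = 300                # external_acl_type ... ttl=300
ACL_NEGATIVE_TTL = 0         # external_acl_type ... negative_ttl=0


class SessionHelper:
    """Assumed helper behaviour: idle-timeout sessions keyed by %LOGIN."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.last_seen = {}           # login -> time of the last helper lookup

    def lookup(self, login, now):
        seen = self.last_seen.get(login)
        active = seen is not None and now - seen <= self.idle_timeout
        self.last_seen[login] = now   # every lookup starts or refreshes the session
        return active                 # True = OK, False = ERR


class ExternalAcl:
    """Squid-side cache of helper answers (ttl / negative_ttl)."""

    def __init__(self, helper, ttl, negative_ttl):
        self.helper, self.ttl, self.negative_ttl = helper, ttl, negative_ttl
        self.cache = {}               # login -> (result, expiry time)

    def matches(self, login, now):
        hit = self.cache.get(login)
        if hit and now < hit[1]:
            return hit[0]             # cached answer, helper is not consulted
        result = self.helper.lookup(login, now)
        lifetime = self.ttl if result else self.negative_ttl
        self.cache[login] = (result, now + lifetime)
        return result


def redirect_times(request_times, login="joebob"):
    """Times at which 'http_access deny somehosts !session' denies (deny_info redirect)."""
    acl = ExternalAcl(SessionHelper(HELPER_IDLE_TIMEOUT), ACL_TTL, ACL_NEGATIVE_TTL)
    return [t for t in request_times if not acl.matches(login, t)]


# Constructed timelines for a client in "somehosts" (seconds since the first request).
STEADY = list(range(0, 8 * 3600, 600))   # one request every 10 minutes for 8 hours
WITH_BREAK = [0, 60, 120, 4120, 4180]    # more than an hour of silence after t=120

if __name__ == "__main__":
    print("steady use :", redirect_times(STEADY))
    print("with break :", redirect_times(WITH_BREAK))
```

Under these assumptions a user who keeps browsing is redirected only once, because each lookup pushes the expiry forward; a new redirect needs more than 3600 seconds with no lookup for that login.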