Search squid archive

Re: AUP page squid_session and banner page

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 30 Mar 2010 15:08:13 -0500, "Johnson, S"
<sjohnson@xxxxxxxxxxxxxxx>
wrote:
> Squid 3.1.0.17
> 

3.1.1 is production released now :)

3.1.0.17 has some major IP-related issues which are now fixed.

> Ok, I'm able to get some of this working right...  Although it's not
> quite what I expected for results.  My config is below...
> 
> First, I think since I have myserver in the acl then the AUP page
> doesn't display if the user has their home page set to
> "http://www.myserver.com";.  
> 
> Secondly, when one computer gets the AUP subsequent computers will not
> be prompted with the AUP.  The first computer to attempt to get to the
> internet gets the AUP all the others do not.  Of course, resetting squid
> frees up the cache and then the first user after the restart will be
> prompted.  My assumption in reading is that the %SRC is supposed to key
> the session identifier for the IP address of the requesting user.

IMO this is caused by the DG being present. The fix below should resolve
this problem as well as logging.

> 
> I did notice the following in my logs and I wonder if this could be my
> issue:
> 
> 30/Mar/2010,14:56:08,
> 220,127.0.0.1,TCP_MISS/200,3150,GET,http://www.google.com/firefox?,-,DIR
> ECT/208.69.36.231,text/html
> 
>  Shouldn't my workstation show as the true IP address and not localhost
> (127.0.0.1)?  I am running dansguardian on this server but that should
> be taking place after my connection.  It would make sense that the first
> workstation authenticating with 127.0.0.1 would authorize in this
> case...  If this is what my problem is, why is localhost showing instead
> of the real IP address?  The dansguardian log does show the correct IP
> address...  Oh wait... I'm connecting to 8080 which is dansguardian
> which forwards to squid @ 3128... oh my...  How am I going to fix this?

Squid by default uses the IP of the software connecting to it. In your
case its DG making the connection not the client browser.

You need to make DG add the x-forwarded-for header with the real client IP
inside ...

Then for Squid-3.1.* you need only add this to squid.conf to trust the DG
given header:
  follow_x_forwarded_for allow localhost
  follow_x_forwarded_for deny all

Squid-3.1 will then use the IP which DG reports as connecting to it.

NP: for others reading this, older 3.0 and 2.x series need other
squid.conf options to be turned on.


> 
> The docs for squid_session (http://linuxreviews.org/man/squid_session/)
> State:  "http://your.server/bannerpage to display a session startup page
> and then redirect the user back to the requested URL given in the url
> query parameter." 
> 
> I can't seem to figure out what to do on the AUP html page.  Is there
> anything additional I need to do or just forward the user on?
> 
> (I've played around with the negative_ttl a bit; if I set it to say 300,
> then I cannot progress pass the AUP.)
> 
>  
> 
> acl to_localbox dst 192.168.80.5/32
> 
> acl myserver dst 64.8.132.1/32
> 
> external_acl_type session ttl=300 children=20 negative_ttl=10
> concurrency=200 %SRC /usr/lib/squid/squid_session -t 3600
> 
> acl session external session
> 
> acl localnet src 192.168.80.0/23
> 
> http_access allow myserver      (this is my webserver that I want to
> allow unrestricted access to)
> http_access allow to_localbox    (since I have an AUP html file on this
> web server; allow access)
> deny_info http://192.168.80.5/index.html?url=%s session   (sets up the
> session html page; redirect connection here)
> http_access deny !Safe_ports   (default config from squid; it is defined
> I just didn't cut and paste the ACL for it)
> http_access deny !session       ( if you don't have a session defined
> then no way; you're stuck)
> http_access allow session
> 
>  
> http_access deny all

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux