Ok - it appears that my new configuration is working:

acl splash_page url_regex -i ^http://192.168.13.3

# Set up the session helper in active mode.
external_acl_type session ipv4 concurrency=100 ttl=3 %SRC /usr/local/squid/libexec/ext_session_acl -a -T 60 -b /usr/local/squid/var/lib/squid/session/

# Pass the LOGIN command to the session helper with this ACL
acl session_login external session LOGIN

# Set up the normal session helper.
external_acl_type session_active_def ipv4 concurrency=100 ttl=3 %SRC /usr/local/squid/libexec/ext_session_acl -a -T 60 -b /usr/local/squid/var/lib/squid/session/

# Normal session ACL as per simple example
acl session_is_active external session_active_def

# ACL to match URL
acl clicked_login_url url_regex -i ^http://192.168.13.3/renew_session.html

# First check for the login URL. If present, login session
http_access allow clicked_login_url session_login
http_access allow splash_page

# If we get here, URL not present, so renew session or deny request.
http_access deny !session_is_active

# Deny page to display
deny_info http://192.168.13.3 session_is_active

Tal

On Sat, Jul 14, 2012 at 5:25 PM, Jack Black <secretagent101@xxxxxxxxx> wrote:
> It appears that this is happening because according to the above
> configuration, http://192.168.13.3 is the page that it should redirect
> clients to while only the page http://192.168.13.3/renew_session.html
> is allowed to be loaded. http://192.168.13.3/renew_session.html is
> also the page that resets the connection in this case. I'm pretty sure
> all I need is to add http://192.168.13.3 to the allow list and
> everything should work again. Does that make sense? If so, looks like
> I'll need to do some reading on squid ACLs to find out how to do this
> properly.
>
> On Sat, Jul 14, 2012 at 10:28 AM, Jack Black <secretagent101@xxxxxxxxx> wrote:
>> Hmm. The configuration I'm using in squid.conf is this:
>>
>> # Set up the session helper in active mode. Mind the wrap - this is one line:
>> external_acl_type session ipv4 concurrency=100 ttl=3 %SRC
>> /usr/local/squid/libexec/ext_session_acl -a -T 60 -b
>> /usr/local/squid/var/lib/squid/session/
>>
>> # Pass the LOGIN command to the session helper with this ACL
>> acl session_login external session LOGIN
>>
>> # Set up the normal session helper. Mind the wrap - this is one line:
>> external_acl_type session_active_def ipv4 concurrency=100 ttl=3 %SRC
>> /usr/local/squid/libexec/ext_session_acl -a -T 60 -b
>> /usr/local/squid/var/lib/squid/session/
>>
>> # Normal session ACL as per simple example
>> acl session_is_active external session_active_def
>>
>> # ACL to match URL
>> acl clicked_login_url url_regex -i ^http://192.168.13.3/renew_session.html
>>
>> # First check for the login URL. If present, login session
>> http_access allow clicked_login_url session_login
>>
>> # If we get here, URL not present, so renew session or deny request.
>> http_access deny !session_is_active
>>
>> # Deny page to display
>> deny_info http://192.168.13.3 session_is_active
>>
>> renew_session.html being the page I want to have a link to on the
>> splash page that will reset the session. For some reason, whenever it
>> tries to redirect a browser to the splash page with this
>> configuration, the browser ends up showing me a "The page isn't
>> redirecting properly" error instead of loading the page. Same thing
>> happens if I replace http://192.168.13.3/renew_session.html with any
>> other page. It appears that the only way the configuration works is if
>> the deny_info line and the url_regex are exactly the same. Am I doing
>> something wrong?
>>
>> Tal
>>
>> On Sat, Jul 14, 2012 at 9:52 AM, Jack Black <secretagent101@xxxxxxxxx> wrote:
>>> Oh - that makes way more sense than what I was doing. Thanks!
>>>
>>> Tal
>>>
>>> On Sat, Jul 14, 2012 at 4:21 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>> On 14/07/2012 3:13 p.m., Jack Black wrote:
>>>>>
>>>>> Hi.
>>>>>
>>>>> According to this page:
>>>>>
>>>>> http://wiki.squid-cache.org/ConfigExamples/Portal/Splash
>>>>>
>>>>> Active Mode is supposed to prevent random software like anti-viruses
>>>>> from resetting the session when using ext_session_acl. Is this only
>>>>> true for software that uses TCP port 80, but NOT HTTP? I have
>>>>> configured active mode, and it works, but if my anti-virus checks
>>>>> online for updates (which it does all the time), the session gets
>>>>> reset and the browser never shows the splash page. The antivirus
>>>>> appears to use HTTP, since the log file shows this:
>>>>>
>>>>> TCP_DENIED/302 354 GET
>>>>> http://download353.avast.com/iavs5x/prod-ais.vpx - HIER_NONE/-
>>>>> text/html
>>>>>
>>>>> Which also indicates that it's what received the splash page. Is this
>>>>> expected behaviour? Is there a way to make sure that only a browser
>>>>> can reset the session and ignore other software that may use the HTTP
>>>>> protocol?
>>>>
>>>>
>>>> The expected behaviour is that everything making HTTP requests from the box
>>>> gets DENIED/302 splash page until you click on some link presented in that
>>>> page. thus manually requesting the "login" URL.
>>>>
>>>> Amos
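
Added example, not part of the original thread and not Squid code: a small Python model of Squid's first-match http_access evaluation, run over the two rule sets quoted above, showing why the earlier rules redirect the splash page to itself and why "http_access allow splash_page" fixes it. It assumes requests for 192.168.13.3 also pass through the proxy and that only the LOGIN ACL creates a session (active mode); the helper's -T 60 timeout is not modelled.

```python
import re

SPLASH = "http://192.168.13.3"  # deny_info target from the thread
LOGIN_RE = re.compile(r"^http://192.168.13.3/renew_session.html", re.I)
SPLASH_RE = re.compile(r"^http://192.168.13.3", re.I)

def make_acls(sessions):
    """ACL name -> test(src, url); session_login has the LOGIN side effect."""
    def login(src, url):
        sessions.add(src)  # active-mode helper: LOGIN creates the session
        return True
    return {
        "clicked_login_url": lambda s, u: bool(LOGIN_RE.search(u)),
        "splash_page": lambda s, u: bool(SPLASH_RE.search(u)),
        "session_login": login,
        "session_is_active": lambda s, u: s in sessions,  # lookup only
    }

# The http_access lines of the earlier and the working configuration.
OLD = [("allow", ["clicked_login_url", "session_login"]),
       ("deny", ["!session_is_active"])]
NEW = [OLD[0], ("allow", ["splash_page"]), OLD[1]]

def http_access(rules, acls, src, url):
    """First line whose ACLs all match wins; ACLs are tested left to right."""
    for action, names in rules:
        if all(acls[n.lstrip("!")](src, url) != n.startswith("!") for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

def browse(rules, sessions, src, url, max_redirects=5):
    """Follow deny_info 302s as a browser would; return (outcome, final_url)."""
    acls = make_acls(sessions)
    for _ in range(max_redirects):
        if http_access(rules, acls, src, url) == "allow":
            return "loaded", url
        if url.rstrip("/") == SPLASH:
            return "redirect loop", url  # the splash page itself is denied
        url = SPLASH  # TCP_DENIED/302 to the deny_info URL
    return "redirect loop", url
```

With the new rules, a non-browser request such as the antivirus update URL from the log is redirected to the splash page but never matches clicked_login_url, so it cannot start a session on its own.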