Hi Amos,
"squid -v"
Squid Cache: Version 3.4.2
configure options: '--enable-ssl' '--prefix=/usr/local/squid'
I store the cookie on the parent domain (say domain.com). The reverse
proxied site is x.domain.com, y.domain.com etc.. So the cookie is
always made available by the browser. It works 99.5% of the time but
starts to play up at night around 9 PM. I don't know if it provides
any clues but it used to happen in the morning 8 AM ish. Then I
changed the TTL values when the problem switched to night time.
8 AM problem (negative ttl defaults to ttl):
ttl=3
9 PM problem: (current config)
ttl=180 negative_ttl=0
Thanks
On 3 February 2014 09:35, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 3/02/2014 10:00 p.m., P K wrote:
>> Hi,
>>
>> I've got a mysterious problem with Squid as reverse proxy and I would
>> be grateful if someone could help me out. Basically, I use an external
>> acl to validate the session id when someone accesses my site that is
>> reverse proxied.
>>
>> ..snip..
>>
>> external_acl_type ext_session_page ttl=180 negative_ttl=0 %SRC
>> %>{Cookie:;MYSESSIONID} /usr/bin/php /path/to/myvalidator.php
>> acl user_session external ext_session_page
>> http_access deny !user_session
>> deny_info https://logon.domain.com/logon.php?url=%u user_session
>>
>> ..snip..
>>
>> My logon page logon.php creates a new session id and stores a cookie.
>> When a user has successfully logged on, I redirect to his chosen site.
>> Squid then validates the cookie using my external acl (OK or ERR).
>> This works fine 99.5% of the time.
>>
>> But sometimes squid gets confused and sends the older session id (one
>> before the current session id in deny_page) to my external acl which
>> is really weird. As a result, the external acl keeps returning ERR.
>> Then it sorts itself out. Or a restart squid sorts it out. What could
>> be causing this? Is this a bug with squid? I've also noticed that it
>> seems to happen at night around 9 PM ish.
>>
>> The logic is simple:
>>
>> 1. User visits the reverse proxied site (config not shown).
>> 2. Squid checks the external acl to see if the cookie is valid.
>> 3. If OK it lets it go to the site.
>> 4. If ERR, logon.php is presented which creates a new session id and
>> stores a cookie.
>> 5. User logs on
>> 6. If successful, logon.php redirects to the reverse proxied site. (At
>> this point, external acl will be checked i.e. step 2. External acl
>> will reply OK as the cookie is valid.)
>> 7. If failed, logon.php does not redirect i.e. stays on deny_page.
>>
>
> What is the output of squid -v please?
>
>
> How are you fooling the browser into sending the same Cookie for all
> requests no matter what domain is being fetched?
>
>
> Squid sends the ACL helper the Cookie header sub-string starting with
> "MYSESSIONID=" in the request it receives. I suspect the browser is
> sending stale Cookies.
>
>
> Amos
