Forgot to mention - I rotate squid logs using -k rotate daily which is
not related as it happens even if I don't rotate it. I've noticed that
squid -k rotate causes 5 helper processes to be reduced to 1 (as seen
in ps -ef). I suspect this is a known issue. Just thought I'd mention
it although not related to my mysterious problem.

On 3 February 2014 10:21, P K <getpkme@xxxxxxxxx> wrote:
> Hi Amos,
>
> "squid -v"
>
> Squid Cache: Version 3.4.2
> configure options: '--enable-ssl' '--prefix=/usr/local/squid'
>
> I store the cookie on the parent domain (say domain.com). The reverse
> proxied site is x.domain.com, y.domain.com etc.. So the cookie is
> always made available by the browser. It works 99.5% of the time but
> starts to play up at night around 9 PM. I don't know if it provides
> any clues but it used to happen in the morning 8 AM ish. Then I
> changed the TTL values when the problem switched to night time.
>
> 8 AM problem (negative ttl defaults to ttl):
> ttl=3
>
> 9 PM problem: (current config)
> ttl=180 negative_ttl=0
>
> Thanks
>
> On 3 February 2014 09:35, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>> On 3/02/2014 10:00 p.m., P K wrote:
>>> Hi,
>>>
>>> I've got a mysterious problem with Squid as reverse proxy and I would
>>> be grateful if someone could help me out. Basically, I use an external
>>> acl to validate the session id when someone accesses my site that is
>>> reverse proxied.
>>>
>>> ..snip..
>>>
>>> external_acl_type ext_session_page ttl=180 negative_ttl=0 %SRC
>>> %>{Cookie:;MYSESSIONID} /usr/bin/php /path/to/myvalidator.php
>>> acl user_session external ext_session_page
>>> http_access deny !user_session
>>> deny_info https://logon.domain.com/logon.php?url=%u user_session
>>>
>>> ..snip..
>>>
>>> My logon page logon.php creates a new session id and stores a cookie.
>>> When a user has successfully logged on, I redirect to his chosen site.
>>> Squid then validates the cookie using my external acl (OK or ERR).
>>> This works fine 99.5% of the time.
>>>
>>> But sometimes squid gets confused and sends the older session id (one
>>> before the current session id in deny_page) to my external acl which
>>> is really weird. As a result, the external acl keeps returning ERR.
>>> Then it sorts itself out. Or a restart squid sorts it out. What could
>>> be causing this? Is this a bug with squid? I've also noticed that it
>>> seems to happen at night around 9 PM ish.
>>>
>>> The logic is simple:
>>>
>>> 1. User visits the reverse proxied site (config not shown).
>>> 2. Squid checks the external acl to see if the cookie is valid.
>>> 3. If OK it lets it go to the site.
>>> 4. If ERR, logon.php is presented which creates a new session id and
>>> stores a cookie.
>>> 5. User logs on
>>> 6. If successful, logon.php redirects to the reverse proxied site. (At
>>> this point, external acl will be checked i.e. step 2. External acl
>>> will reply OK as the cookie is valid.)
>>> 7. If failed, logon.php does not redirect i.e. stays on deny_page.
>>>
>>
>> What is the output of squid -v please?
>>
>> How are you fooling the browser into sending the same Cookie for all
>> requests no matter what domain is being fetched?
>>
>> Squid sends the ACL helper the Cookie header sub-string starting with
>> "MYSESSIONID=" in the request it receives. I suspect the browser is
>> sending stale Cookies.
>>
>> Amos
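
An added example, not part of the original thread and not the poster's myvalidator.php: a minimal external ACL helper in Python that answers OK/ERR for the %SRC plus cookie input configured above and logs a digest of each session id it is handed, so a stale id arriving at the helper becomes visible. The session set, the sample addresses, the "-" placeholder for a missing cookie, and accepting both a bare value and a "MYSESSIONID=" prefix are assumptions.

```python
#!/usr/bin/env python3
# Added example: external ACL helper sketch, not the poster's myvalidator.php.
import hashlib
import sys
import time
from urllib.parse import unquote

COOKIE_NAME = "MYSESSIONID"      # cookie name from the config quoted in the thread
VALID_SESSIONS = {"abc123"}      # constructed stand-in for a real session store


def parse_request(line):
    """Split one helper input line into (src_ip, session_id or None)."""
    fields = line.split()
    if len(fields) < 2:
        return (fields[0] if fields else "-"), None
    src, raw = fields[0], unquote(fields[1])
    # Assumption: the field is the bare value or a "MYSESSIONID=value" string.
    if raw.startswith(COOKIE_NAME + "="):
        raw = raw[len(COOKIE_NAME) + 1:]
    raw = raw.split(";", 1)[0].strip()
    # Assumption: "-" stands for "no cookie sent".
    return src, (raw if raw and raw != "-" else None)


def decide(line, sessions=VALID_SESSIONS):
    """Return the reply for one input line: 'OK' or 'ERR'."""
    _, sid = parse_request(line)
    return "OK" if sid in sessions else "ERR"


def fingerprint(sid):
    """Short digest so logs identify a session id without storing it."""
    return hashlib.sha256(sid.encode()).hexdigest()[:12] if sid else "none"


def main(stdin=sys.stdin, stdout=sys.stdout, log=sys.stderr):
    for line in stdin:
        src, sid = parse_request(line)
        reply = decide(line)
        stamp = time.strftime("%Y-%m-%dT%H:%M:%S")
        # One line per lookup: which id Squid passed, and the answer given.
        log.write(f"{stamp} src={src} sid={fingerprint(sid)} reply={reply}\n")
        stdout.write(reply + "\n")
        stdout.flush()           # answer each request immediately, unbuffered


if __name__ == "__main__":
    main()
```

Squid consults the helper only when it has no cached result for the same %SRC and cookie value, so a request with no matching helper log line was answered from the ttl cache.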