On 25/07/2014 7:13 p.m., Cemil Browne wrote:
> Hi all, I'm trying to set up a situation as follows: I have a web
> server at [server]:80 . I've got squid installed on [server]:3000 .

This is back to front. Squid should be the gateway listening on
[server]:80, with the web server listening on a private IP of the
machine, also port 80 if possible (ie localhost:80).

> The requirement is to ensure that any request to web server protected
> content (/FP/*) is redirected to a splash page (terms and conditions),
> accepted, then allowed. I've got most of the way, but the last bit
> doesn't work. This is on a private network.
>
> Squid config:
>
> http_port 3000 accel defaultsite=192.168.56.101
> cache_peer 127.0.0.1 parent 80 0 no-query originserver
>
>
> external_acl_type session ttl=3 concurrency=100 %SRC
> /usr/lib/squid/ext_session_acl -a -T 60
>
> acl session_login external session LOGIN
>
> external_acl_type session_active_def ttl=3 concurrency=100 %SRC
> /usr/lib/squid/ext_session_acl -a -T 60
>

Each of the above two external_acl_type definitions runs different
helper instances. Since you have not defined an on-disk database that
they share, the session data will be stored in memory for whichever one
is starting the sessions, but inaccessible to the one checking if a
session exists.

> acl session_is_active external session_active_def
>

What you should have is exactly *1* external_acl_type directive, used by
two different acl directives. Like so:

  external_acl_type session ttl=3 concurrency=100 %SRC /usr/lib/squid/ext_session_acl -a -T 60
  acl session_login external session LOGIN
  acl session_is_active external session

> acl accepted_url url_regex -i accepted.html.*
> acl splash_url url_regex -i ^http://192.168.56.101:3000/splash.html$
> acl protected url_regex FP.*

Regex has implicit .* before and after every pattern unless an ^ or $
anchor is specified. You do not have to write the .*

Also, according to your policy description that last pattern should be
matching path prefix "/FP" not any URL containing "FP".

>
> http_access allow splash_url
> http_access allow accepted_url session_login
>
> http_access deny protected !session_is_active
>
> deny_info http://192.168.56.101:3000/splash.html session_is_active

It is best to use splash.html as a static page delivered in place of the
access denied page:

  deny_info splash.html session_is_active

then have the ToC accept button URL be the one which begins the session.

So stitching the above changes into your squid.conf you should have this:

  http_port 192.168.56.101:80 accel defaultsite=192.168.56.101
  cache_peer 127.0.0.1 parent 80 0 no-query originserver

  external_acl_type session ttl=3 concurrency=100 %SRC /usr/lib/squid/ext_session_acl -a -T 60
  acl session_login external session LOGIN
  acl session_is_active external session
  deny_info /etc/squid/splash.html session_is_active

  acl accepted_url urlpath_regex -i accepted.html$
  acl splash_url url_regex -i ^http://192.168.56.101/splash.html$
  acl protected urlpath_regex ^/FP

  http_access allow splash_url
  http_access allow accepted_url session_login
  http_access deny protected !session_is_active

Amos
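A model of the access flow discussed in this thread, added here as an example; it is not Squid code and not part of the original message. Two SessionStore objects stand in for two ext_session_acl helper instances that each keep sessions only in their own memory, and decide() walks the http_access rules of the corrected config in order. The client IP, URLs and timestamps are constructed.

```python
"""Model of the splash-page session flow: shared vs. separate helper stores."""
import re
import time


class SessionStore:
    """Stands in for one ext_session_acl helper instance (-a -T 60):
    sessions live in this instance's memory only, keyed by %SRC (client IP)."""

    def __init__(self, lifetime=60):
        self.lifetime = lifetime
        self.sessions = {}  # client IP -> expiry timestamp

    def check(self, ip, login=False, now=None):
        now = time.time() if now is None else now
        if login:  # active mode: the LOGIN lookup starts the session
            self.sessions[ip] = now + self.lifetime
            return True
        return self.sessions.get(ip, 0) > now


def decide(login_store, check_store, ip, url, now):
    """Evaluate the http_access rules of the corrected config; first match wins."""
    path = re.sub(r"^https?://[^/]+", "", url)          # what urlpath_regex sees
    splash_url = re.match(r"(?i)^http://192\.168\.56\.101/splash\.html$", url)
    accepted_url = re.search(r"(?i)accepted\.html$", path)  # acl accepted_url
    protected = re.match(r"^/FP", path)                      # acl protected
    if splash_url:                                           # allow splash_url
        return "allow"
    if accepted_url and login_store.check(ip, login=True, now=now):
        return "allow"                                       # allow accepted_url session_login
    if protected and not check_store.check(ip, now=now):
        return "deny(splash)"                                # deny protected !session_is_active
    # No rule matched: Squid defaults to the opposite of the last rule (deny -> allow).
    return "allow"


def walk(shared):
    """Replay one client's requests; shared=False models the two-directive mistake."""
    login_store = SessionStore()
    check_store = login_store if shared else SessionStore()
    ip = "192.168.56.50"  # constructed client address
    site = "http://192.168.56.101"
    return [decide(login_store, check_store, ip, site + "/FP/doc.pdf", 0),
            decide(login_store, check_store, ip, site + "/accepted.html", 1),
            decide(login_store, check_store, ip, site + "/FP/doc.pdf", 2),
            decide(login_store, check_store, ip, site + "/FP/doc.pdf", 100)]
```

With a single helper the third request is allowed and the fourth is denied again once the 60 second session has lapsed; with two helpers the session started by LOGIN is never visible to the checking side, so protected content stays denied.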