
Re: Trouble with Session Handler

Hi Amos,

Thanks so much for the prompt reply. I've got it working, but
please see inline below:

On 25 July 2014 21:30, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 25/07/2014 7:13 p.m., Cemil Browne wrote:
>> Hi all, I'm trying to set up a situation as follows:  I have a web
>> server at [server]:80. I've got squid installed on [server]:3000.
>
> This is back to front.
>
> Squid should be the gateway listening on [server]:80, with the web
> server listening on a private IP of the machine, also port 80 if
> possible (ie localhost:80).

Agreed - for testing purposes at this point, final IPs/Ports TBD.
Thank you for the advice.
>
>
>> The requirement is to ensure that any request to web server protected
>> content (/FP/*) is redirected to a splash page (terms and conditions),
>> accepted, then allowed.  I've got most of the way, but the last bit
>> doesn't work.  This is on a private network.
>>
>> Squid config:
>>
>> http_port 3000 accel defaultsite=192.168.56.101
>> cache_peer 127.0.0.1 parent 80 0 no-query originserver
>>
>>
>> external_acl_type session ttl=3 concurrency=100 %SRC /usr/lib/squid/ext_session_acl -a -T 60
>>
>> acl session_login external session LOGIN
>>
>> external_acl_type session_active_def ttl=3 concurrency=100 %SRC /usr/lib/squid/ext_session_acl -a -T 60
>>
>
> Each of the above two external_acl_type definitions runs different
> helper instances. Since you have not defined an on-disk database that
> they share the session data will be stored in memory for whichever one
> is starting the sessions, but inaccessible to the one checking if
> session exists.

Interesting - I've changed this and it works, however, I was following
the instructions at:

http://wiki.squid-cache.org/ConfigExamples/Portal/Splash

Which has two different external_acl_type definitions - agreed that
the example at the wiki stores to disk, but I tried that as well.
Perhaps I stored to a file rather than a directory (/tmp/session.db)
and that's the issue?

>
>
>> acl session_is_active external session_active_def
>>
>
> What you should have is exactly *1* external_acl_type directive, used by
> two different acl directives.
>
> Like so:
>   external_acl_type session ttl=3 concurrency=100 %SRC /usr/lib/squid/ext_session_acl -a -T 60
>
>   acl session_login external session LOGIN
>   acl session_is_active external session
>
>> acl accepted_url url_regex -i accepted.html.*
>> acl splash_url url_regex -i ^http://192.168.56.101:3000/splash.html$
>> acl protected url_regex FP.*
>
> Regex has implicit .* before and after every pattern unless an ^ or $
> anchor is specified. You do not have to write the .*

Thanks again - good to know.

>
> Also, according to your policy description that last pattern should be
> matching path prefix "/FP" not any URL containing "FP".
>
>>
>> http_access allow splash_url
>> http_access allow accepted_url session_login
>>
>> http_access deny protected !session_is_active
>>
>> deny_info http://192.168.56.101:3000/splash.html session_is_active
>
> It is best to use splash.html as static page delivered in place of the
> access denied page:
>  deny_info splash.html session_is_active
>
> then have the ToC accept button URL be the one which begins the session.
>
> So stitching the above changes into your squid.conf you should have this:
>
>   http_port 192.168.56.101:80 accel defaultsite=192.168.56.101
>   cache_peer 127.0.0.1 parent 80 0 no-query originserver
>
>   external_acl_type session ttl=3 concurrency=100 %SRC /usr/lib/squid/ext_session_acl -a -T 60
>
>   acl session_login external session LOGIN
>   acl session_is_active external session
>   deny_info /etc/squid/splash.html session_is_active
>
>   acl accepted_url urlpath_regex -i accepted.html$
>   acl splash_url url_regex -i ^http://192.168.56.101/splash.html$
>   acl protected urlpath_regex ^/FP
>
>   http_access allow splash_url
>   http_access allow accepted_url session_login
>   http_access deny protected !session_is_active
>
>
> Amos

Thanks again - I've made some minor tweaks to what you've put above
and this is now working.  I really appreciate the help on this one -
got me over a serious hump!

Thanks,
Cemil
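
The failure discussed in this thread, as an added sketch that is not part of the original messages and is not Squid's code: a toy model of the three http_access rules with the session helper in active mode (-a, -T 60), run once with two separate in-memory helper instances and once with a single shared one. The names SessionHelper, http_access and replay, the client address and the request times are constructed for illustration; Squid's own ttl=3 result caching is not modelled, and unmatched requests are assumed to be allowed.

```python
import re


class SessionHelper:
    """Simplified stand-in for one ext_session_acl -a process (in-memory store)."""

    def __init__(self, timeout=60):
        self.timeout = timeout      # corresponds to -T 60
        self.last_seen = {}         # %SRC key -> time of last activity

    def lookup(self, src, arg=None, now=0):
        if arg == "LOGIN":          # acl session_login external session LOGIN
            self.last_seen[src] = now
            return True
        seen = self.last_seen.get(src)
        if seen is not None and now - seen <= self.timeout:
            self.last_seen[src] = now   # activity keeps the session alive
            return True
        return False                # no session known to THIS instance


def http_access(login_helper, active_helper, src, path, now):
    """First-match evaluation of the rules from the corrected squid.conf."""
    if path == "/splash.html":                                   # allow splash_url
        return "allow"
    if re.search(r"accepted.html$", path, re.I) and \
            login_helper.lookup(src, "LOGIN", now):              # allow accepted_url session_login
        return "allow"
    if re.search(r"^/FP", path) and \
            not active_helper.lookup(src, None, now):            # deny protected !session_is_active
        return "deny -> splash"
    return "allow"                  # assumption: nothing else restricts the request


def replay(shared):
    """Replay one client's requests; shared=False models two external_acl_type lines."""
    login = SessionHelper()
    active = login if shared else SessionHelper()
    src = "192.168.56.1"            # constructed client address
    requests = [(0, "/FP/doc"), (1, "/accepted.html"), (2, "/FP/doc"), (200, "/FP/doc")]
    return [http_access(login, active, src, path, now) for now, path in requests]


if __name__ == "__main__":
    print("two helpers:", replay(shared=False))
    print("one helper: ", replay(shared=True))
```

With two helpers the request at t=2 is still sent to the splash page because the LOGIN was recorded in a store the checking instance cannot see; with one helper it is allowed until the 60-second idle timeout has passed.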
