Hi Amos,

Thanks so much for the prompt reply. I've got it working, but please see inline below:

On 25 July 2014 21:30, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 25/07/2014 7:13 p.m., Cemil Browne wrote:
>> Hi all, I'm trying to set up a situation as follows: I have a web
>> server at [server]:80 . I've got squid installed on [server]:3000 .
>
> This is back to front.
>
> Squid should be the gateway listening on [server]:80, with the web
> server listening on a private IP of the machine, also port 80 if
> possible (ie localhost:80).

Agreed - for testing purposes at this point, final IPs/Ports TBD. Thank you for the advice.

>
>
>> The requirement is to ensure that any request to web server protected
>> content (/FP/*) is redirected to a splash page (terms and conditions),
>> accepted, then allowed. I've got most of the way, but the last bit
>> doesn't work. This is on a private network.
>>
>> Squid config:
>>
>> http_port 3000 accel defaultsite=192.168.56.101
>> cache_peer 127.0.0.1 parent 80 0 no-query originserver
>>
>>
>> external_acl_type session ttl=3 concurrency=100 %SRC
>> /usr/lib/squid/ext_session_acl -a -T 60
>>
>> acl session_login external session LOGIN
>>
>> external_acl_type session_active_def ttl=3 concurrency=100 %SRC
>> /usr/lib/squid/ext_session_acl -a -T 60
>>
>
> Each of the above two external_acl_type definitions runs different
> helper instances. Since you have not defined an on-disk database that
> they share, the session data will be stored in memory for whichever one
> is starting the sessions, but inaccessible to the one checking if
> session exists.

Interesting - I've changed this and it works, however, I was following the instructions at:
http://wiki.squid-cache.org/ConfigExamples/Portal/Splash

Which has two different external_acl_type definitions - agreed that the example at the wiki stores to disk, but I tried that as well. Perhaps I stored to a file rather than a directory (/tmp/session.db) and that's the issue?
>
>
>> acl session_is_active external session_active_def
>>
>
> What you should have is exactly *1* external_acl_type directive, used by
> two different acl directives.
>
> Like so:
> external_acl_type session ttl=3 concurrency=100 %SRC
> /usr/lib/squid/ext_session_acl -a -T 60
>
> acl session_login external session LOGIN
> acl session_is_active external session
>
>> acl accepted_url url_regex -i accepted.html.*
>> acl splash_url url_regex -i ^http://192.168.56.101:3000/splash.html$
>> acl protected url_regex FP.*
>
> Regex has implicit .* before and after every pattern unless an ^ or $
> anchor is specified. You do not have to write the .*

Thanks again - good to know.

>
> Also, according to your policy description that last pattern should be
> matching path prefix "/FP" not any URL containing "FP".
>
>>
>> http_access allow splash_url
>> http_access allow accepted_url session_login
>>
>> http_access deny protected !session_is_active
>>
>> deny_info http://192.168.56.101:3000/splash.html session_is_active
>
> It is best to use splash.html as static page delivered in place of the
> access denied page:
> deny_info splash.html session_is_active
>
> then have the ToC accept button URL be the one which begins the session.
>
> So stitching the above changes into your squid.conf you should have this:
>
> http_port 192.168.56.101:80 accel defaultsite=192.168.56.101
> cache_peer 127.0.0.1 parent 80 0 no-query originserver
>
> external_acl_type session ttl=3 concurrency=100 %SRC
> /usr/lib/squid/ext_session_acl -a -T 60
>
> acl session_login external session LOGIN
> acl session_is_active external session
> deny_info /etc/squid/splash.html session_is_active
>
> acl accepted_url urlpath_regex -i accepted.html$
> acl splash_url url_regex -i ^http://192.168.56.101/splash.html$
> acl protected urlpath_regex ^/FP
>
> http_access allow splash_url
> http_access allow accepted_url session_login
> http_access deny protected !session_is_active
>
>
> Amos

Thanks again - I've made some minor tweaks to what you've put above and this is now working. I really appreciate the help on this one - got me over a serious hump!

Thanks,
Cemil
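
The failure discussed in this thread (two `external_acl_type` definitions, each with its own in-memory session store) can be reproduced with a small model. This is an added example, not part of the original messages and not Squid or helper source code; the `SessionHelper` class, the function names and the client address `192.168.56.50` are constructed for illustration, and the helper behaviour is simplified to active mode (`-a`) with a fixed timeout (`-T 60`).

```python
# Simplified model (assumption, not Squid source): every external_acl_type
# definition starts its own helper, and without a shared on-disk database
# each helper keeps its sessions in its own memory.

class SessionHelper:
    """Stand-in for one ext_session_acl instance run with -a -T <timeout>."""

    def __init__(self, timeout=60):
        self.timeout = timeout
        self.sessions = {}  # %SRC -> login time, private to this helper

    def lookup(self, src, arg=None, now=0):
        if arg == "LOGIN":  # active mode: only LOGIN starts a session
            self.sessions[src] = now
            return "OK"
        if arg == "LOGOUT":
            self.sessions.pop(src, None)
            return "OK"
        started = self.sessions.get(src)
        if started is not None and now - started <= self.timeout:
            return "OK"
        return "ERR"


def walk_through(login_helper, check_helper, src="192.168.56.50"):
    """Replay the splash flow; return whether /FP is allowed at each check."""
    allowed = []
    # 1. First request to /FP: "http_access deny protected !session_is_active"
    allowed.append(check_helper.lookup(src, now=0) == "OK")
    # 2. Terms accepted: "http_access allow accepted_url session_login"
    login_helper.lookup(src, "LOGIN", now=1)
    # 3. Retry /FP inside the timeout window
    allowed.append(check_helper.lookup(src, now=2) == "OK")
    # 4. Retry after the fixed 60 second timeout has passed
    allowed.append(check_helper.lookup(src, now=100) == "OK")
    return allowed


def original_config():
    # Two external_acl_type lines: two helpers, two separate stores
    return walk_through(SessionHelper(60), SessionHelper(60))


def corrected_config():
    # One external_acl_type line used by both acl directives
    helper = SessionHelper(60)
    return walk_through(helper, helper)


if __name__ == "__main__":
    print("original :", original_config())
    print("corrected:", corrected_config())
```

With separate helpers the LOGIN is never visible to the check, so the client is sent back to the splash page on every request; with one shared helper the session is honoured until the timeout and then has to be accepted again.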