Hi,
I am trying to "debug" my configuration to get squid_session working.
I am following a recent thread about this issue, but couldn't solve my
problem yet. I read some old threads, but, if I didn't miss
something, my config is as expected.
I based my config lines on the squid_session.8 man page.
My main question is: will a directive like "http_access deny
somehosts !session" work as I explained here?
Explanation (squid-2.7.STABLE6):
============================
excerpt from squid.conf:
----------------------------------
external_acl_type session ttl=300 negative_ttl=0 children=1 concurrency=200 %LOGIN /usr/libexec/squid_session -t 3600 -b /squidlogs/var/session.db
acl session external session
http_access deny somehosts !session
deny_info http://anotherhost/rules/?obs=001&url=%s session
Lines are in this order. There is a "proxy_auth REQUIRED" before
session ACLs. There is not any "allow" directive before "http_access
deny somehosts !session", just denies.
Each "deny" directive is associated with a "deny_info" directive.
The location "http://anotherhost/rules/?obs=001&url=%s session" just
shows a message (plain/html text) with a "click here" link (%s) and
shows the value of $obs.
"somehosts" refers to "acl somehosts src "/etc/squid/somehosts.txt",
where somehosts.txt has a line such as 192.168.1.0/24 .
Squid is asking for user/password. Everything is working as expected,
except for squid_session.
What I want/understood:
====================
-First time a user logs in (let's say it is joebob) AND if it is coming
from "somehosts", squid starts a session and redirects to indicated
location (deny_info);
-While the session does not time out ( 1 hour = 3600s ), user will not
get redirected. After the timeout period, user gets redirected again
IF it is coming from somehosts.
-If user joebob logs in from another host ( != somehosts ), a session
is started (or updated) BUT it will not get redirected. If the session
is not updated/created, in this situation, there is no problem, but it
is important that user does __not__ get redirected, even if the
session has timed out.
-If joebob keeps using the internet, then at each hour (3600s approx.) it
would be redirected again (sure, it keeps coming from somehosts). If
joebob stops using the internet and comes back later and the session has
timed out and if it is coming from "somehosts", then it gets redirected as I
described.
-As I am using "-b /squidlogs/var/session.db" I can
shutdown/rotate/reconfigure squid and sessions will remain.
-As I am using %LOGIN, my session keys are the login names (joebob,
for example).
What I observed:
==============
-User gets a first redirect, but didn't get other redirects after
that. I tested with joebob and, using the same source IP, I didn't get
redirected for the rest of the day, even if I close my browser and log
in again or use another browser. I tested this coming from the same
src IP I got redirected once.
-I asked other users to do the test, but they got just the first
redirect too.
-/squidlogs/var/session.db is populated when I use "-k reconfigure",
so it is working. Using some perl code from internet, I could read
session.db, but I just could read the first field (logins, such as
joebob). The second field appears like "#çäI", but users in this file
are the ones using "somehosts", so, I imagine that "... somehosts
!session" ACL is working.
That is it.
Please, help me to find what I missed (or misunderstood).
If someone can point me to man pages I missed, it would be great.
I tried to understand squid_session.c, but I can't "speak" C language. :-)
Thank you.
Best regards,
Cássio
Received on Tue Apr 14 2009 - 21:35:26 MDT
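
Added example, not part of the original post and not the helper's own code: a simplified Python model of how the `ttl=300` external ACL cache and `-t 3600` from the configuration above interact for a single login. It assumes `-t` is an idle timeout (as the squid_session man page describes it), so every helper lookup refreshes the stored timestamp; `simulate`, its parameters and the request times are hypothetical.

```python
# Simplified model (assumption): one login key, passive-mode session helper.
EXT_ACL_TTL = 300     # ttl=300 on the external_acl_type line
SESSION_IDLE = 3600   # -t 3600 passed to squid_session


def simulate(request_times, acl_ttl=EXT_ACL_TTL, idle=SESSION_IDLE):
    """Return the request times at which '!session' matches (deny_info fires)."""
    last_seen = None      # timestamp the helper stores for this login
    cached_until = None   # end of Squid's cached OK verdict for this login
    redirects = []
    for now in sorted(request_times):
        if cached_until is not None and now < cached_until:
            continue                      # cached OK: the helper is not asked
        active = last_seen is not None and last_seen + idle >= now
        last_seen = now                   # every lookup refreshes the session
        if active:
            cached_until = now + acl_ttl  # positive result cached for ttl
        else:
            cached_until = None           # negative_ttl=0: ERR is never cached
            redirects.append(now)
    return redirects


if __name__ == "__main__":
    # Constructed request times, in seconds since the first request.
    steady = range(0, 8 * 3600, 600)           # one request every 10 minutes
    with_break = [0, 60, 7260, 7320]           # two-hour pause after t=60
    print("steady user redirected at:", simulate(steady))
    print("user with a break redirected at:", simulate(with_break))
```

Under this model a login that sends at least one request per hour is redirected only once, and a new redirect requires a gap longer than the idle timeout.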