Re: [squid-users] Trying to implement Portal Splash

From: Amos Jeffries <>
Date: Sat, 13 Nov 2010 18:20:01 +1300

On 13/11/10 03:21, Jim Moseby wrote:
> Using Debian platform with 2.6.STABLE14, and am following the config
> example found at
> I cannot seem to make this work.
> The config example says...
> Paste the configuration file like this:
> # mind the wrap. this is one line: external_acl_type session ttl=60
> %SRC /usr/local/sbin/squid/squid_session -t 7200 -b
> /etc/squid/session.db
> acl new_users external session
> deny_info new_users
> http_access deny !new_users
> For the Debian package I had to modify the path to squid_session,
> else squid would not start. No big deal. Correct path for my system
> was: /usr/lib/squid/squid_session
> I also changed the deny_info target to a valid splash page on an
> accessible server. I made sure that the splash page can be loaded by
> any client if accessed directly.
> ...the config example then goes on to say...
> "This is just the snippet of config which causes the splash page and
> session to be enacted. Rules which permit the visitor use of the
> proxy are expected to be placed as appropriate below them. The basic
> default safety nets should as always be above them."
> This seems a bit ambiguous for people who are new to squid (like me).
> I have tried pasting the block of code in various places in my config
> file, and it seems no matter where I put it, I get the same result
> from IE: "The page cannot not displayed, Diagnose Connection
> Problems".

Your config should have the http_access rules broken into three labeled
  One labeled "Recommended minimum configuration" has the basic security
CLIENTS" ... as it says.
  and One labeled "And finally deny all other access to this proxy"

You can do almost anything you like in the middle section without
causing too much damage. Altering the others needs a bit of care.

> Squid and AUTH works perfectly otherwise. Ideally, I want a splash
> page that displays our AUP, and has a form for username and password.
> Upon entering a valid username and password, acceptance of the AUP id
> confirmed and access to the proxy is granted.
> TIA! Jim
> My squid.conf follows:
> #----- SQUID 2.6.STABLE14 -----#
> #splash
> external_acl_type session ttl=60 %SRC /usr/lib/squid/squid_session -t 7200 -b /etc/squid/session.db
> acl new_users external session
> deny_info http://proxy.efa.lan/aup.php new_users
> http_access deny !new_users
> http_access allow auth
> http_access deny all
<snip all the safety controls, which have been placed after "deny all">

Strange. This should be working. It is almost exactly the config I have
in action at several wifi POPs which that page was written about.

* Check that the /etc/squid/session.db file permissions are open for the
squid effective user to read/write.

  * Give it a try with a browser other than IE. They have diagnosis
tools which can show you which part of the transaction is failing and
details (firebug add-on for firefox or any of the webkit based browsers
have it built in).
  What you should expect to see there is a GET request for page, reply
of 302 status and followup GET request for your deny_info URL.


Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.9
   Beta testers wanted for
Received on Sat Nov 13 2010 - 05:20:06 MST

This archive was generated by hypermail 2.2.0 : Mon Nov 15 2010 - 12:00:02 MST