Re: [squid-users] Redirect Cached on deny_info

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 07 Oct 2011 01:07:52 +1300

On 01/10/11 06:18, 0xception wrote:
> Hi,
>
> So I'm attempting to set up squid to interact with a hotspot/portal
> system where squid uses deny_info to redirect users to a terms page.
> Once they login their packets are marked and do not go through the
> proxy anymore. However when I configure squid to use deny_info like
> below it seems to cache the redirect in the users browser. So for
> about 5-10 min after they have logged in and are no longer going
> through the proxy they still get redirected every time they attempt to
> go to that original requesting page.
>
> cache deny all

  ... prevents Squid storing things itself. This is not usually a problem.

> ...
> acl whitelist dstdomain "/etc/squid/domains.lst"
> deny_info http://login.domain.com/ whitelist
> http_access deny !whitelist
>
> I've tried using a url_redirector script to handle the redirect and
> using 307 instead of a 302 code but both seem to be cached in browser.
> Is there any way to force the browser to not cache the redirect? Or
> perhaps another way to go about this? Example use case below, thanks
> for any help/advice.

Interesting. The redirector methods should have worked. It is not bound
to produce identical results on every request like dstdomain.

>
> Example:
> 1. User opens web browser and requests http://xkcd.com
> 2. Request to http://xkcd.com is then redirected with a HTTP 302 code
> to Login page.
> 3. User authenticates and accepts terms and conditions
> 4. User requests http://xkcd.com again after authenticating. They are
> redirected back to the login page

dstdomain is a static ACL only re-loaded during squid startup. You
update the whitelist and restart your whole Squid on every user login?

This is why external_acl_type ACLs are used for login splash pages and
sessions. They are completely dynamic in input->output mapping with
tunable TTL on the resulting action.

> 5. All other webpages and domains work as expected without problems.
>
> Thanks,
> Using squid 3.1.11

Overall, this is very strange. Squid does not send cache control details
on generated 30x replies. So caching is not permitted.
  You can verify that with "squidclient http://xkcd.com/" to your
Squid. It should look something like this:

### squidclient http://c.com/
HTTP/1.1 302 Moved Temporarily
Server: squid/3.HEAD-BZR
Mime-Version: 1.0
Date: Thu, 06 Oct 2011 11:50:49 GMT
Content-Type: text/html
Content-Length: 0
Location: http://login.domain.com/
X-Cache: MISS from troja0
Via: 1.1 troja0 (squid/3.HEAD-BZR)
Connection: close

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.15
   Beta testers wanted for 3.2.0.12
Received on Thu Oct 06 2011 - 12:08:02 MDT
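
The external_acl_type approach recommended in the reply above, as an added example (not code from this thread or from the Squid project): a helper that answers OK or ERR per client IP from a session store the portal is assumed to write at login. The helper path, ACL names, session file location and format, and the session lifetime are all assumptions.

```python
# Assumed squid.conf wiring (helper path and ACL names are hypothetical):
#   external_acl_type portal_session ttl=30 negative_ttl=0 %SRC /usr/local/bin/portal_session.py
#   acl logged_in external portal_session
#   deny_info http://login.domain.com/ logged_in
#   http_access deny !logged_in
import ipaddress
import sys
import time

SESSION_FILE = "/var/run/portal/sessions.txt"  # hypothetical: "<ip> <login_epoch>" per line
SESSION_LIFETIME = 8 * 3600                    # assumed session length, in seconds

def load_sessions(lines):
    """Parse '<ip> <login_epoch>' records into {ip: epoch}, skipping bad lines."""
    sessions = {}
    for raw in lines:
        try:
            ip, started = raw.split()
            sessions[str(ipaddress.ip_address(ip))] = float(started)
        except ValueError:
            continue  # wrong field count, bad address or bad timestamp
    return sessions

def decide(request_line, sessions, now, lifetime=SESSION_LIFETIME):
    """Return the helper reply ('OK' or 'ERR') for one %SRC request line."""
    try:
        ip = str(ipaddress.ip_address(request_line.split()[0]))
    except (IndexError, ValueError):
        return "ERR"  # fail closed on empty or unparseable input
    started = sessions.get(ip)
    if started is None or not (0 <= now - started < lifetime):
        return "ERR"  # no session, expired session, or future-dated record
    return "OK"

def serve(stdin=sys.stdin, stdout=sys.stdout, path=SESSION_FILE):
    """Answer one line per request; re-read the store so new logins apply at once."""
    for line in stdin:
        try:
            with open(path) as fh:
                sessions = load_sessions(fh)
        except OSError:
            sessions = {}  # store missing: every client is sent to the portal
        stdout.write(decide(line, sessions, time.time()) + "\n")
        stdout.flush()  # Squid blocks until the reply line arrives

if __name__ == "__main__":
    serve()
```

With negative_ttl=0 Squid does not remember an ERR result, so the first request after login is re-checked against the helper; the positive ttl bounds how long a revoked session keeps passing.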
