Re: [squid-users] Redirect Cached on deny_info

From: 0xception <0xception_at_gmail.com>
Date: Fri, 7 Oct 2011 11:17:55 -0700

Okay,

I'll double check/test the redirector to make sure and give the
squidclient a test to check for cache control headers. But with the
whitelist I don't reload squid each time. The whitelist is actually just
used to allow specific domains through and then I use iptables to
control who gets sent to the squid proxy in the first place. So once
they are authenticated they no longer go through the proxy or at least
through this instance of squid.

Thanks for the help.

On Thu, Oct 6, 2011 at 5:07 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 01/10/11 06:18, 0xception wrote:
>>
>> Hi,
>>
>> So I'm attempting to set up squid to interact with a hotspot/portal
>> system where squid uses deny_info to redirect users to a terms page.
>> Once they login their packets are marked and do not go through the
>> proxy anymore. However when I configure squid to use deny_info like
>> below it seems to cache the redirect in the users browser. So for
>> about 5-10 min after they have logged in and are no longer going
>> through the proxy they still get redirected every time they attempt to
>> go to that original requesting page.
>>
>> cache deny all
>
>  ... prevents Squid storing things itself. This is not usually a problem.
>
>> ...
>> acl whitelist dstdomain "/etc/squid/domains.lst"
>> deny_info http://login.domain.com/ whitelist
>> http_access deny !whitelist
>>
>> I've tried using a url_redirector script to handle the redirect and
>> using 307 instead of a 302 code but both seem to be cached in browser.
>> Is there any way to force the browser to not cache the redirect? Or
>> perhaps another way to go about this? Example use case below, thanks
>> for any help/advice.
>
> Interesting. The redirector methods should have worked. It is not bound to
> produce identical results on every request like dstdomain.
>
>>
>> Example:
>> 1. User opens web browser and requests http://xkcd.com
>> 2. Request to http://xkcd.com is then redirected with a HTTP 302 code
>> to Login page.
>> 3. User authenticates and accepts terms and conditions
>> 4. User requests http://xkcd.com again after authenticating. They are
>> redirected back to the login page
>
> dstdomain is a static ACL only re-loaded during squid startup. You update
> the whitelist and restart your whole Squid on every user login?
>
> This is why external_acl_type ACLs are used for login splash pages and
> sessions. They are completely dynamic in input->output mapping with tunable
> TTL on the resulting action.
>
>> 5. All other webpages and domains work as expected without problems.
>>
>> Thanks,
>> Using squid 3.1.11
>
> Overall, this is very strange. Squid does not send cache control details on
> generated 30x replies. So caching is not permitted.
>  You can verify that with "squidclient http://xkcd.com/" to your Squid. It
> should look something like this:
>
> ### squidclient http://c.com/
> HTTP/1.1 302 Moved Temporarily
> Server: squid/3.HEAD-BZR
> Mime-Version: 1.0
> Date: Thu, 06 Oct 2011 11:50:49 GMT
> Content-Type: text/html
> Content-Length: 0
> Location: http://login.domain.com/
> X-Cache: MISS from troja0
> Via: 1.1 troja0 (squid/3.HEAD-BZR)
> Connection: close
>
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.15
>  Beta testers wanted for 3.2.0.12
>
Received on Fri Oct 07 2011 - 18:18:02 MDT
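
The header check discussed in this thread, as an added example that is not part of the original messages: it parses a raw reply such as the squidclient output quoted above and reports whether a browser is allowed to reuse the redirect under the HTTP caching rules (RFC 7234). The second sample reply and all function names are constructed for illustration.

```python
import re
from email.utils import parsedate_to_datetime

HEURISTIC_CODES = {301, 308}  # redirects cacheable without explicit freshness

# Reply quoted in the thread (abridged), generated by Squid for deny_info.
SQUID_REPLY = """HTTP/1.1 302 Moved Temporarily
Date: Thu, 06 Oct 2011 11:50:49 GMT
Location: http://login.domain.com/
"""
# Constructed sample: the same redirect carrying a ten-minute lifetime.
CACHED_REPLY = """HTTP/1.1 302 Found
Date: Thu, 06 Oct 2011 11:50:49 GMT
Location: http://login.domain.com/
Cache-Control: max-age=600
"""

def parse_reply(raw):
    """Return (status, headers) from a raw reply such as squidclient output."""
    lines = raw.strip().splitlines()
    match = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    if not match:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line.strip():  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers

def browser_cache_verdict(raw):
    """Return (verdict, seconds): 'no', 'explicit' (for N seconds) or 'heuristic'."""
    status, headers = parse_reply(raw)
    cc = headers.get("cache-control", "").lower()
    if "no-store" in cc or "no-cache" in cc:
        return "no", 0
    max_age = re.search(r"max-age=(\d+)", cc)  # does not match s-maxage
    if max_age or "expires" in headers:
        try:
            seconds = int(max_age.group(1)) if max_age else int((
                parsedate_to_datetime(headers["expires"])
                - parsedate_to_datetime(headers["date"])).total_seconds())
        except (KeyError, TypeError, ValueError):
            seconds = 0  # missing Date or unparsable Expires: treat as expired
        return ("explicit", seconds) if seconds > 0 else ("no", 0)
    if status in HEURISTIC_CODES or "public" in cc:
        return "heuristic", None  # lifetime is chosen by the browser
    return "no", 0
```

Feeding it the output of squidclient for the deny_info path and for the redirector path shows which of the two, if either, hands the browser a lifetime for the redirect.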
