Re: [squid-users] ext_session_acl active mode

From: Jack Black <>
Date: Sat, 14 Jul 2012 10:28:09 -0600

Hmm. The configuration I'm using in squid.conf is this:

# Set up the session helper in active mode. Mind the wrap - this is one line:
external_acl_type session ipv4 concurrency=100 ttl=3 %SRC
/usr/local/squid/libexec/ext_session_acl -a -T 60 -b

# Pass the LOGIN command to the session helper with this ACL
acl session_login external session LOGIN

# Set up the normal session helper. Mind the wrap - this is one line:
external_acl_type session_active_def ipv4 concurrency=100 ttl=3 %SRC
/usr/local/squid/libexec/ext_session_acl -a -T 60 -b

# Normal session ACL as per simple example
acl session_is_active external session_active_def

# ACL to match URL
acl clicked_login_url url_regex -i ^

# First check for the login URL. If present, login session
http_access allow clicked_login_url session_login

# If we get here, URL not present, so renew session or deny request.
http_access deny !session_is_active

# Deny page to display
deny_info session_is_active

renew_session.html being the page I want to have a link to on the
splash page that will reset the session. For some reason, whenever it
tries to redirect a browser to the splash page with this
configuration, the browser ends up showing me a "The page isn't
redirecting properly" error instead of loading the page. Same thing
happens if I replace with any
other page. It appears that the only way the configuration works is if
the deny_info line and the url_regex are exactly the same. Am I doing
something wrong?


On Sat, Jul 14, 2012 at 9:52 AM, Jack Black <> wrote:
> Oh - that makes way more sense than what I was doing. Thanks!
> Tal
> On Sat, Jul 14, 2012 at 4:21 AM, Amos Jeffries <> wrote:
>> On 14/07/2012 3:13 p.m., Jack Black wrote:
>>> Hi.
>>> According to this page:
>>> Active Mode is supposed to prevent random software like anti-viruses
>>> from resetting the session when using ext_session_acl. Is this only
>>> true for software that uses TCP port 80, but NOT HTTP? I have
>>> configured active mode, and it works, but if my anti-virus checks
>>> online for updates (which it does all the time), the session gets
>>> reset and the browser never shows the splash page. The antivirus
>>> appears to use HTTP, since the log file shows this:
>>> TCP_DENIED/302 354 GET
>>> - HIER_NONE/-
>>> text/html
>>> Which also indicates that it's what received the splash page. Is this
>>> expected behaviour? Is there a way to make sure that only a browser
>>> can reset the session and ignore other software that may use the HTTP
>>> protocol?
>> The expected behaviour is that everything making HTTP requests from the box
>> gets DENIED/302 splash page until you click on some link presented in that
>> page, thus manually requesting the "login" URL.
>> Amos
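
A small model of how the three http_access rules at the top of this message are evaluated, added here as an illustration; it is not part of the original thread and not Squid's code. The URLs are constructed placeholders (the real ones are not shown above), and it assumes both ACLs share one session database, that the splash page is fetched through the same proxy, and it ignores the `-T 60` timeout.

```python
import re

# Constructed placeholder URLs; the thread does not show the real ones.
LOGIN_URL = "http://proxy.example/renew_session.html"
SPLASH_URL = "http://proxy.example/splash.html"
LOGIN_REGEX = r"^http://proxy\.example/renew_session\.html$"

def make_proxy(login_regex, deny_info_url):
    """Model the rules for clients keyed by source IP (%SRC)."""
    sessions = set()                           # active-mode helper state (assumed shared)
    login_re = re.compile(login_regex, re.I)   # url_regex -i

    def request(src, url):
        # http_access allow clicked_login_url session_login
        if login_re.search(url):
            sessions.add(src)                  # LOGIN creates the session
            return ("ALLOW", None)
        # http_access deny !session_is_active, answered with the deny_info redirect
        if src not in sessions:
            return ("DENY_302", deny_info_url)
        # No rule matched: the default is the opposite of the last rule (deny), so allow.
        return ("ALLOW", None)

    return request

def follow(request, src, url, max_hops=5):
    """Follow 302 responses as a browser would; return (verdict, hops)."""
    for hop in range(max_hops):
        verdict, location = request(src, url)
        if verdict != "DENY_302":
            return verdict, hop
        url = location
    return "REDIRECT_LOOP", max_hops

if __name__ == "__main__":
    same = make_proxy(LOGIN_REGEX, LOGIN_URL)     # deny_info URL equals the login URL
    split = make_proxy(LOGIN_REGEX, SPLASH_URL)   # deny_info URL is a separate splash page
    print(follow(same, "10.0.0.5", "http://site.example/"))
    print(follow(split, "10.0.0.5", "http://site.example/"))
```

In this model the separate splash page only loads once something lets an unauthenticated client fetch it, for example an allow rule for that URL placed before the `deny !session_is_active` line.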
