Re: [squid-users] ext_session_acl active mode

From: Jack Black <>
Date: Sat, 14 Jul 2012 17:25:47 -0600

It appears that this is happening because according to the above
configuration, is the page that it should redirect
clients to while only the page
is allowed to be loaded. is
also the page that resets the connection in this case. I'm pretty sure
all I need is to add to the allow list and
everything should work again. Does that make sense? If so, looks like
I'll need to do some reading on squid ACLs to find out how to do this

On Sat, Jul 14, 2012 at 10:28 AM, Jack Black <> wrote:
> Hmm. The configuration I'm using in squid.conf is this:
> # Set up the session helper in active mode. Mind the wrap - this is one line:
> external_acl_type session ipv4 concurrency=100 ttl=3 %SRC
> /usr/local/squid/libexec/ext_session_acl -a -T 60 -b
> /usr/local/squid/var/lib/squid/session/
> # Pass the LOGIN command to the session helper with this ACL
> acl session_login external session LOGIN
> # Set up the normal session helper. Mind the wrap - this is one line:
> external_acl_type session_active_def ipv4 concurrency=100 ttl=3 %SRC
> /usr/local/squid/libexec/ext_session_acl -a -T 60 -b
> /usr/local/squid/var/lib/squid/session/
> # Normal session ACL as per simple example
> acl session_is_active external session_active_def
> # ACL to match URL
> acl clicked_login_url url_regex -i ^
> # First check for the login URL. If present, login session
> http_access allow clicked_login_url session_login
> # If we get here, URL not present, so renew session or deny request.
> http_access deny !session_is_active
> # Deny page to display
> deny_info session_is_active
> renew_session.html being the page I want to have a link to on the
> splash page that will reset the session. For some reason, whenever it
> tries to redirect a browser to the splash page with this
> configuration, the browser ends up showing me a "The page isn't
> redirecting properly" error instead of loading the page. Same thing
> happens if I replace with any
> other page. It appears that the only way the configuration works is if
> the deny_info line and the url_regex are exactly the same. Am I doing
> something wrong?
> Tal
> On Sat, Jul 14, 2012 at 9:52 AM, Jack Black <> wrote:
>> Oh - that makes way more sense than what I was doing. Thanks!
>> Tal
>> On Sat, Jul 14, 2012 at 4:21 AM, Amos Jeffries <> wrote:
>>> On 14/07/2012 3:13 p.m., Jack Black wrote:
>>>> Hi.
>>>> According to this page:
>>>> Active Mode is supposed to prevent random software like anti-viruses
>>>> from resetting the session when using ext_session_acl. Is this only
>>>> true for software that uses TCP port 80, but NOT HTTP? I have
>>>> configured active mode, and it works, but if my anti-virus checks
>>>> online for updates (which it does all the time), the session gets
>>>> reset and the browser never shows the splash page. The antivirus
>>>> appears to use HTTP, since the log file shows this:
>>>> TCP_DENIED/302 354 GET
>>>> - HIER_NONE/-
>>>> text/html
>>>> Which also indicates that it's what received the splash page. Is this
>>>> expected behaviour? Is there a way to make sure that only a browser
>>>> can reset the session and ignore other software that may use the HTTP
>>>> protocol?
>>> The expected behaviour is that everything making HTTP requests from the box
>>> gets DENIED/302 splash page until you click on some link presented in that
>>> page. thus manually requestign the "login" URL.
>>> Amos
Received on Sat Jul 14 2012 - 23:25:55 MDT

This archive was generated by hypermail 2.2.0 : Sun Jul 15 2012 - 12:00:02 MDT