Re: [squid-users] ext_session_acl active mode

From: Jack Black <secretagent101_at_gmail.com>
Date: Sat, 14 Jul 2012 17:58:43 -0600

Ok - it appears that my new configuration is working:

acl splash_page url_regex -i ^http://192.168.13.3

# Set up the session helper in active mode.
external_acl_type session ipv4 concurrency=100 ttl=3 %SRC /usr/local/squid/libexec/ext_session_acl -a -T 60 -b /usr/local/squid/var/lib/squid/session/

# Pass the LOGIN command to the session helper with this ACL
acl session_login external session LOGIN

# Set up the normal session helper.
external_acl_type session_active_def ipv4 concurrency=100 ttl=3 %SRC /usr/local/squid/libexec/ext_session_acl -a -T 60 -b /usr/local/squid/var/lib/squid/session/

# Normal session ACL as per simple example
acl session_is_active external session_active_def

# ACL to match URL
acl clicked_login_url url_regex -i ^http://192.168.13.3/renew_session.html

# First check for the login URL. If present, login session
http_access allow clicked_login_url session_login
http_access allow splash_page

# If we get here, URL not present, so renew session or deny request.
http_access deny !session_is_active

# Deny page to display
deny_info http://192.168.13.3 session_is_active

Tal

On Sat, Jul 14, 2012 at 5:25 PM, Jack Black <secretagent101_at_gmail.com> wrote:
> It appears that this is happening because according to the above
> configuration, http://192.168.13.3 is the page that it should redirect
> clients to while only the page http://192.168.13.3/renew_session.html
> is allowed to be loaded. http://192.168.13.3/renew_session.html is
> also the page that resets the connection in this case. I'm pretty sure
> all I need is to add http://192.168.13.3 to the allow list and
> everything should work again. Does that make sense? If so, looks like
> I'll need to do some reading on squid ACLs to find out how to do this
> properly.
>
> On Sat, Jul 14, 2012 at 10:28 AM, Jack Black <secretagent101_at_gmail.com> wrote:
>> Hmm. The configuration I'm using in squid.conf is this:
>>
>> # Set up the session helper in active mode. Mind the wrap - this is one line:
>> external_acl_type session ipv4 concurrency=100 ttl=3 %SRC
>> /usr/local/squid/libexec/ext_session_acl -a -T 60 -b
>> /usr/local/squid/var/lib/squid/session/
>>
>> # Pass the LOGIN command to the session helper with this ACL
>> acl session_login external session LOGIN
>>
>> # Set up the normal session helper. Mind the wrap - this is one line:
>> external_acl_type session_active_def ipv4 concurrency=100 ttl=3 %SRC
>> /usr/local/squid/libexec/ext_session_acl -a -T 60 -b
>> /usr/local/squid/var/lib/squid/session/
>>
>> # Normal session ACL as per simple example
>> acl session_is_active external session_active_def
>>
>> # ACL to match URL
>> acl clicked_login_url url_regex -i ^http://192.168.13.3/renew_session.html
>>
>> # First check for the login URL. If present, login session
>> http_access allow clicked_login_url session_login
>>
>> # If we get here, URL not present, so renew session or deny request.
>> http_access deny !session_is_active
>>
>> # Deny page to display
>> deny_info http://192.168.13.3 session_is_active
>>
>> renew_session.html being the page I want to have a link to on the
>> splash page that will reset the session. For some reason, whenever it
>> tries to redirect a browser to the splash page with this
>> configuration, the browser ends up showing me a "The page isn't
>> redirecting properly" error instead of loading the page. Same thing
>> happens if I replace http://192.168.13.3/renew_session.html with any
>> other page. It appears that the only way the configuration works is if
>> the deny_info line and the url_regex are exactly the same. Am I doing
>> something wrong?
>>
>> Tal
>>
>> On Sat, Jul 14, 2012 at 9:52 AM, Jack Black <secretagent101_at_gmail.com> wrote:
>>> Oh - that makes way more sense than what I was doing. Thanks!
>>>
>>> Tal
>>>
>>> On Sat, Jul 14, 2012 at 4:21 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>>>> On 14/07/2012 3:13 p.m., Jack Black wrote:
>>>>>
>>>>> Hi.
>>>>>
>>>>> According to this page:
>>>>>
>>>>> http://wiki.squid-cache.org/ConfigExamples/Portal/Splash
>>>>>
>>>>> Active Mode is supposed to prevent random software like anti-viruses
>>>>> from resetting the session when using ext_session_acl. Is this only
>>>>> true for software that uses TCP port 80, but NOT HTTP? I have
>>>>> configured active mode, and it works, but if my anti-virus checks
>>>>> online for updates (which it does all the time), the session gets
>>>>> reset and the browser never shows the splash page. The antivirus
>>>>> appears to use HTTP, since the log file shows this:
>>>>>
>>>>> TCP_DENIED/302 354 GET
>>>>> http://download353.avast.com/iavs5x/prod-ais.vpx - HIER_NONE/-
>>>>> text/html
>>>>>
>>>>> Which also indicates that it's what received the splash page. Is this
>>>>> expected behaviour? Is there a way to make sure that only a browser
>>>>> can reset the session and ignore other software that may use the HTTP
>>>>> protocol?
>>>>
>>>>
>>>> The expected behaviour is that everything making HTTP requests from the box
>>>> gets DENIED/302 splash page until you click on some link presented in that
>>>> page, thus manually requesting the "login" URL.
>>>>
>>>> Amos
Received on Sat Jul 14 2012 - 23:58:50 MDT
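
Added example (not part of the original thread, and not Squid code): a small Python model of first-match http_access evaluation, showing why the 10:28 AM configuration loops on the splash URL and the final configuration does not. The session helper is reduced to a flag, and `browse`, `http_access` and `acl_matches` are hypothetical helper names.

```python
import re

SPLASH = "http://192.168.13.3"  # deny_info target in the posted config
LOGIN = "http://192.168.13.3/renew_session.html"
# url_regex -i patterns copied from the posted config
ACLS = {
    "splash_page": re.compile(r"^http://192.168.13.3", re.I),
    "clicked_login_url": re.compile(r"^http://192.168.13.3/renew_session.html", re.I),
}
# http_access lines as (action, [ACL names]); "!" negates, as in squid.conf
OLD_RULES = [("allow", ["clicked_login_url", "session_login"]),
             ("deny", ["!session_is_active"])]
NEW_RULES = [("allow", ["clicked_login_url", "session_login"]),
             ("allow", ["splash_page"]),
             ("deny", ["!session_is_active"])]

def acl_matches(name, url, state):
    """Evaluate one ACL; the session helper is modelled as a flag (assumption)."""
    negate, name = name.startswith("!"), name.lstrip("!")
    if name == "session_login":        # LOGIN creates the session and matches
        state["active"] = True
        hit = True
    elif name == "session_is_active":  # active mode: lookup only, never creates
        hit = state["active"]
    else:
        hit = bool(ACLS[name].search(url))
    return hit != negate

def http_access(rules, url, state):
    """First matching line wins; ACLs on a line are ANDed left to right."""
    for action, names in rules:
        if all(acl_matches(n, url, state) for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "allow" if rules[-1][0] == "deny" else "deny"

def browse(rules, url, state=None, max_hops=5):
    """Follow the deny_info 302 as a browser would; return (outcome, redirects)."""
    state = {"active": False} if state is None else state
    for hop in range(max_hops):
        if http_access(rules, url, state) == "allow":
            return ("loaded " + url, hop)
        url = SPLASH  # denied: redirected to the deny_info URL
    return ("redirect loop", max_hops)

if __name__ == "__main__":
    av = "http://download353.avast.com/iavs5x/prod-ais.vpx"  # URL from the quoted log line
    print(browse(OLD_RULES, av))  # splash URL itself is denied
    print(browse(NEW_RULES, av))  # splash_page allow line breaks the loop
```

In this model the unanchored splash_page pattern also admits http://192.168.13.30/ with no session. A pattern such as ^http://192\.168\.13\.3(/|$) (a suggestion, not from the thread) limits the allow line to the splash host.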
