On 25/07/2014 7:13 p.m., Cemil Browne wrote:
> Hi all, I'm trying to set up a situation as follows: I have a web
> server at [server]:80 . I've got squid installed on [server]:3000 .
This is back to front.
Squid should be the gateway listening on [server]:80, with the web
server listening on a private IP of the machine, also port 80 if
possible (ie localhost:80).
> The requirement is to ensure that any request to web server protected
> content (/FP/*) is redirected to a splash page (terms and conditions),
> accepted, then allowed. I've got most of the way, but the last bit
> doesn't work. This is on a private network.
>
> Squid config:
>
> http_port 3000 accel defaultsite=192.168.56.101
> cache_peer 127.0.0.1 parent 80 0 no-query originserver
>
>
> external_acl_type session ttl=3 concurrency=100 %SRC
> /usr/lib/squid/ext_session_acl -a -T 60
>
> acl session_login external session LOGIN
>
> external_acl_type session_active_def ttl=3 concurrency=100 %SRC
> /usr/lib/squid/ext_session_acl -a -T 60
>
Each of the above two external_acl_type definitions runs different
helper instances. Since you have not defined an on-disk database that
they share, the session data will be stored in memory for whichever one
is starting the sessions, but inaccessible to the one checking if a
session exists.
> acl session_is_active external session_active_def
>
What you should have is exactly *1* external_acl_type directive, used by
two different acl directives.
Like so:
external_acl_type session ttl=3 concurrency=100 %SRC
/usr/lib/squid/ext_session_acl -a -T 60
acl session_login external session LOGIN
acl session_is_active external session
> acl accepted_url url_regex -i accepted.html.*
> acl splash_url url_regex -i ^http://192.168.56.101:3000/splash.html$
> acl protected url_regex FP.*
Regex has implicit .* before and after every pattern unless a ^ or $
anchor is specified. You do not have to write the .*
Also, according to your policy description that last pattern should be
matching path prefix "/FP" not any URL containing "FP".
>
> http_access allow splash_url
> http_access allow accepted_url session_login
>
> http_access deny protected !session_is_active
>
> deny_info http://192.168.56.101:3000/splash.html session_is_active
It is best to use splash.html as a static page delivered in place of the
access denied page:
deny_info splash.html session_is_active
then have the ToC accept button URL be the one which begins the session.
So stitching the above changes into your squid.conf you should have this:
http_port 192.168.56.101:80 accel defaultsite=192.168.56.101
cache_peer 127.0.0.1 parent 80 0 no-query originserver
external_acl_type session ttl=3 concurrency=100 %SRC
/usr/lib/squid/ext_session_acl -a -T 60
acl session_login external session LOGIN
acl session_is_active external session
deny_info /etc/squid/splash.html session_is_active
acl accepted_url urlpath_regex -i accepted.html$
acl splash_url url_regex -i ^http://192.168.56.101/splash.html$
acl protected urlpath_regex ^/FP
http_access allow splash_url
http_access allow accepted_url session_login
http_access deny protected !session_is_active
Amos
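As an added illustration (not part of Amos's reply or of Squid's own code), here is a small Python model of how Squid evaluates the corrected http_access lines above, with the ext_session_acl helper stubbed as an in-memory, per-%SRC table. It also keeps the original unanchored `FP.*` pattern beside the corrected `^/FP` one to show what the former over-matches. The client addresses, URLs and the fixed 60-second session lifetime are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

SESSION_TTL = 60   # models "-T 60" on the ext_session_acl helper
_sessions = {}     # %SRC -> time of LOGIN; one in-memory helper instance

def session_helper(src, args, now):
    """Model of ext_session_acl in active mode (-a): only LOGIN starts a
    session; a plain lookup reports whether one is still live. Assumes a
    fixed lifetime from LOGIN (a simplification of the real helper)."""
    if "LOGIN" in args:
        _sessions[src] = now
        return True
    started = _sessions.get(src)
    return started is not None and now - started < SESSION_TTL

def url_regex(pattern, flags=0):       # tested against the whole URL
    rx = re.compile(pattern, flags)
    return lambda req: rx.search(req["url"]) is not None

def urlpath_regex(pattern, flags=0):   # tested against the path only
    rx = re.compile(pattern, flags)
    return lambda req: rx.search(req["path"]) is not None

# ACL definitions from the corrected squid.conf
ACLS = {
    "splash_url": url_regex(r"^http://192.168.56.101/splash.html$", re.I),
    "accepted_url": urlpath_regex(r"accepted.html$", re.I),
    "protected": urlpath_regex(r"^/FP"),
    "session_login": lambda r: session_helper(r["src"], ["LOGIN"], r["now"]),
    "session_is_active": lambda r: session_helper(r["src"], [], r["now"]),
}
ORIGINAL_PROTECTED = url_regex(r"FP.*")   # the unanchored original, for contrast

# http_access lines in file order: all terms on a line must match (AND),
# the first matching line decides, and terms are tested left to right with
# short-circuit, so session_login (LOGIN) only fires on accepted_url hits.
HTTP_ACCESS = [
    ("allow", ["splash_url"]),
    ("allow", ["accepted_url", "session_login"]),
    ("deny", ["protected", "!session_is_active"]),
]

def http_access(src, url, now):
    req = {"src": src, "url": url, "path": urlsplit(url).path or "/", "now": now}
    for action, terms in HTTP_ACCESS:
        if all(ACLS[t.lstrip("!")](req) != t.startswith("!") for t in terms):
            return action
    # no line matched: Squid applies the opposite of the last line's action
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"

def original_protected_matches(url):
    return ORIGINAL_PROTECTED({"url": url})
```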
Received on Fri Jul 25 2014 - 11:31:06 MDT