[squid-users] delay on session acceptance with AUP redirection

2010-04-01 Thread Johnson, S
I've got one of my squid/dansguardian boxes configured for transparent proxy 
using an AUP to authorize the connection.  What happens is the AUP shows, the 
user clicks on the accept link (which is just a URL forward to where they were 
originally going) then it drops them right back into the AUP.  A session was 
never being created for the user (or so I thought).

In the logs I can see the 302 denied show which causes the redirection:
01/Apr/2010,14:38:53, 0,192.168.80.245,TCP_DENIED/302,421,GET,http://www.yahoo.com/,-,NONE/-,text/html

This should be easy to troubleshoot, however in working on this issue I 
discovered that if I click on the Accept AUP policy link 3 or 4 times then it 
eventually gives me the green light and sets up a session for me.  Then 
browsing from there on out is ok.  I thought I had the problem resolved a few 
times but discovered that it wasn't after a few other people tried it out.

This is my squid.conf


acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl to_localbox dst 192.168.80.5/32
acl mywebserver dst 34.8.132.1/32  # this is my local web server

follow_x_forwarded_for allow localhost
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on


external_acl_type session ttl=300 children=20 negative_ttl=10  concurrency=200 %SRC /usr/lib/squid/squid_session -t 1800

acl session external session

acl localnet src 192.168.80.0/23 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443     # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591     # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#  TAG: http_access
http_access allow mywebserver
http_access allow to_localbox
deny_info http://192.168.80.5/index.php?url=%s session
http_access allow session
http_access deny !session
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports



Re: [squid-users] delay on session acceptance with AUP redirection

2010-04-01 Thread Henrik Nordström
Thu 2010-04-01 at 15:02 -0500, Johnson, S wrote:

> external_acl_type session ttl=300 children=20 negative_ttl=10  concurrency=200 %SRC /usr/lib/squid/squid_session -t 1800

There should only be one child for squid_session. Having more than 1
child will give confusing results as each child keeps its own
session database.

Also you want a much lower negative_ttl, or the user needs to wait for 10
seconds before clicking the accept button.

Regards
Henrik
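
Added example, not part of the thread and not Squid or squid_session code: a toy model of the two effects described in the reply above, per-child session tables and cached denials. It assumes the helper runs in passive mode (a source's first lookup is denied and recorded), uses a constructed dispatch order, and takes negative_ttl=0 as an assumed value for "much lower".

```python
from itertools import cycle

class SessionChild:
    """One squid_session child; assumed passive mode (first lookup denied)."""
    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.last_seen = {}          # private to this child, never shared

    def lookup(self, src, now):
        seen = self.last_seen.get(src)
        self.last_seen[src] = now    # every lookup refreshes the session
        return seen is not None and now - seen <= self.idle_timeout

class ExternalAcl:
    """Squid side: verdict cache (ttl / negative_ttl) in front of the children."""
    def __init__(self, children, ttl, negative_ttl, dispatch, idle_timeout=1800):
        self.children = [SessionChild(idle_timeout) for _ in range(children)]
        self.ttl, self.negative_ttl = ttl, negative_ttl
        self.dispatch = cycle(dispatch)  # constructed order of child indices
        self.cache = {}                  # src -> (verdict, expires_at)

    def check(self, src, now):
        cached = self.cache.get(src)
        if cached and now < cached[1]:
            return cached[0]             # served from cache, no child asked
        child = self.children[next(self.dispatch) % len(self.children)]
        ok = child.lookup(src, now)
        self.cache[src] = (ok, now + (self.ttl if ok else self.negative_ttl))
        return ok

def clicks_until_allowed(acl, src, interval, max_clicks=50):
    """Request at t=0 shows the AUP; return how many Accept clicks it takes."""
    acl.check(src, 0)
    for click in range(1, max_clicks + 1):
        if acl.check(src, click * interval):
            return click
    return None

SRC = "192.168.80.245"        # client address from the log line above
ORDER = [0, 3, 7, 3, 0, 7]    # constructed: which child answers each lookup

if __name__ == "__main__":
    cases = {"posted (children=20, negative_ttl=10)": (20, 10),
             "children=1, negative_ttl=10": (1, 10),
             "children=1, negative_ttl=0 (assumed value)": (1, 0)}
    for name, (children, neg) in cases.items():
        acl = ExternalAcl(children, 300, neg, ORDER)
        print(name, "->", clicks_until_allowed(acl, SRC, interval=2), "clicks")
```

With clicks 10 seconds apart the posted settings need 3 clicks under this dispatch order, because the session only counts once a child sees the same source a second time.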



RE: [squid-users] delay on session acceptance with AUP redirection

2010-04-01 Thread Johnson, S
Thank you!
