On 16/10/17 07:17, Klaus Tachtler wrote:
Hi Amos,

after a little bit more testing, of course I must agree with you, it doesn't work as expected.

Please can you give me another advice? Where is my fault?

I tried to use the *ACTIVE* example from the squid documentation and modified it a little bit in 3 parts of the code, BUT a LOOP is still there!

https://wiki.squid-cache.org/ConfigExamples/Portal/Splash#Squid_Configuration_File_-_Active_Mode

--- code ---

# Set up the session helper in active mode. Mind the wrap - this is one line: - *MODIFIED* - (all in one line)
external_acl_type session concurrency=100 ttl=3 negative_ttl=0 children-max=1 %LOGIN /usr/lib64/squid/ext_session_acl -a -T 60 -b /var/lib/squid/sessions/

# Pass the LOGIN command to the session helper with this ACL
acl session_login external session LOGIN

# Normal session ACL as per simple example
acl session_is_active external session

# ACL to match URL - *MODIFIED* -
acl clicked_login_url url_regex -i http://my.pages.net/html/accept.php

# First check for the login URL. If present, login session
http_access allow clicked_login_url session_login

# If we get here, URL not present, so renew session or deny request.
http_access deny !session_is_active

# Deny page to display - *MODIFIED* - NOT using a template with HTML-Code 511!
deny_info http://my.pages.net/html/splash.php?url=%u session_is_active


Please double-check the caching related headers on both your custom URLs are set to make them non-cacheable. 302 is a weak substitute for 511 semantics, and requires caching headers to clearly and explicitly prevent caching *and* to be followed by the client or the system can break badly (which is why 511 was created).


Which exact version of Squid are you using? Some of the early v4 had issues with the format parameter changes which broke the active session mode for a while.


Also, be aware that since the helper API is *only* using %LOGIN, if any visitor happens to send a request for the clicked_login_url without credentials attached, they will make a logged-in session for anonymous access and the proxy becomes an 'open proxy' for any subsequent client requests from *anywhere* for 63 seconds. Things like that are why %SRC is usually used to make a session depend on things not as easily under client control - such as src-IP.


If those don't work I'm stuck as well. The wiki config examples are ones I used myself for many years before I moved to the sql_session helper.

Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
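
Added example, not part of the original thread or the Squid wiki: the quoted active-mode configuration with the session helper keyed on %SRC, as the reply suggests, instead of %LOGIN. Paths, URLs and timer values are copied from the quoted message; the commented 511 line uses an assumed template name, and the thread does not establish whether either change removes the redirect loop.

```conf
# Added example (not from the thread). Only the session key format
# code differs from the configuration quoted in the message.

# As posted: the session is keyed on %LOGIN, so a login-URL request that
# carries no credentials opens one shared "anonymous" session.
# external_acl_type session concurrency=100 ttl=3 negative_ttl=0 children-max=1 %LOGIN /usr/lib64/squid/ext_session_acl -a -T 60 -b /var/lib/squid/sessions/

# Keyed on the client source address: each client IP must itself request
# the login URL before its own session becomes active.
external_acl_type session concurrency=100 ttl=3 negative_ttl=0 children-max=1 %SRC /usr/lib64/squid/ext_session_acl -a -T 60 -b /var/lib/squid/sessions/

# Pass the LOGIN command to the session helper with this ACL
acl session_login external session LOGIN

# Normal session ACL
acl session_is_active external session

# URL that starts a session (unchanged from the quoted message)
acl clicked_login_url url_regex -i http://my.pages.net/html/accept.php

# Log the session in when the login URL is requested
http_access allow clicked_login_url session_login

# Otherwise renew the session or deny the request
http_access deny !session_is_active

# Splash redirect as posted (302). Both the splash and accept pages must
# send headers that make them non-cacheable, as the reply points out.
deny_info http://my.pages.net/html/splash.php?url=%u session_is_active

# Alternative with 511 semantics; "splash.html" is an assumed error
# template name, not one taken from the thread:
# deny_info 511:splash.html session_is_active
```

With %SRC, clients that share one source address (for example behind NAT) also share one session.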
