Craig wrote:
> I'm working on setting up squid_session to point users to an acceptable use
> policy before they are allowed to surf and I just want to get a sanity check
> on my config.
>
> According the man pages (http://linuxreviews.org/man/squid_session/) and
> several posts (i.e.
> http://www.mail-archive.com/squid-users@squid-cache.org/msg45599.html) found
> in this archive...
>
> I should have the following lines in the TAG acl section of squid.conf:
>
> external_acl_type session ttl=300 negative_ttl=0 children=1
> concurrency=200 %LOGIN /usr/lb/squid/squid_session
> acl session external session
>
> (note: /usr/lib/squid/ is the where squid_session was put when squid
> installed)
>
> Then in the TAG http_access section, I should have the following:
>
> http_access deny !session
>
But what else do you have? And in what order? The following wouldn't
work...
http_access allow my_net
http_access deny !session
... for someone in "my_net" as http_access processing exits on the
first match.
> And finally in the TAG deny_info section, I place the following line:
>
> deny_info http://your.server/bannerpage?url=%s session
>
> making sure that ?url=%s follows whatever url I put there for my AUP page.
>
?url=%s is an argument passed to "bannerpage" to allow the client to
continue surfing after accepting the AUP, so that sounds good.
Obviously it won't make a bit of difference when using a static banner page.
>
>
> However, the above settings did not force the test web client (configured to
> use the proxy) to view the url for the http://your.server/bannerpage page
> (currently a static web page to check functionality), so I changed the first
> line to be:
>
> external_acl_type session ttl=300 negative_ttl=0 children=1
> concurrency=200 %LOGIN /usr/local/squid/libexec/squid_session -a
>
This would never start a session. The "-a" argument requires a session
to be explicitly started and also allows a session to be explicitly
ended. This external_acl_type definition does not allow for that.
> (note the -a at the end)
> However, that just made the web client load the requested page really slow
> without loading the url I for the AUP.
>
Hmmm... If it's not pushing you to the AUP page, it shouldn't have any
effect on the transfer speed.
> I don't have a database set up, I was just going to let the memory hold the
> session details.
>
> Why isn't it redirecting to the AUP? Any suggestions? Am I missing
> something obvious?
>
Check the order of your http_access lines. Look for clues in your
cache.log.
> Thanks.
>
> Craig L. Bowser
> Information Assurance Manager
> -------------------------------
> To lead a symphony You must occasionally turn your back on the crowd. -
> Anonymous
>
>
Chris
Received on Fri Dec 28 2007 - 15:27:05 MST
This archive was generated by hypermail pre-2.1.9 : Tue Jan 01 2008 - 12:00:02 MST