Re: [squid-users] squid_session problem

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 10 Jul 2012 13:48:23 +1200

On 10.07.2012 13:18, Jack Black wrote:
> Hi.
>
> Has anyone successfully used squid, and the squid_session helper in
> order to force users of the proxy server to see a webpage (be
> redirected to it) at the beginning of each session?

Yes, many.

>
> After spending weeks trying to get this to work, I was finally
> successful using squid version 3.1.10 on CentOS. Unfortunately, I need
> it to work on Ubuntu Server 12.04 with squid version 3.1.19 instead,
> and doing exactly the same thing as I did in CentOS, this fails to
> work on the Ubuntu Server, and my /var/log/squid3/cache.log has a line
> similar to:
>
>> externalAclLookup: 'session' queue overload (ch=0x....)

HINT: "queue overload" - you are getting more requests per second than
the helper can reply to. Even with TTL > 0.

I'm a bit suspicious that with children=1 the queue is only 2 entries
long (not good), since it is based on number of helpers and seems not
to account for concurrency. The log message could be due to that, but
that would not allow requests past the splash page, quite the opposite
in fact.

>
> for every http request my client sends (so a lot of those lines). The
> client is forwarded through the squid proxy directly to the page they
> request every time, and the splash page is always ignored. Here are
> the relevant lines from squid.conf:
>
>> external_acl_type session ttl=300 negative_ttl=0 children=1 concurrency=200 %SRC /usr/lib/squid3/squid_session -t 900
>> acl session external session
>> http_access deny !session
>> deny_info http://example.com session
>
> Does anyone know the problem? Am I doing something wrong?
>
> Tal

Splash page is only at the beginning of a browsing "session". If their
requests are less than 900 seconds apart the existing session is
extended another 900 seconds from that time.

  * you are making a session based on any HTTP request made by that IP
address, so *all* software operating on the client machine can trigger
an HTTP request which extends the session or creates a new one.

  * it is common to have multiple software updaters active on the PC,
which use HTTP to fetch their updates. Some of those may be running
first and getting the splash page so the user never sees it.

  * it is common for browsers these days to do some form of CORS lookup
before starting a page fetch. If your splash page is what comes back to
that CORS request the naive security checks will fail and the website
they wanted will appear without anything showing up.

Any one of those, or none of them could be the problem.

Start with trying 3.1.19 on CentOS. Building it yourself from the
Ubuntu source package would be a good test to see if it is a change in
Squid over those 14 releases or something in the system.

Amos
Received on Tue Jul 10 2012 - 01:48:26 MDT
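
The session behaviour described in the reply above, as an added example that is not part of the original thread and is not the squid_session source: a simplified model of a session keyed on %SRC with a 900 second idle timeout, replayed over a constructed request timeline. The class, function names, client address and agent labels are hypothetical, and Squid's own ttl=300 result cache is not modelled.

```python
# Simplified model (assumption, not squid_session code): one session per
# client IP, first request of a session answers ERR (splash page), and
# every request restarts the idle timer, as with "-t 900".
IDLE_TIMEOUT = 900


class SessionModel:
    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.last_seen = {}  # client IP -> time of the last request seen

    def lookup(self, src, now):
        """Return 'OK' for a live session, 'ERR' when a new one starts."""
        last = self.last_seen.get(src)
        active = last is not None and (now - last) < self.idle_timeout
        self.last_seen[src] = now  # any request creates or extends the session
        return "OK" if active else "ERR"


def replay(requests, idle_timeout=IDLE_TIMEOUT):
    """Run (time, src, agent) tuples through the model in order."""
    model = SessionModel(idle_timeout)
    return [(t, agent, model.lookup(src, t)) for t, src, agent in requests]


def splash_recipients(requests, idle_timeout=IDLE_TIMEOUT):
    """Agents whose request was answered with the splash page."""
    return [agent for _, agent, result in replay(requests, idle_timeout)
            if result == "ERR"]


# Constructed timeline: one PC, a browser plus two background updaters.
SAMPLE = [
    (0,    "192.0.2.10", "os-updater"),   # first request from this IP
    (30,   "192.0.2.10", "browser"),
    (800,  "192.0.2.10", "os-updater"),
    (1600, "192.0.2.10", "browser"),      # 800 s since last request
    (2600, "192.0.2.10", "av-updater"),   # 1000 s idle, session expired
    (2610, "192.0.2.10", "browser"),
]

if __name__ == "__main__":
    for t, agent, result in replay(SAMPLE):
        print(f"t={t:>5}s  {agent:<11} {result}")
    print("splash page went to:", splash_recipients(SAMPLE))
```

In this timeline the browser never receives the splash page, because a background updater on the same IP always opens the session first.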
