[squid-users] squid_session: just first redirect works - trying to understand how it works

From: <casfre_at_gmail.com>
Date: Tue, 14 Apr 2009 18:35:24 -0300

Hi,

I am trying to "debug" my configuration to get squid_session working.
I am following a recent thread about this issue, but couldn't solve my
problem yet. I read some old threads, but, if I didn't miss
something, my config is as expected.

I based my config lines on the squid_session.8 man page.

My main question is: will a directive like "http_access deny
somehosts !session" work as I explained here?

Explanation (squid-2.7.STABLE6):
============================

excerpt from squid.conf:
----------------------------------

external_acl_type session ttl=300 negative_ttl=0 children=1 concurrency=200 %LOGIN /usr/libexec/squid_session -t 3600 -b /squidlogs/var/session.db
acl session external session
http_access deny somehosts !session
deny_info http://anotherhost/rules/?obs=001&url=%s session

Lines are in this order. There is a "proxy_auth REQUIRED" before
session ACLs. There is not any "allow" directive before "http_access
deny somehosts !session", just denies.

Each "deny" directive is associated with a "deny_info" directive.

The location "http://anotherhost/rules/?obs=001&url=%s session" just
shows a message (plain/html text) with a "click here" link (%s) and
shows the value of $obs.

"somehosts" refers to "acl somehosts src "/etc/squid/somehosts.txt",
where somehosts.txt has a line such as 192.168.1.0/24 .

Squid is asking for user/password. Everything is working as expected,
except for squid_session.

What I want/understood:
====================

-First time a user logs in (let's say it is joebob) AND if it is coming
from "somehosts", squid starts a session and redirects to indicated
location (deny_info);

-While session does not time out ( 1 hour = 3600s ), user will not
get redirected. After the timeout period, user gets redirected again
IF it is coming from somehosts.

-If user joebob logs in from other hosts ( != somehosts ), a session
is started (or updated) BUT it will not get redirected. If the session
is not updated/created, in this situation, there is no problem, but it
is important that user does __not__ get redirected, even if the
session has timed out.

-If joebob keeps using internet, so, at each hour (3600s approx.) it
would be redirected again (sure, it keeps coming from somehosts). If
joebob stops using internet and comes back later and session has timed
out and if it is coming from "somehosts", so, it gets redirected as I
described.

-As I am using "-b /squidlogs/var/session.db" I can
shutdown/rotate/reconfigure squid and sessions will remain.

-As I am using %LOGIN, my session keys are the login names (joebob,
for example).

What I observed:
==============

-User gets a first redirect, but didn't get other redirects after
that. I tested with joebob and, using the same source IP, I didn't get
redirected for the rest of the day, even if I close my browser and log
in again or use another browser. I tested this coming from the same
src IP I got redirected once.

-I asked other users to do the test, but they got just the first
redirect too.

-/squidlogs/var/session.db is populated when I use "-k reconfigure",
so it is working. Using some perl code from internet, I could read
session.db, but I just could read the first field (logins, such as
joebob). The second field appears like "#çäI", but users in this file
are the ones using "somehosts", so, I imagine that "... somehosts
!session" ACL is working.

That is it.

Please, help me to find what I missed (or misunderstood).

If someone can point me to man pages I missed, it would be great.

I tried to understand squid_session.c, but I can't "speak" C language. :-)

Thank you.

Best regards,

Cássio
Received on Tue Apr 14 2009 - 21:35:26 MDT
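
Added example, not part of the original message and not code from the Squid project: a small Python model of how the unreadable second field in session.db and the -t timeout can be read. It assumes the value is a raw 32-bit little-endian time_t, that the four characters quoted in the post are Latin-1 bytes, and that the helper refreshes a key's timestamp on every lookup (an idle timeout); SessionModel, decode_timestamp and demo are hypothetical names.

```python
import struct
from datetime import datetime, timezone

SESSION_TTL = 3600  # the "-t 3600" from the squid.conf excerpt


def decode_timestamp(raw: bytes) -> int:
    """Decode a session.db value, assumed to be a 32-bit little-endian time_t."""
    if len(raw) != 4:
        raise ValueError("expected a 4-byte value, got %d bytes" % len(raw))
    return struct.unpack("<I", raw)[0]


class SessionModel:
    """Assumed behaviour: every lookup rewrites the key's timestamp."""

    def __init__(self, ttl: int = SESSION_TTL):
        self.ttl = ttl
        self.db = {}  # session key (login name) -> last-seen epoch seconds

    def lookup(self, key: str, now: int) -> str:
        last = self.db.get(key)
        active = last is not None and last + self.ttl >= now
        # Written on both paths, so -t counts idle time, not time since
        # the first redirect.
        self.db[key] = now
        return "OK" if active else "ERR"


def demo():
    # The characters quoted in the post, "#çäI", as Latin-1 bytes (assumption).
    raw = b"#\xe7\xe4I"
    ts = decode_timestamp(raw)
    stamp = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

    model = SessionModel()
    # First request: no session yet, so ERR (deny + deny_info redirect).
    results = [model.lookup("joebob", ts)]
    # One request every 30 minutes for three hours: never idle for 3600s.
    results += [model.lookup("joebob", ts + 1800 * i) for i in range(1, 7)]
    # Silence for just over the TTL: the next request is ERR again.
    results.append(model.lookup("joebob", ts + 1800 * 6 + 3601))
    return ts, stamp, results


if __name__ == "__main__":
    print(demo())
```

Under these assumptions the quoted bytes decode to 2009-04-14 19:42:27 UTC, a little under two hours before the message's Date header, and a user who keeps browsing is never denied again until a full idle hour has passed.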
