[squid-users] delay on session acceptance with AUP redirection

From: Johnson, S <sjohnson_at_edina.k12.mn.us>
Date: Thu, 1 Apr 2010 15:02:41 -0500

I've got one of my squid/dansguardian boxes configured for transparent proxy using an AUP to "authorize" the connection.  What happens is the AUP shows, the user clicks on the accept link (which is just a URL forward to where they were originally going) then it drops them right back into the AUP. A session was never being created for the user (or so I thought).

In the logs I can see the 302 denied show which causes the redirection:
01/Apr/2010,14:38:53,     0,192.168.80.245,TCP_DENIED/302,421,GET,http://www.yahoo.com/,-,NONE/-,text/html

This should be easy to troubleshoot, however in working on this issue I discovered that if I click on the "Accept AUP policy" link 3 or 4 times then it eventually gives me the green light and sets up a session for me.  Then browsing from there on out is ok.  I thought I had the problem resolved a few times but discovered that it wasn't after a few other people tried it out.

This is my squid.conf

# Excerpt of a squid.conf that gates all browsing behind an AUP "session":
# clients without a session are redirected (302) to an acceptance page.
# NOTE(review): manager, localhost, to_localhost and localnet are defined here
# but only localhost is referenced in the lines shown; in particular no rule
# shown limits access to localnet sources - confirm the full file does.
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl to_localbox dst 192.168.80.5/32
acl mywebserver dst 34.8.132.1/32              # this is my local web server

# Trust X-Forwarded-For only from requests arriving from 127.0.0.1, and use
# that forwarded address for ACL matching, delay pools and logging.
# presumably DansGuardian runs on this box and hands requests to Squid - confirm
follow_x_forwarded_for allow localhost
acl_uses_indirect_client on
delay_pool_uses_indirect_client on
log_uses_indirect_client on

# Session helper keyed on %SRC (client address only). Positive answers are
# cached for ttl=300 s and negative answers for negative_ttl=10 s, so a client
# that was just denied can keep being denied from cache for up to 10 s.
# NOTE(review): no -b database path is passed to squid_session; as far as I
# know the helper then keeps sessions in memory per process, so with
# children=20 a session recorded by one child may be unknown to the others -
# that would fit "works after 3 or 4 clicks". Confirm against the helper's
# documentation for this Squid version.
# NOTE(review): verify that %SRC is the real client address and not 127.0.0.1
# when requests arrive via the local filter; otherwise all users share one key.
# NOTE(review): an address-keyed session records acceptance, it does not
# authenticate anyone: whoever next uses that address (NAT, DHCP reuse) within
# the -t 1800 timeout inherits it.
external_acl_type session ttl=300 children=20 negative_ttl=10  concurrency=200 %SRC /usr/lib/squid/squid_session -t 1800

acl session external session

acl localnet src 192.168.80.0/23 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#  TAG: http_access
# http_access rules are evaluated top to bottom and the first match decides.
# The two destination allows below let any client reach the web server and the
# AUP host without a session, and they are matched before any port check.
http_access allow mywebserver
http_access allow to_localbox
# Clients denied by the session ACL are redirected to the AUP page; %s carries
# the originally requested URL.
# NOTE(review): that url value is client-supplied; index.php is not shown here,
# so confirm it validates and encodes the value before forwarding to it.
deny_info http://192.168.80.5/index.php?url=%s session
# NOTE(review): "allow session" followed by "deny !session" together match
# every request, so the Safe_ports and CONNECT denies below are never reached.
# Port restrictions only take effect if they are placed above the allow rules.
http_access allow session
http_access deny !session
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
Received on Thu Apr 01 2010 - 20:02:43 MDT
