Re: [squid-users] Strange problem with squid

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 03 Feb 2014 22:35:34 +1300

On 3/02/2014 10:00 p.m., P K wrote:
> Hi,
>
> I've got a mysterious problem with Squid as reverse proxy and I would
> be grateful if someone could help me out. Basically, I use an external
> acl to validate the session id when someone accesses my site that is
> reverse proxied.
>
> ..snip..
>
> external_acl_type ext_session_page ttl=180 negative_ttl=0 %SRC %>{Cookie:;MYSESSIONID} /usr/bin/php /path/to/myvalidator.php
> acl user_session external ext_session_page
> http_access deny !user_session
> deny_info https://logon.domain.com/logon.php?url=%u user_session
>
> ..snip..
>
> My logon page logon.php creates a new session id and stores a cookie.
> When a user has successfully logged on, I redirect to his chosen site.
> Squid then validates the cookie using my external acl (OK or ERR).
> This works fine 99.5% of the time.
>
> But sometimes squid gets confused and sends the older session id (one
> before the current session id in deny_page) to my external acl which
> is really weird. As a result, the external acl keeps returning ERR.
> Then it sorts itself out. Or restarting squid sorts it out. What could
> be causing this? Is this a bug with squid? I've also noticed that it
> seems to happen at night around 9 PM ish.
>
> The logic is simple:
>
> 1. User visits the reverse proxied site (config not shown).
> 2. Squid checks the external acl to see if the cookie is valid.
> 3. If OK it lets it go to the site.
> 4. If ERR, logon.php is presented which creates a new session id and
> stores a cookie.
> 5. User logs on
> 6. If successful, logon.php redirects to the reverse proxied site. (At
> this point, external acl will be checked i.e. step 2. External acl
> will reply OK as the cookie is valid.)
> 7. If failed, logon.php does not redirect i.e. stays on deny_page.
>

What is the output of squid -v please?

How are you fooling the browser into sending the same Cookie for all
requests no matter what domain is being fetched?

Squid sends the ACL helper the Cookie header sub-string starting with
"MYSESSIONID=" in the request it receives. I suspect the browser is
sending stale Cookies.

Amos
Received on Mon Feb 03 2014 - 09:35:40 MST
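
An added example, not part of the original thread and not the poster's myvalidator.php: a minimal external ACL helper for the "%SRC %>{Cookie:;MYSESSIONID}" format in the quoted config, which logs a hash of each session id it receives so that a stale cookie arriving from the browser can be told apart from the current one. The session set is a constructed stand-in for the real session store; URL-escaped fields, "-" for a missing cookie, and helper stderr ending up in cache.log are assumptions about the Squid build in use.

```python
#!/usr/bin/env python3
"""External ACL helper sketch for: %SRC %>{Cookie:;MYSESSIONID}"""
import hashlib
import sys
from urllib.parse import unquote

COOKIE_NAME = "MYSESSIONID"              # cookie name from the posted config
VALID_SESSIONS = {"sess-current-0002"}   # constructed stand-in for the session store


def parse_request(line):
    """Split one request line into (client_ip, session_id or None)."""
    fields = line.strip().split(" ")
    if len(fields) != 2:
        return None, None
    src, token = fields[0], unquote(fields[1])   # assumption: fields are URL-escaped
    if token.startswith(COOKIE_NAME + "="):      # accept "name=value" or a bare value
        token = token[len(COOKIE_NAME) + 1:]
    if token in ("", "-"):                       # assumption: "-" means no cookie sent
        return src, None
    return src, token


def fingerprint(session_id):
    """Short hash so logs can distinguish sessions without storing the secret."""
    return hashlib.sha256(session_id.encode()).hexdigest()[:12]


def decide(line, valid_sessions=VALID_SESSIONS):
    """Return (reply, audit_record) for one request line."""
    src, sid = parse_request(line)
    if src is None:
        return "ERR", "malformed request"
    if sid is None:
        return "ERR", f"{src} no-cookie"
    reply = "OK" if sid in valid_sessions else "ERR"
    return reply, f"{src} sid#{fingerprint(sid)} {reply}"


def main():
    for line in sys.stdin:
        reply, audit = decide(line)
        print(audit, file=sys.stderr)   # assumption: helper stderr lands in cache.log
        print(reply, flush=True)        # one unbuffered reply line per request


if __name__ == "__main__":
    main()
```

Comparing the logged fingerprints across consecutive ERR replies shows whether the same old session id keeps arriving or a new one is being rejected.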
