Squid & squid_session

Hi All,

Hopefully someone can help! I am using squid Version 3.0.STABLE20 with squid_session. Squid_session config in squid.conf is as follows:

    external_acl_type session ttl=300 negative_ttl=0 children=1 concurrency=200 %SRC /usr/local/squid/libexec/squid_session -t 360
    acl session external session
    http_access deny !session
    deny_info http://some.url.com session

I have some remote sites all using this squid server as a transparent proxy, i.e. no config on the end user's PC!

Now, the remote sites are all free wifi sites, so the wireless router has a routable static IP and then clients are assigned a 10.0.0.x private IP behind the wireless router.

When the first user of the day connects to the free wifi service they are presented with the webpage as specified in deny_info; however, the second user to connect is allowed straight onto the internet! The page is only displayed again if the connection has not been used by anyone for 5+ mins; however, 6 people may all connect at the same time and only one of them will see the splash page!

My question is, without using routed static IPs at each site, is it possible to have squid detect the different end users at each site?

Any help is greatly appreciated.

Thanks in advance
Adam

Re: Squid & squid_session

Mon 2009-11-02 at 16:07 +0000, Adam Binks wrote:

> My question is, without using routed static IPs at each site, is it
> possible to have squid detect the different end users at each site?

Only if you figure out some other means of differentiating the users at the TCP/IP level. I don't.

Regards
Henrik

Re: Squid & squid_session

Henrik Nordstrom wrote:

> Mon 2009-11-02 at 16:07 +0000, Adam Binks wrote:
>
>> My question is, without using routed static IPs at each site, is it
>> possible to have squid detect the different end users at each site?
>
> Only if you figure out some other means of differentiating the users at
> the TCP/IP level. I don't.
>

I had to get around this in the Treehouse wireless POP sites by carefully locating and purchasing only wireless devices that could bridge or route packets between the clients' machines and the gateway Squid box without involving NAT.

This has placed great limits on the suppliers we can purchase from, and not exactly cheap pricing, but enables plug-n-play wireless captive portals to be set up relatively easily.

... and before you ask. No, I'm not able to give out any further config info without a paid contract signing your sites up as Treehouse Networks POP ;)

/shameless plug.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
  Current Beta Squid 3.1.0.14

RE: Squid & squid_session

Henrik Hi,

Thanks for your reply.

>>external_acl_type session ttl=0 negative_ttl=0 children=10 concurrency=200 %SRC /usr/local/squid/libexec/squid_session -t 30

I assume the %SRC variable in the above string is what the session is based on.

Is there a way to add some other uniqueness or variable to allow squid to differentiate between the real end users?

Cheers
Adam

-----Original Message-----
From: Henrik Nordstrom [mailto:henrik@...]
Sent: 03 November 2009 01:53
To: Adam Binks
Cc: squid-users@...
Subject: Re: [squid-users] Squid & squid_session

Mon 2009-11-02 at 16:07 +0000, Adam Binks wrote:

> My question is, without using routed static IPs at each site, is it
> possible to have squid detect the different end users at each site?

Only if you figure out some other means of differentiating the users at the TCP/IP level. I don't.

Regards
Henrik

RE: Squid & squid_session

Tue 2009-11-03 at 09:55 +0000, Adam Binks wrote:

> >>external_acl_type session ttl=0 negative_ttl=0 children=10 concurrency=200 %SRC /usr/local/squid/libexec/squid_session -t 30
>
> I assume the %SRC variable in the above string is what the session is based on.
>
> Is there a way to add some other uniqueness or variable to allow squid to differentiate between the real end users?

The problem is that the NAT removes the available per-user uniqueness, making them all look the same to Squid.

So only if you could figure out what that uniqueness would be. Needs to be something that uniquely identifies the user to Squid.

%SRC (client source IP) is used in the example for squid_session, as this is easily identified as a unique identifier in non-NAT:ed client station networks.

Regards
Henrik

RE: Squid & squid_session

Ok... so would it be possible to also pass the %SRCPORT variable to squid_session in addition to %SRC as this will probably be unique in most cases?

Thanks
Adam

-----Original Message-----
From: Henrik Nordstrom [mailto:henrik@...]
Sent: 03 November 2009 11:44
To: Adam Binks
Cc: squid-users@...
Subject: RE: [squid-users] Squid & squid_session

Tue 2009-11-03 at 09:55 +0000, Adam Binks wrote:

> >>external_acl_type session ttl=0 negative_ttl=0 children=10 concurrency=200 %SRC /usr/local/squid/libexec/squid_session -t 30
>
> I assume the %SRC variable in the above string is what the session is based on.
>
> Is there a way to add some other uniqueness or variable to allow squid to differentiate between the real end users?

The problem is that the NAT removes the available per-user uniqueness, making them all look the same to Squid.

So only if you could figure out what that uniqueness would be. Needs to be something that uniquely identifies the user to Squid.

%SRC (client source IP) is used in the example for squid_session, as this is easily identified as a unique identifier in non-NAT:ed client station networks.

Regards
Henrik

RE: Squid & squid_session

Tue 2009-11-03 at 13:12 +0000, Adam Binks wrote:

> Ok... so would it be possible to also pass the %SRCPORT variable to
> squid_session in addition to %SRC as this will probably be unique in
> most cases?

You could, but that would be almost unique per request, still not identifying a user.

Regards
Henrik
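
The behaviour discussed in this thread, as an added example that is not part of any post above and is not squid_session's own code: a simplified model of a passive session helper, run over constructed traffic from three users behind one NAT router, counting how many splash pages each real user sees when the session key is %SRC versus %SRC plus %SRCPORT. The user names, the 203.0.113.10 address, the ports and the `SessionTable` class are assumptions made for the illustration.

```python
# Simplified model of a passive session helper (not the squid_session source):
# an unknown or expired key gets ERR (Squid then serves the deny_info splash
# page) and a session is started; a live key gets OK and its timer is refreshed.
class SessionTable:
    def __init__(self, timeout):
        self.timeout = timeout      # seconds, like "-t 360" in the first post
        self.last_seen = {}         # session key -> time of last request

    def check(self, key, now):
        seen = self.last_seen.get(key)
        self.last_seen[key] = now
        if seen is not None and now - seen <= self.timeout:
            return "OK"
        return "ERR"

# Constructed sample traffic: (time_s, real_user, src_ip_seen_by_squid, src_port).
# All three users sit behind one NAT router, so Squid sees a single source IP;
# each new TCP connection leaves the router with a fresh source port.
NAT_IP = "203.0.113.10"
REQUESTS = [
    (0,  "alice", NAT_IP, 40001),
    (5,  "bob",   NAT_IP, 40002),
    (9,  "carol", NAT_IP, 40003),
    (12, "alice", NAT_IP, 40004),
    (20, "bob",   NAT_IP, 40005),
    (31, "alice", NAT_IP, 40006),
]

def splash_counts(key_fn, timeout=360):
    """Return {real_user: splash pages seen} for a given session key function."""
    table = SessionTable(timeout)
    counts = {}
    for now, user, ip, port in REQUESTS:
        counts.setdefault(user, 0)
        if table.check(key_fn(ip, port), now) == "ERR":
            counts[user] += 1
    return counts

def by_src(ip, port):            # models a key built from %SRC only
    return ip

def by_src_and_port(ip, port):   # models a key built from %SRC %SRCPORT
    return f"{ip} {port}"

if __name__ == "__main__":
    print("%SRC          :", splash_counts(by_src))
    print("%SRC %SRCPORT :", splash_counts(by_src_and_port))
```

With the %SRC key only the first user behind the router is challenged; with the port added, every new connection is a new session, so the key tracks connections rather than people.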