Re: [squid-users] Public access catalog in a library - eek!

From: Henrik Nordstrom <[email protected]>
Date: 19 Nov 2002 18:45:39 +0100

This definitely smells like a broken web server keeping track of
sessions solely based on the source IP address of the user. For such
brokenness there is no help other than not using a proxy and each user
having a unique public IP address.

But it might also be a broken web server that does not properly mark
private content as such. For this kind of brokenness the no_cache
directive in squid.conf can be used to deny caching of the site.

Note: You cannot tell Squid to route directly. If you want your clients
to bypass Squid then you need to configure your clients to not use Squid
for the requested domain. Squid can only decide on how Squid will
forward (or deny) the request once it has reached Squid.

tis 2002-11-19 klockan 18.14 skrev Brett Charbeneau:
> Gang,
>
> Many thanks in advance to anyone who can find the time to respond
> to my quandary!
> I'm running the RPM version of squid-2.4.STABLE6-6.7.0
> and using squidGuard-1.1.4-11mdk as a redirect program on a RedHat 7.2
> box with kernel 2.2.20.
> We recently moved to a web version of our online catalog and we're
> experiencing a weird problem with patron user accounts. Our catalog is
> here, for the curious:
>
> http://catalog.wrl.org
>
> When a patron successfully logs into their account on one of our
> clients (routed through Squid) they can then walk over to any *other* of
> our clients and click on the "My Account" icon and see their account
> information. This is true across subnets and for any client using Squid as
> a proxy.
> This migrating login freaks staff and patrons out in this age of
> Big Brother.
> The catalog product, called iPac from "epixtech", is only in
> version 2.02 and purports to work with all "fully compliant HTTP 1.1
> proxies".
> Okay, fine.
> I've set up my Squid box - I think - to route all requests
> destined for our catalog *directly* to the catalog server and we've still
> got this issue. I've included the non-commented part of my squid.conf file
> below.
> If someone could take a peek at this and tell me if I'm goobering
> the config so badly that Squid is still caching the cookie/token/whatever
> that marks a patron session, I sure would be grateful.
> Thank you very much for any help you can offer!
>
> Brett Charbeneau, Network Administrator Tel: 757-259-7750
> Williamsburg Regional Library FAX: 757-259-7798
> 7770 Croaker Road brett@wrl.org
> Williamsburg, VA 23188-7064 http://www.wrl.org
>
>
> cache_dir ufs /var/spool/squid 60000 16 256
> log_fqdn off
> redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl allowed_hosts src 192.168.7.0/255.255.255.128
> acl allowed_hosts src 192.168.7.128/255.255.255.128
> acl SSL_ports port 443 563
> acl Safe_ports port 80 21 443 563 70 210 1025-65535
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access allow allowed_hosts
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access deny all
> icp_access allow all
> miss_access allow all
> append_domain .wrl.org
> forwarded_for on
> acl local-servers dstdomain .catalog.wrl.org
> no_cache deny local-servers
> always_direct allow local-servers
>
Received on Thu Nov 21 2002 - 09:27:54 MST
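An added example, not from this thread or from Squid, of the check behind the second diagnosis above: inspect a response from the site and see whether it looks per-user (sets a cookie) while carrying no Cache-Control marking that would keep a shared cache from storing it. The sample responses are constructed, the rule is a heuristic on HTTP/1.1 shared-cache semantics, and a hit means the site is a candidate for the no_cache deny treatment rather than proof of what a given Squid build would store.

```python
from typing import Dict, List, Tuple

# Directives that keep a shared cache such as Squid from storing the
# response or from reusing it without revalidation.
PRIVATE_DIRECTIVES = {"private", "no-store", "no-cache"}

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Raw response head (status line + headers) -> lowercased name -> values."""
    headers: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def cache_control_directives(headers: Dict[str, List[str]]) -> set:
    """Collect Cache-Control directive names, dropping any =value part."""
    names = set()
    for value in headers.get("cache-control", []):
        for token in value.split(","):
            names.add(token.strip().split("=", 1)[0].lower())
    return names

def audit_response(raw: str) -> Tuple[bool, str]:
    """Return (unsafe, reason): unsafe is True when the response sets a
    cookie (looks per-user) yet nothing stops a shared cache from storing
    it and handing it to the next client behind the same proxy."""
    h = parse_headers(raw)
    if "set-cookie" not in h:
        return False, "no Set-Cookie; response does not look per-user"
    marked = cache_control_directives(h) & PRIVATE_DIRECTIVES
    if marked:
        return False, "Set-Cookie but marked " + ", ".join(sorted(marked))
    if any(v.strip() == "*" for v in h.get("vary", [])):
        return False, "Set-Cookie but Vary: * blocks reuse"
    return True, "Set-Cookie with no private/no-store/no-cache: candidate for no_cache deny"

# Constructed sample responses; not captured from the real catalog server.
SAMPLE_UNMARKED = """HTTP/1.1 200 OK
Date: Tue, 19 Nov 2002 17:14:00 GMT
Set-Cookie: SESSIONID=constructed; path=/
Content-Type: text/html
"""
SAMPLE_MARKED = SAMPLE_UNMARKED + "Cache-Control: private, no-store\n"

if __name__ == "__main__":
    for label, sample in (("unmarked", SAMPLE_UNMARKED), ("marked", SAMPLE_MARKED)):
        unsafe, why = audit_response(sample)
        print(f"{label}: {'UNSAFE' if unsafe else 'ok'} ({why})")
```

A site that trips the unmarked case is the one Henrik's second diagnosis covers; the first (sessions keyed on source IP) shows nothing in the headers and only a test from two clients behind the same proxy reveals it.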

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:11:21 MST