Re: [squid-users] Public access catalog in a library - eek!

From: Brett Charbeneau <[email protected]>
Date: Wed, 20 Nov 2002 10:53:14 -0500 (EST)

        Thanks for the reply, Henrik!

On 19 Nov 2002, Henrik Nordstrom wrote:

> This defenitely smells like a broken web server keeping track of
> sessions solely based on the source IP address of the user. For such
> brokenness there is no help other than not using a proxy and each user
> having a unique public IP address.

        I thought this too, so I brought one of my clients out from behind
a NAT'd firewall and the problem persisted.

> But it might also be a broken web server who do not properly mark
> private content as such. For this kind of brokenness the no_cache
> directive in squid.conf can be used to deny caching of the site.

        Distinct possibility there.

> Note: You cannot tell Squid to route directly. If you want your clients
> to bypass Squid then you need to configure your clients to not use Squid
> for the requested domain. Squid can only decide on how Squid will
> forward (or deny) the request once it has reached Squid.

        Right: I ended up using "Personal Web Browser" on my clients - a
sort of front end for Internet Explorer:

                http://teamsoftware.bizland.com/

        This allowed me to make the required "ProxyOverride" key change in

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings

and

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet
Settings

        via the Personal Web Browser .ini file - which I have located on a
SAMBA server. =8^)
        I highly recommend this browser/front end for anyone who needs to
control lots of client settings from one location!

Brett Charbeneau, Network Administrator Tel: 757-259-7750
Williamsburg Regional Library FAX: 757-259-7798
7770 Croaker Road brett@wrl.org
Williamsburg, VA 23188-7064 http://www.wrl.org

> tis 2002-11-19 klockan 18.14 skrev Brett Charbeneau:
> > Gang,
> >
> > Many thanks in advance to anyone who can find the time to respond
> > to my quandry!
> > I'm running the RPM version of squid-2.4.STABLE6-6.7.0
> > and using squidGuard-1.1.4-11mdk as a redirect program on a RedHat 7.2
> > box with kernel 2.2.20.
> > We recently moved to a web version of out online catalog and we're
> > experiencing a weird problem with patron user accounts. Our catalog is
> > here, for the curious:
> >
> > http://catalog.wrl.org
> >
> > When a patron successfully logs into their account on one of our
> > clients (routed through Squid) they can then walk over to any *other* of
> > our clients and click on the "My Account" icon and see their account
> > information. This is true across subnets and for any client using Squid as
> > a proxy.
> > This migrating login freaks staff and patrons out in this age of
> > Big Brother.
> > The catalog product, called iPac from "epixtech", is only in
> > version 2.02 and purports to work with all "fully compliant HTTP 1.1
> > proxies".
> > Okay, fine.
> > I've set up my Squid box - I think - to route all requestes
> > destined for our catalog *directly* to the catalog server and we've still
> > got this issue. I've included the non-commented part of my squid.conf file
> > below.
> > If someone could take a peek at this and tell me if I'm goobering
> > the config so bad that Squid is still caching the cookie/token/whatever
> > that marks a patron session, I sure would be grateful.
> > Thank you very much for any help you can offer!
> >
> > Brett Charbeneau, Network Administrator Tel: 757-259-7750
> > Williamsburg Regional Library FAX: 757-259-7798
> > 7770 Croaker Road brett@wrl.org
> > Williamsburg, VA 23188-7064 http://www.wrl.org
> >
> >
> > cache_dir ufs /var/spool/squid 60000 16 256
> > log_fqdn off
> > redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern . 0 20% 4320
> > acl all src 0.0.0.0/0.0.0.0
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl allowed_hosts src 192.168.7.0/255.255.255.128
> > acl allowed_hosts src 192.168.7.128/255.255.255.128
> > acl SSL_ports port 443 563
> > acl Safe_ports port 80 21 443 563 70 210 1025-65535
> > acl CONNECT method CONNECT
> > http_access allow manager localhost
> > http_access allow allowed_hosts
> > http_access deny manager
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost
> > http_access deny all
> > icp_access allow all
> > miss_access allow all
> > append_domain .wrl.org
> > forwarded_for on
> > acl local-servers dstdomain .catalog.wrl.org
> > no_cache deny local-servers
> > always_direct allow local-servers
> >
>
>
Received on Thu Nov 21 2002 - 09:53:16 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:11:28 MST