Squid Web Cache wiki

Squid Web Cache documentation

πŸ”— Portal Splash Pages

πŸ”— Outline

Squid when acting as a web portal sometimes is required to present users with service-agreements, terms of access, advertising or other initial displays.

πŸ”— Browsing Sessions

This configuration redirects new visitors to an initial splash page then permits access for a configurable time before redisplaying it. Further visits during this period will extend their session. If the visitors disappears for longer than the session timeout any new request is redirected back to the splash page again and a new session started.

As of version 1.1 of the session helper, it is possible to use the β€œ-T” option instead of β€œ-t”. This gives a fixed timeout which will force the splash page to be displayed at regular intervals.

πŸ”— HTTP Status 511

Captive portal splash pages can confuse client software when it appears on intercepted traffic responses. The client software can confuse the splash page as a response from the intended origin server.

RFC 6585 defines an extension HTTP status code (511) passing the information back to the client software that the response is NOT from the origin and things may change in future (ie after any splash page login has been performed). Squid-3.2 and later can be configured to send this extension status code and a template splash page with the deny_info directive.

:information_source: Extension status codes cannot be sent by Squid older than 3.2 series. For older Squid you should use a redirect URL in the deny_info directive. |

πŸ”— Squid Configuration File - Simple Example

NOTE: in the examples below:

Squid-3.2 and later (session helper renamed and 511 status code with splash template):

# mind the wrap. this is one line:
external_acl_type splash_page ttl=60 concurrency=100 %SRC /usr/local/sbin/squid/ext_session_acl -t 7200 -b /var/lib/squid/session.db

acl existing_users external splash_page

deny_info 511:/etc/squid/splash.html existing_users

http_access deny !existing_users

πŸ”— Squid Configuration File - Active Mode

You may find that when using the example above that the splash page is not always displayed to users. That is because other processes on the user’s computer (such as automatic security updates) can reset the session counter, so it is that process rather than the user’s browsing which receives the splash screen.

The following configuration example adds in a url_regex rule to force the user to browse to a particular website before the session is reset. This example is for Squid-3.2 and later, but can be adapted for earlier versions.

# Set up the session helper in active mode. Mind the wrap - this is one line:
external_acl_type session concurrency=100 ttl=3 %SRC /usr/lib/squid3/ext_session_acl -a -T 10800 -b /var/lib/squid/session/

# Pass the LOGIN command to the session helper with this ACL
acl session_login external session LOGIN

# Normal session ACL as per simple example
acl session_is_active external session

# ACL to match URL
acl clicked_login_url url_regex -i a-url-that-must-match$

# First check for the login URL. If present, login session
http_access allow clicked_login_url session_login

# If we get here, URL not present, so renew session or deny request.
http_access deny !session_is_active

# Deny page to display
deny_info 511:/etc/squid/splash.html session_is_active

πŸ”— Configuration tweaks

:information_source: For more information please see ext_session_acl, external_acl_type, acl, deny_info, http_access

⚠️ Disclaimer: Any example presented here is provided "as-is" with no support
or guarantee of suitability. If you have any further questions about
these examples please email the squid-users mailing list.

Categories: ConfigExample

Navigation: Site Search, Site Pages, Categories, πŸ”Ό go up