[squid-users] NOTICE: Authentication not applicable on intercepted requests.
Alex Rousskov
rousskov at measurement-factory.com
Fri Jul 1 05:45:05 UTC 2016
On 06/30/2016 01:19 PM, Eugene M. Zheganin wrote:
> On 30.06.2016 17:04, Amos Jeffries wrote:
>> Use a myportname ACL to prevent Squid attempting impossible things like
>> authentication on intercepted traffic.
> Sorry, but I still didn't get the idea. I have one port that squid is
> configured to intercept traffic on, and another for plain proxy
> requests.
That is OK/normal, of course.
> How do I tell squid not to authenticate anyone on the intercept one?
By making your authentication rules port-specific. Squid does not
authenticate by default so you are explicitly telling it to authenticate
[some] users. You need to adjust those rules to exclude intercepted
transactions.
> From what I know, squid will send the authentication
> sequence as soon as it encounters the authentication-related ACL in the
> ACL list for the request given. Do have to add myportname ACL with
> non-intercepting port for all the occurences of the auth-enabled ACLs,
> or may be there's a simplier way ?
I do not think there is. We could, in theory, [add an option to] ignore
authentication-related ACLs when dealing with intercepted transactions,
but I am not sure that doing so would actually solve more problems than
it will create.
Please note that, in many cases, your myportname ACLs can go at the very
beginning of the authentication-sensitive rules to exclude intercepted
transactions -- you may not have to prefix each auth-enabled ACL
individually (because none of them will be reached after early
myportname ACL guards).
HTH,
Alex.
More information about the squid-users
mailing list