[squid-users] Ipv6 error
info at schroeffu.ch
info at schroeffu.ch
Fri Nov 9 08:37:06 UTC 2018
> FYI: By placing that "all" ACL (or any other non-authentication ACL) at
> the end of your access line you are currently making Squid *not* fetch
> credentials from users.
>
> If the UA/Browser is so insecurely configured that it broadcasts user
> credentials out to the network without being asked for them your above
> config would _appear_ to work, but that insecurity is a different
> problem on its own.
>
> Amos
Oh ok I see, thanks, will change that of course
> transaction_initiator internal
>
> Alex.
Perfect, thats the acl i was looking for, I didn't know that it exists.
So I changed my configuration and finally it fetchs now the intermediate certifications before an authentication is requried:
#Allow fetch intermediate certs before required authentication
acl fetched_certificate transaction_initiator certificate-fetching
cache allow fetched_certificate
cache deny all
http_access allow fetched_certificate
#Authentification is REQUIRED
acl Authenticated_Users proxy_auth REQUIRED
http_access deny !Authenticated_Users
It also does cache them, as described here:
http://lists.squid-cache.org/pipermail/squid-dev/2017-June/008800.html
Example Log:
1541752564.411 0 172.16.5.15 TCP_DENIED/407 4638 CONNECT bugs.squid-cache.org:443 - HIER_NONE/- text/html
1541752564.702 2 - TCP_MEM_HIT/200 1174 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- application/pkix-cert
1541752564.834 421 172.16.5.15 NONE/200 0 CONNECT bugs.squid-cache.org:443 xxxx HIER_DIRECT/104.130.201.120 -
1541752567.031 2180 172.16.5.15 TCP_MISS/200 3875 GET https://bugs.squid-cache.org/index.cgi xxxx HIER_DIRECT/104.130.201.120 text/html
More information about the squid-users
mailing list