[squid-users] question about : NOTICE: Authentication not applicable on intercepted requests. ( SOLVED )
Amos Jeffries
squid3 at treenet.co.nz
Thu Feb 16 23:12:48 UTC 2017
On 16/02/2017 3:38 a.m., L.P.H. van Belle wrote:
> If this one arrived in the list.
>
> This is solved, the wpad.dat was guiding me to the other proxy while my gateway was set to my new proxy.
>
> This happened at the policy refresh and I did not notice it.
>
> Sorry for the noise.
>
> But if you see anything that is incorrect, or can have a better setup, please let me know.
>
> I always like improvements.
>
"no_cache" is an alias of "cache". So you can remove the "no_cache" line
from your config entirely.
>
> Thanks
>
> Louis
>
> From: L.P.H. van Belle [mailto:belle at bazuin.nl]
> Sent: Wednesday 15 February 2017 10:54
> To: 'squid-users at squid-cache.org'
> Subject: question about : NOTICE: Authentication not applicable on intercepted requests.
>
> Hi,
>
> I'm configuring my Debian jessie with squid 3.5.24 (with ssl enabled), c-icap, squidclamav and winbind 4.5.5 for kerberos keytab refreshing.
>
> Now I'm at the point of reducing my logs and I noticed:
>
> NOTICE: Authentication not applicable on intercepted requests.
>
> messages in squid/cache.log
>
> I know this is some misconfiguration somewhere but I'm having a hard time finding/understanding it.
>
> Where and why, so if anyone can help me find and understand it, that would be very nice.
>
> I can't see my error and everything else is working fine, except I haven't tested the kerberos group acl yet.
>
> So I didn't set that http_access yet.
>
> I'm having the following firewall rules
>
> # Not authenticated web traffic, redirected to squid in intercept mode.
> -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 192.168.0.2:3128
> -A PREROUTING -p tcp -i eth0 --dport 443 -j DNAT --to-destination 192.168.0.2:3129
>
> Port 8080 is also open.
>
> Web traffic for PCs which are domain joined have the proxy set by GPO to hostname.domain.tld port 8080
>
> Web traffic for other devices doesn't need to authenticate.
>
> WPAD and DNS wpad is also set.
>
> Below is mostly from the updated wiki pages.
>
> A big thank you to Amos, Victor and others who changed the pages, it looks good.
>
> I have some small changes for a pure Debian based setup with samba4 as AD DC and winbind for the squid member server.
>
> This is my squid config.
>
> # Created from a running squid version : 3.5.24
> # Running os : Debian GNU/Linux 8 (jessie)
> # Creation date: 2017-02-15
>
> auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy2.internal.domain.tld@INTERNAL.DOMAIN.TLD --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
> auth_param negotiate children 10 startup=5 idle=5
> auth_param negotiate keep_alive on
> external_acl_type memberof ttl=3600 negative_ttl=3600 %LOGIN /usr/lib/squid3/ext_kerberos_ldap_group_acl -d -i -m 4 -g internet-allowed@INTERNAL.DOMAIN.TLD -N NTDOM@INTERNAL.DOMAIN.TLD -S dc1.internal.domain.tld@INTERNAL.DOMAIN.TLD -D INTERNAL.DOMAIN.TLD
> acl authenticated proxy_auth REQUIRED
>
> acl certificates rep_mime_type -i ^application/pkix-crl$
>
> acl windows-updates dstdomain "/etc/squid/lists/updates-windows"
> acl antivirus-updates dstdomain "/etc/squid/lists/updates-antivirus"
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
> acl localnet src 192.168.249.0/24 # Company-1
> acl localnet src 10.249.2.0/24 # Company-2
> acl localnet src 10.249.3.0/24 # Company-3
> acl localnet src 10.249.4.0/24 # Company-4
> acl localnet src 10.249.5.0/24 # Company-5
Small optimization here. You can configure the 10/8 lines as:
acl localnet src 10.249.2.0-10.249.5.0/24
That reduces 3 IP comparisons per request.
>
> acl SSL_ports port 443 # https
> acl SSL_ports port 3952 # CIC client
> acl SSL_ports port 10443 # https Cisco 5506x
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 3952 # CIC client
> acl Safe_ports port 10443 # https Cisco 5506x
Port numbers over 1024 are already included in the "unregistered ports"
entry. You can simplify by removing these last two lines of Safe_ports.
>
> acl CONNECT method CONNECT
>
> ## Added : Advertising Server Block List merge from YoYo.org and Host-file.net
> acl block-asbl dstdomain "/etc/squid/lists/block-asbl-merged-dstdomain"
> http_access deny block-asbl
>
> acl google_recaptcha urlpath_regex ^\/recaptcha\/api.js
> http_access allow google_recaptcha
>
> acl NO-CACHE-SITES url_regex "/etc/squid/lists/no-cache-sites"
> no_cache deny NO-CACHE-SITES
> always_direct allow NO-CACHE-SITES
> cache deny NO-CACHE-SITES
>
always_direct is only relevant when you are using a cache_peer. Which
you are not. So that can be removed.
"no_cache" is an old alias for "cache". So you can remove the "no_cache"
line entirely as well.
>
> #
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access deny to_localhost
>
> ## allow before auth so all pc's get the needed updates
> http_access allow windows-updates
> http_access allow antivirus-updates
>
> http_access allow authenticated
> http_access allow localnet
> http_access allow localhost
> http_access deny all
>
> http_port 192.168.249.222:3128 intercept connection-auth=off
> https_port 192.168.249.222:3129 intercept connection-auth=off ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/local/CAcert.pem options=NO_SSLv3 key=/etc/ssl/local/CAkey.pem
>
> http_port 192.168.249.222:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/local/CAcert.pem options=NO_SSLv3 key=/etc/ssl/local/CAkey.pem
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 8MB
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump bump all
> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> cache_mem 4096 MB
> coredump_dir /var/spool/squid
> ftp_user anonymousftp@domain.tld
>
> #
> refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
> refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
> refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
> refresh_pattern -i microsoft.com.akadns.net/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
> refresh_pattern -i deploy.akamaitechnologies.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
>
Squid can run through testing each refresh_pattern line against objects
at several different times where processing is performance-critical.
So you can gain some speed by:
a) manually merging the regex patterns where all the other parameters
are identical, and
b) sorting the refresh_pattern lines by most frequently used.
>
> ## todo, make this list more complete, see icap excludes
> refresh_pattern -i \.symantecliveupdate\.com\/.*\.(zip|7z|irn|[m|x][0-9][0-9]) 4320 100% 43200 reload-into-ims
> refresh_pattern -i .*dnl.*\.geo\.kaspersky\.(com|ru)\/.*\.(zip|avc|kdc|nhg|klz|d[at|if]) 4320 100% 43200 reload-into-ims
> refresh_pattern -i \.kaspersky-labs\.(com|ru)\/.*\.(cab|zip|exe|ms[i|p]) 4320 100% 43200 reload-into-ims
> refresh_pattern -i \.kaspersky\.(com|ru)\/.*\.(cab|zip|exe|ms[i|p]|avc) 4320 100% 43200 reload-into-ims
> refresh_pattern -i .update\.geo\.drweb\.com 4320 100% 43200 reload-into-ims
> refresh_pattern -i \.avast.com\/.*\.(vp[u|aa]) 4320 100% 43200 reload-into-ims
> refresh_pattern -i \.avg.com\/.*\.(bin) 4320 100% 43200 reload-into-ims
>
> ## todo, add .deb files caching
> refresh_pattern ^(ht|f)tp://.*debian.*/Packages\.(bz2|gz|diff/Index)$ 0 0% 0
> refresh_pattern ^(ht|f)tp://.*debian.*/Release(\.gpg)?$ 0 0% 0
> refresh_pattern ^(ht|f)tp://.*debian.*/Sources\.(bz2|gz|diff/Index)$ 0 0% 0
> refresh_pattern ^(ht|f)tp://.*debian.*/Translation-en_GB\.bz2$ 0 0% 0
>
Er. The min/max of 0 sets them to already expired _unless_
Cache-Controls exist and say otherwise. So if these lines do anything at
all it is to prevent caching of those objects.
Squid-3.5 should be handling the .deb and related things properly
nowadays, so you can probably remove those lines.
>
> ## The defaults as last.
> refresh_pattern -i \.(zip|[g|b]z2?|exe|ms[i|p]|cvd|cdiff|mar)$ 43200 100% 129600 reload-into-ims
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> cache_mgr changed2protectme@somedomain.tld
> mail_from proxy2@internal.domain.tld
> visible_hostname proxy2.internal.domain.tld
> hostname_aliases proxy2.internal.domain.tld
>
> httpd_suppress_version_string on
>
> icap_enable on
> icap_send_client_ip on
> icap_send_client_username on
> icap_client_username_header X-Authenticated-User
> icap_persistent_connections on
> icap_preview_enable on
> icap_preview_size 1024
> icap_service service_req reqmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
> adaptation_access service_req allow all
> icap_service service_resp respmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
> adaptation_access service_resp allow all
>
> dns_v4_first on
> maximum_object_size 4096 KB
> minimum_object_size 0 KB
> maximum_object_size_in_memory 64 KB
> cache_mem 256 MB
> quick_abort_min -1 KB
> fqdncache_size 4096
> cache_swap_low 90
> cache_swap_high 95
Things which are set to their default values can be removed from squid.conf.
Amos
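The cleanup points raised in this reply (the no_cache alias, always_direct without a cache_peer, Safe_ports entries already inside the 1025-65535 range, 0 0% 0 refresh_patterns that only force expiry, and directives left at their defaults) can be checked mechanically before reloading squid. The linter below is an added example, not code from the thread or from the Squid project; the config excerpt it scans is constructed from the squid.conf quoted above, and the default values in SQUID_DEFAULTS are assumed from the Squid 3.5 documentation.

```python
# Constructed excerpt of the squid.conf quoted in the thread (not the full file).
SAMPLE_CONF = r"""
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 3952 # CIC client
acl Safe_ports port 10443 # https Cisco 5506x
acl NO-CACHE-SITES url_regex "/etc/squid/lists/no-cache-sites"
no_cache deny NO-CACHE-SITES
always_direct allow NO-CACHE-SITES
cache deny NO-CACHE-SITES
refresh_pattern ^(ht|f)tp://.*debian.*/Release(\.gpg)?$ 0 0% 0
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
cache_swap_low 90
"""

# Assumed Squid 3.5 built-in defaults for directives the config repeats verbatim.
SQUID_DEFAULTS = {"cache_swap_low": "90", "cache_swap_high": "95", "cache_mem": "256 MB"}
STOCK_NOCACHE_REGEX = r"(/cgi-bin/|\?)"  # the stock 0 0% 0 line is intentional, not flagged

def parse(conf):
    """Yield (directive, args) per non-empty line; '#' comments are stripped."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            directive, *args = line.split()
            yield directive, args

def lint(conf):
    """Return a list of human-readable findings for the cleanup points above."""
    lines = list(parse(conf))
    has_peer = any(d == "cache_peer" for d, _ in lines)
    covered = {}  # acl name -> list of (lo, hi) port ranges seen so far
    findings = []
    for d, args in lines:
        if d == "acl" and len(args) >= 3 and args[1] == "port":
            name, spec = args[0], args[2]
            lo, _, hi = spec.partition("-")        # "3952" or "1025-65535"
            lo, hi = int(lo), int(hi or lo)
            if any(a <= lo and hi <= b for a, b in covered.get(name, [])):
                findings.append(f"acl {name} port {spec}: already inside an earlier range")
            covered.setdefault(name, []).append((lo, hi))
        elif d == "no_cache":
            findings.append("no_cache: alias of 'cache', drop it and keep the 'cache' line")
        elif d == "always_direct" and not has_peer:
            findings.append("always_direct: no effect without a cache_peer")
        elif d == "refresh_pattern" and args[-3:] == ["0", "0%", "0"] and args[-4] != STOCK_NOCACHE_REGEX:
            findings.append(f"refresh_pattern {args[-4]}: 0 0% 0 only forces expiry")
        elif d in SQUID_DEFAULTS and " ".join(args) == SQUID_DEFAULTS[d]:
            findings.append(f"{d} {SQUID_DEFAULTS[d]}: already the default")
    return findings
```

Run lint() over a full squid.conf read from disk; on the sample it reports the two redundant Safe_ports lines, no_cache, always_direct, the Debian refresh_pattern and cache_swap_low.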