[squid-users] question about : NOTICE: Authentication not applicable onintercepted requests.
Eliezer Croitoru
eliezer at ngtech.co.il
Mon Feb 20 21:44:15 UTC 2017
Hey,
What you see is not a misconfiguration in the general meaning.
Squid and any other proxy cannot authenticate without some kind of special
tricks on an Intercept mode and port.
There are products which offers transparently to hijack the web traffic and
authenticate with the windows credentials to the proxy.
These agents uses some proxy but the interception does on the client side
while the connection to the proxy is similar to a regular one(non
intercept).
There are technical options to "mark" connections or requests in some levels
that will satisfy your needs but needs to be built or published but I have
yet to see one of these.
One solution which I have seen does something that is close to such a thing
is "proxifier" [ https://www.proxifier.com].
I have seen couple other Chinese developments which are doing something
similar but yet to sit on their code to say I understand what they do.
Take a peek at
https://www.raymond.cc/blog/route-all-internet-software-and-game-connection-
through-open-proxy-servers/
This is the next best option for transparently hijack connections:
https://github.com/ambrop72/badvpn
Hope it Helps,
Eliezer
----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On
Behalf Of L.P.H. van Belle
Sent: Wednesday, February 15, 2017 11:54 AM
To: squid-users at squid-cache.org
Subject: [squid-users] question about : NOTICE: Authentication not
applicable onintercepted requests.
Hai,
In configuring my debian jessie with squid 3.5.24 ( with ssl enabled )
c-icap squidclamav and winbind 4.5.5 for kerberos keytab refresing.
Now, im at the point of reducing my logs and i nocited :
NOTICE: Authentication not applicable on intercepted requests.
Messages in squid/cache.log
I know this is some misconfiguration somewhere but im having a hardtime to
finding/understanding it.
Where and why, so is anyone can help me finding and understanding it, that
would be very nice.
I cant see my error and everything else is working fine, execept i havent
tested the kerberos group acl yet.
So i didnt set that http_access yet.
Im having the following firewall rules
# Not authenticated web traffice, redirected to squid in intercept mode.
-A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination
192.168.0.2:3128
-A PREROUTING -p tcp -i eth0 --dport 443 -j DNAT --to-destination
192.168.0.2:3129
Port 8080 is also open.
Web traffic for pc’s which are domain joint have set the proxy by GPO to
hostname.domain.tld port 8080
Web traffic for other devices dont need to authenticate.
WPAD and DNS wpad is also set.
Below is mostly from the updated wiki pages.
A big thank you to Amos Victor and others who changed the pages, looks good.
I have some small changed for a pure debian based setup with samba4 as addc
and winbind for the squid member server.
This is my squid config.
# Created from a running squid version : 3.5.24
# Running os : Debian GNU/Linux 8 (jessie)
# Creation date: 2017-02-15
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth
--kerberos /usr/lib/squid/negotiate_kerberos_auth -s
mailto:HTTP/proxy2.internal.domain.tld at INTERNAL.DOMAIN.TLD --ntlm
/usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
auth_param negotiate children 10 startup=5 idle=5
auth_param negotiate keep_alive on
external_acl_type memberof ttl=3600 negative_ttl=3600 %LOGIN
/usr/lib/squid3/ext_kerberos_ldap_group_acl -d -i -m 4 -g
mailto:internet-allowed at INTERNAL.DOMAIN.TLD -N
mailto:NTDOM at INTERNAL.DOMAIN.TLD -S
mailto:dc1.internal.domain.tld at INTERNAL.DOMAIN.TLD -D INTERNAL.DOMAIN.TLD
acl authenticated proxy_auth REQUIRED
acl certificates rep_mime_type -i ^application/pkix-crl$
acl windows-updates dstdomain "/etc/squid/lists/updates-windows"
acl antivirus-updates dstdomain "/etc/squid/lists/updates-antivirus"
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged)
machines
acl localnet src 192.168.249.0/24 # Company-1
acl localnet src 10.249.2.0/24 # Company-2
acl localnet src 10.249.3.0/24 # Company-3
acl localnet src 10.249.4.0/24 # Company-4
acl localnet src 10.249.5.0/24 # Company-5
acl SSL_ports port 443 # https
acl SSL_ports port 3952 # CIC client
acl SSL_ports port 10443 # https Cisco 5506x
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 3952 # CIC client
acl Safe_ports port 10443 # https Cisco 5506x
acl CONNECT method CONNECT
## Added : Advertising Server Block List merge from YoYo.org and
Host-file.net
acl block-asbl dstdomain "/etc/squid/lists/block-asbl-merged-dstdomain"
http_access deny block-asbl
acl google_recaptcha urlpath_regex ^\/recaptcha\/api.js
http_access allow google_recaptcha
acl NO-CACHE-SITES url_regex "/etc/squid/lists/no-cache-sites"
no_cache deny NO-CACHE-SITES
always_direct allow NO-CACHE-SITES
cache deny NO-CACHE-SITES
#
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
## allow before auth so all pc's get the needed updates
http_access allow windows-updates
http_access allow antivirus-updates
http_access allow authenticated
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 192.168.249.222:3128 intercept connection-auth=off
https_port 192.168.249.222:3129 intercept connection-auth=off ssl-bump
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
cert=/etc/ssl/local/CAcert.pem options=NO_SSLv3 key=/etc/ssl/local/CAkey.pem
http_port 192.168.249.222:8080 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/local/CAcert.pem
options=NO_SSLv3 key=/etc/ssl/local/CAkey.pem
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 8MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
sslproxy_cipher
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:E
ECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL
:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
cache_mem 4096 MB
coredump_dir /var/spool/squid
ftp_user mailto:anonymousftp at domain.tld
#
refresh_pattern -i
windowsupdate.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200
80% 129600 reload-into-ims
refresh_pattern -i
microsoft.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80%
129600 reload-into-ims
refresh_pattern -i
windows.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80%
129600 reload-into-ims
refresh_pattern -i
microsoft.com.akadns.net/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf
) 43200 80% 129600 reload-into-ims
refresh_pattern -i
deploy.akamaitechnologies.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zi
p|psf) 43200 80% 129600 reload-into-ims
## todo, make this list more complete, see icap excludes
refresh_pattern -i
\.symantecliveupdate\.com\/.*\.(zip|7z|irn|[m|x][0-9][0-9]) 4320
100% 43200 reload-into-ims
refresh_pattern -i
.*dnl.*\.geo\.kaspersky\.(com|ru)\/.*\.(zip|avc|kdc|nhg|klz|d[at|if])
4320 100% 43200 reload-into-ims
refresh_pattern -i
\.kaspersky-labs\.(com|ru)\/.*\.(cab|zip|exe|ms[i|p]) 4320 100%
43200 reload-into-ims
refresh_pattern -i \.kaspersky\.(com|ru)\/.*\.(cab|zip|exe|ms[i|p]|avc)
4320 100% 43200 reload-into-ims
refresh_pattern -i .update\.geo\.drweb\.com 4320 100% 43200
reload-into-ims
refresh_pattern -i \.avast.com\/.*\.(vp[u|aa]) 4320 100%
43200 reload-into-ims
refresh_pattern -i \.avg.com\/.*\.(bin) 4320 100% 43200
reload-into-ims
## todo, add .deb files caching
refresh_pattern ^(ht|f)tp://.*debian.*/Packages\.(bz2|gz|diff/Index)$
0 0% 0
refresh_pattern ^(ht|f)tp://.*debian.*/Release(\.gpg)?$
0 0% 0
refresh_pattern ^(ht|f)tp://.*debian.*/Sources\.(bz2|gz|diff/Index)$
0 0% 0
refresh_pattern ^(ht|f)tp://.*debian.*/Translation-en_GB\.bz2)$
0 0% 0
## The defaults as last.
refresh_pattern -i \.(zip|[g|b]z2?|exe|ms[i|p]|cvd|cdiff|mar)$ 43200
100% 129600 reload-into-ims
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_mgr mailto:changed2protectme at somedomain.tld
mail_from mailto:proxy2 at internal.domain.tld
visible_hostname proxy2.internal.domain.tld
hostname_aliases proxy2.internal.domain.tld
httpd_suppress_version_string on
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_persistent_connections on
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache icap://127.0.0.1:1344/squidclamav
bypass=off
adaptation_access service_req allow all
icap_service service_resp respmod_precache icap://127.0.0.1:1344/squidclamav
bypass=off
adaptation_access service_resp allow all
dns_v4_first on
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 64 KB
cache_mem 256 MB
quick_abort_min -1 KB
fqdncache_size 4096
cache_swap_low 90
cache_swap_high 95
More information about the squid-users
mailing list