[squid-users] Authentication not applicable on intercepted requests

Vieri rentorbuy at yahoo.com
Fri Oct 27 07:22:12 UTC 2017


Hi,

I have:

debug_options rotate=1 ALL,1

and I'm getting lots of these messages in cache.log:

NOTICE: Authentication not applicable on intercepted requests.

I have a mixed tproxy/sslbump + auth (via /usr/libexec/squid/negotiate_kerberos_auth) config. I know authentication can't be done on intercepted requests.
I'd like to know how to fix my squid conf file in order to avoid logging this message.

The relevant parts of my squid.conf should be:

external_acl_type nt_group ttl=0 children-max=50 %LOGIN /usr/libexec/squid/ext_wbinfo_group_acl -K

auth_param negotiate program /usr/libexec/squid/negotiate_kerberos_auth -s HTTP/myserver.mydomain.org at MYDOMAIN.ORG
auth_param negotiate children 60
auth_param negotiate keep_alive on

auth_param basic realm My REALM proxy

acl localnet src 10.0.0.0/8
acl localnet src 192.168.0.0/16

acl ORG_all proxy_auth REQUIRED

acl explicit myportname 3128
acl intercepted myportname 3129
acl interceptedssl myportname 3130

[...]
acl allowed_groups external nt_group "/opt/proxy-settings/allowed.groups"
[...]
acl restricted_groups external nt_group "/opt/proxy-settings/restricted.groups"

[...]
http_access deny SSL_ports ORG_all
http_access deny explicit !ORG_all
#http_access deny intercepted ORG_all
#http_access deny interceptedssl ORG_all
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet

[...]
debug_options rotate=1 ALL,1
[...]
http_port 3128
http_port 3129 tproxy
https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem
sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 40 startup=20 idle=10

reply_header_access Alternate-Protocol deny all
ssl_bump stare all
ssl_bump bump all
[...]

Thanks,

Vieri


More information about the squid-users mailing list