[squid-users] Authentication not applicable on intercepted requests
Amos Jeffries
squid3 at treenet.co.nz
Fri Oct 27 13:50:12 UTC 2017
On 27/10/17 20:22, Vieri wrote:
> Hi,
>
> I have:
>
> debug_options rotate=1 ALL,1
>
> and I'm getting lots of these messages in cache.log:
>
> NOTICE: Authentication not applicable on intercepted requests.
>
> I have a mixed tproxy/sslbump + auth (via /usr/libexec/squid/negotiate_kerberos_auth) config. I know authentication can't be done on intercepted requests.
> I'd like to know how to fix my squid conf file in order to avoid logging this message.
>
> The relevant parts of my squid.conf should be:
>
> external_acl_type nt_group ttl=0 children-max=50 %LOGIN /usr/libexec/squid/ext_wbinfo_group_acl -K
>
> auth_param negotiate program /usr/libexec/squid/negotiate_kerberos_auth -s HTTP/myserver.mydomain.org@MYDOMAIN.ORG
> auth_param negotiate children 60
> auth_param negotiate keep_alive on
>
> auth_param basic realm My REALM proxy
>
You do not seem to be using Basic auth. Setting the realm for an unused
auth mechanism is pointless.

> acl localnet src 10.0.0.0/8
> acl localnet src 192.168.0.0/16
>
> acl ORG_all proxy_auth REQUIRED
>
> acl explicit myportname 3128
> acl intercepted myportname 3129
> acl interceptedssl myportname 3130
>
> [...]
> acl allowed_groups external nt_group "/opt/proxy-settings/allowed.groups"
> [...]
> acl restricted_groups external nt_group "/opt/proxy-settings/restricted.groups"
>
> [...]
> http_access deny SSL_ports ORG_all
> http_access deny explicit !ORG_all
> #http_access deny intercepted ORG_all
> #http_access deny interceptedssl ORG_all
> http_access deny intercepted !localnet
> http_access deny interceptedssl !localnet
>
Try:

http_access deny explicit !ORG_all
http_access deny explicit SSL_ports
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet

Amos
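
An added example, not part of the reply above and not Squid code: a Python check that flags http_access lines on which a credential-requiring ACL can be tested before the request has been confined to the explicit port, which is what the reordering in the reply avoids. The function names and the explicit_port_acls parameter are hypothetical, and the caller is assumed to know which myportname ACLs are forward-proxy ports.

```python
def auth_acls(conf):
    """ACL names that need credentials: proxy_auth, or external with %LOGIN."""
    login_helpers, names = set(), set()
    for line in conf.splitlines():
        f = line.split("#", 1)[0].split()  # drop comments, tokenize
        if len(f) > 1 and f[0] == "external_acl_type" and "%LOGIN" in f:
            login_helpers.add(f[1])
        elif len(f) > 2 and f[0] == "acl":
            if f[2].startswith("proxy_auth"):
                names.add(f[1])
            elif f[2] == "external" and len(f) > 3 and f[3] in login_helpers:
                names.add(f[1])
    return names

def unguarded_auth_rules(conf, explicit_port_acls):
    """http_access lines where an auth ACL can be tested on intercepted traffic.
    Squid tests the ACLs on a line left to right and stops at the first
    mismatch, so an auth ACL is only safe after a positive explicit-port ACL."""
    needs_login, flagged = auth_acls(conf), []
    for line in conf.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) > 2 and f[0] == "http_access":
            for acl in f[2:]:
                if acl in explicit_port_acls:
                    break  # intercepted requests stop matching here
                if acl.lstrip("!") in needs_login:
                    flagged.append(" ".join(f))
                    break
    return flagged

# ACL definitions and rules as posted in the thread (elided parts left out).
DEFS = """
external_acl_type nt_group ttl=0 children-max=50 %LOGIN /usr/libexec/squid/ext_wbinfo_group_acl -K
acl ORG_all proxy_auth REQUIRED
acl explicit myportname 3128
acl allowed_groups external nt_group "/opt/proxy-settings/allowed.groups"
"""
ORIGINAL = DEFS + """
http_access deny SSL_ports ORG_all
http_access deny explicit !ORG_all
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet
"""
SUGGESTED = DEFS + """
http_access deny explicit !ORG_all
http_access deny explicit SSL_ports
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet
"""
print(unguarded_auth_rules(ORIGINAL, {"explicit"}))
```

The check is conservative: it looks at each line on its own and does not model whether an earlier rule has already matched the request.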