[squid-users] Ipv6 error

info at schroeffu.ch info at schroeffu.ch
Thu Nov 8 08:32:36 UTC 2018


Hello and thanks for your explanation.
What kind of ACL would then match "all squid internal requests" to allow without authentication?

> For most modern Squids, this http_access policy is, IMO, incorrect
> because it blocks internally-generated requests, such as requests for
> missing intermediate certificates. Please adjust your configuration to
> allow those requests (if you want them to be allowed).

I found another site missing the intermediate in their CA bundle, the same issue:

1541663927.195 0 - TCP_DENIED/407 3752 GET http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt - HIER_NONE/- text/html;charset=utf-8
1541663927.195 52 172.16.5.15 NONE/200 0 CONNECT gtacknowledge.extremenetworks.com:443 xxxx HIER_DIRECT/136.146.11.219 -
1541663927.210 0 172.16.5.15 NONE/503 5471 GET https://gtacknowledge.extremenetworks.com/favicon.ico xxxx HIER_NONE/- text/html

Just commenting out the following line does resolve the problem:

acl Authenticated_Users proxy_auth REQUIRED
#http_access deny !Authenticated_Users all

but I still need the requirement that users have to authenticate themselves (but exclude squid-internal requests). So, what kind of ACL catches squid internal requests, for use as !whitelist_squid_internal_requests then? For example:

acl Authenticated_Users proxy_auth REQUIRED
acl whitelist_squid_internal_requests ????
http_access deny !Authenticated_Users !whitelist_squid_internal_requests all
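
Added example, not part of the original post: a small access.log check that lists the URLs of internally generated requests which the proxy_auth rule rejected with 407, as in the first log entry quoted above. It assumes Squid's native log layout and that "-" in the client field marks a transaction with no client connection; the fourth sample line is constructed.

```python
import re
from collections import Counter

# Sample in Squid's native access.log layout: the first three entries are the
# ones quoted in the post, the fourth is constructed (an ordinary client's
# first unauthenticated request, which must not be flagged).
SAMPLE_LOG = """\
1541663927.195 0 - TCP_DENIED/407 3752 GET http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt - HIER_NONE/- text/html;charset=utf-8
1541663927.195 52 172.16.5.15 NONE/200 0 CONNECT gtacknowledge.extremenetworks.com:443 xxxx HIER_DIRECT/136.146.11.219 -
1541663927.210 0 172.16.5.15 NONE/503 5471 GET https://gtacknowledge.extremenetworks.com/favicon.ico xxxx HIER_NONE/- text/html
1541663930.001 0 172.16.5.20 TCP_DENIED/407 3990 CONNECT example.test:443 - HIER_NONE/- text/html
"""

# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<mime>\S+)$"
)


def parse(line):
    """Split one access.log line into named fields, or return None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def denied_internal_fetches(log_text):
    """Count, per URL, clientless transactions rejected with 407."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # skip wrapped or truncated lines
        # Assumption: "-" as client address means Squid itself started the
        # transaction (for example a missing-intermediate-certificate fetch).
        if (rec["client"] == "-" and rec["code"] == "TCP_DENIED"
                and rec["status"] == "407"):
            hits[rec["url"]] += 1
    return hits


if __name__ == "__main__":
    for url, count in denied_internal_fetches(SAMPLE_LOG).most_common():
        print(f"{count:5d}  {url}")
```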

