[squid-users] Ipv6 error

Amos Jeffries squid3 at treenet.co.nz
Thu Nov 8 23:42:05 UTC 2018


On 8/11/18 9:32 PM, info at schroeffu.ch wrote:
> Hello and thanks for your explanation.
> What kind of ACL would then match "all squid internal requests" to allow without authentication?
> 
>> For most modern Squids, this http_access policy is, IMO, incorrect
>> because it blocks internally-generated requests, such as requests for
>> missing intermediate certificates. Please adjust your configuration to
>> allow those requests (if you want them to be allowed).
> 
> I found another Site missing the Intermediate in their cabundle, the same issue:
> 
> 1541663927.195 0 - TCP_DENIED/407 3752 GET
> http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt - HIER_NONE/-
> text/html;charset=utf-8
> 1541663927.195 52 172.16.5.15 NONE/200 0 CONNECT gtacknowledge.extremenetworks.com:443 xxxx
> HIER_DIRECT/136.146.11.219 -
> 1541663927.210 0 172.16.5.15 NONE/503 5471 GET
> https://gtacknowledge.extremenetworks.com/favicon.ico xxxx HIER_NONE/- text/html
> 
> Just commenting out the following line does resolve the problem
> 
> acl Authenticated_Users proxy_auth REQUIRED
> #http_access deny !Authenticated_Users all
> 
> but I still need the requirement that users have to auth themselv 

FYI: By placing that "all" ACL (or any other non-authentication ACL) at
the end of your access line you are currently making Squid *not* fetch
credentials from users.

If the UA/Browser is so insecurely configured that it broadcasts user
credentials out to the network without being asked for them, your above
config would _appear_ to work, but that insecurity is a different
problem on its own.

Amos
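
Added example, not part of the original mail or of Squid: a Python script for spotting the pattern in the quoted log, where a request with no client address (`-`) is refused by the access policy and a client request is answered with 503 shortly afterwards. It assumes Squid's native access.log field layout; the one-second correlation window, the function names and the sample lines are assumptions made for this example.

```python
import re

# Squid native access.log fields:
# time elapsed client code/status bytes method URL user hierarchy/peer type
RECORD = re.compile(
    r"(?P<ts>\d+\.\d{3})\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)
NEW_RECORD = re.compile(r"\d{9,}\.\d{3}\s")  # an epoch timestamp starts a record


def parse(text):
    """Parse access.log text, rejoining records that a mail client quoted and wrapped."""
    joined = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if NEW_RECORD.match(line) or not joined:
            joined.append(line)
        elif line:
            joined[-1] += " " + line  # continuation of a wrapped record
    matches = filter(None, map(RECORD.match, joined))
    return [dict(m.groupdict(), ts=float(m["ts"])) for m in matches]


def denied_internal(records):
    """Requests with no client address ("-") that the access policy refused."""
    return [r for r in records if r["client"] == "-"
            and r["code"] == "TCP_DENIED" and r["status"] in ("403", "407")]


def failed_near(records, window=1.0):
    """Map each denied internal URL to client requests answered 503 within `window` seconds."""
    return {d["url"]: [(r["client"], r["url"]) for r in records
                       if r["client"] != "-" and r["status"] == "503"
                       and 0 <= r["ts"] - d["ts"] <= window]
            for d in denied_internal(records)}


# Constructed sample, quoted and wrapped the way the mail above shows its log lines.
SAMPLE = """\
> 1541663927.195 0 - TCP_DENIED/407 3752 GET
> http://ca.example.net/intermediate.crt - HIER_NONE/-
> text/html;charset=utf-8
> 1541663927.195 52 192.0.2.15 NONE/200 0 CONNECT www.example.org:443 alice
> HIER_DIRECT/198.51.100.7 -
> 1541663927.210 0 192.0.2.15 NONE/503 5471 GET
> https://www.example.org/favicon.ico alice HIER_NONE/- text/html
"""
```

Calling `failed_near(parse(SAMPLE))` returns the refused certificate URL mapped to the client request that failed right after it.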

