[squid-users] Ipv6 error

info at schroeffu.ch info at schroeffu.ch
Fri Nov 9 08:37:06 UTC 2018


> FYI: By placing that "all" ACL (or any other non-authentication ACL) at
> the end of your access line you are currently making Squid *not* fetch
> credentials from users.
> 
> If the UA/Browser is so insecurely configured that it broadcasts user
> credentials out to the network without being asked for them your above
> config would _appear_ to work, but that insecurity is a different
> problem on its own.
> 
> Amos

Oh ok I see, thanks, will change that of course

> transaction_initiator internal
> 
> Alex.

Perfect, that's the ACL I was looking for, I didn't know that it exists.
So I changed my configuration and finally it now fetches the intermediate certificates before an authentication is required:

#Allow fetch intermediate certs before required authentication
acl fetched_certificate transaction_initiator certificate-fetching
cache allow fetched_certificate
cache deny all
http_access allow fetched_certificate

#Authentication is REQUIRED
acl Authenticated_Users proxy_auth REQUIRED
http_access deny !Authenticated_Users

It also does cache them, as described here:
http://lists.squid-cache.org/pipermail/squid-dev/2017-June/008800.html

Example Log:

1541752564.411      0 172.16.5.15 TCP_DENIED/407 4638 CONNECT bugs.squid-cache.org:443 - HIER_NONE/- text/html
1541752564.702      2 - TCP_MEM_HIT/200 1174 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- application/pkix-cert
1541752564.834    421 172.16.5.15 NONE/200 0 CONNECT bugs.squid-cache.org:443 xxxx HIER_DIRECT/104.130.201.120 -
1541752567.031   2180 172.16.5.15 TCP_MISS/200 3875 GET https://bugs.squid-cache.org/index.cgi xxxx HIER_DIRECT/104.130.201.120 text/html
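To check from the access log that the split above really holds (Squid's own certificate fetches are served with no credentials, while every client request without credentials gets a 407 and nothing else), here is a small audit script. It is an added example, not code from the post or from the Squid project; it parses the default native log format and treats a "-" client address as a Squid-initiated request, which is how the certificate fetch appears in the log excerpt above. The fifth sample line is constructed to show what the audit flags when an unauthenticated client request is served anyway (the symptom Amos described when an "all" ACL ends the access list).

```python
"""Audit Squid native access.log lines for the transaction_initiator /
proxy_auth split: internal cert fetches may be served without credentials,
but a real client with no credentials must only ever receive a 407."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Entry:
    ts: float
    elapsed_ms: int
    client: str       # "-" when the request was initiated by Squid itself
    code: str         # Squid result code, e.g. TCP_MEM_HIT
    status: int       # HTTP status, e.g. 407
    size: int
    method: str
    url: str
    user: str         # "-" when no credentials were supplied
    hierarchy: str    # e.g. HIER_DIRECT/104.130.201.120
    mime: str


def parse_line(line: str) -> Entry:
    """Parse one line of Squid's default (native) log format: ten
    whitespace-separated fields, result code and status joined by '/'."""
    f = line.split()
    if len(f) != 10:
        raise ValueError(f"expected 10 fields, got {len(f)}: {line!r}")
    code, status = f[3].split("/", 1)
    return Entry(float(f[0]), int(f[1]), f[2], code, int(status),
                 int(f[4]), f[5], f[6], f[7], f[8], f[9])


def is_internal_fetch(e: Entry) -> bool:
    """Squid-initiated requests (intermediate-certificate fetching) carry
    no client address in the native log (assumption drawn from the excerpt)."""
    return e.client == "-"


def audit(lines: List[str]) -> Dict[str, object]:
    """Classify each line; any client request served without credentials
    and without a 407 is reported as a violation of the intended policy."""
    report: Dict[str, object] = {
        "internal_fetches": 0,   # Squid's own fetches, no credentials expected
        "cert_fetches": 0,       # subset of the above that returned a certificate
        "auth_challenges": 0,    # clients correctly challenged with 407
        "authenticated": 0,      # client requests carrying a username
        "violations": [],        # URLs served to clients with no credentials
    }
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        if is_internal_fetch(e):
            report["internal_fetches"] += 1
            if e.mime == "application/pkix-cert":
                report["cert_fetches"] += 1
        elif e.user == "-":
            if e.status == 407:
                report["auth_challenges"] += 1
            else:
                report["violations"].append(e.url)
        else:
            report["authenticated"] += 1
    return report


# Sample input: the four lines from the post, plus one constructed line
# (the last) in which a client is served without credentials.
SAMPLE_LINES = [
    "1541752564.411      0 172.16.5.15 TCP_DENIED/407 4638 CONNECT bugs.squid-cache.org:443 - HIER_NONE/- text/html",
    "1541752564.702      2 - TCP_MEM_HIT/200 1174 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- application/pkix-cert",
    "1541752564.834    421 172.16.5.15 NONE/200 0 CONNECT bugs.squid-cache.org:443 xxxx HIER_DIRECT/104.130.201.120 -",
    "1541752567.031   2180 172.16.5.15 TCP_MISS/200 3875 GET https://bugs.squid-cache.org/index.cgi xxxx HIER_DIRECT/104.130.201.120 text/html",
    # constructed: unauthenticated client request that was served (misconfiguration)
    "1541752570.000    100 172.16.5.15 TCP_MISS/200 512 GET http://example.invalid/ - HIER_DIRECT/203.0.113.10 text/html",
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Run it against a real access.log with `audit(open("/var/log/squid/access.log").readlines())`; an empty `violations` list means no client slipped past `proxy_auth REQUIRED`, while the `cert_fetches` count confirms the `certificate-fetching` initiator is doing its job.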