Authentication not applicable on intercepted requests


Vieri
Hi,

I have:

debug_options rotate=1 ALL,1

and I'm getting lots of these messages in cache.log:

NOTICE: Authentication not applicable on intercepted requests.

I have a mixed tproxy/sslbump + auth (via /usr/libexec/squid/negotiate_kerberos_auth) config. I know authentication can't be done on intercepted requests.
I'd like to know how to fix my squid conf file in order to avoid logging this message.

The relevant parts of my squid.conf should be:

external_acl_type nt_group ttl=0 children-max=50 %LOGIN /usr/libexec/squid/ext_wbinfo_group_acl -K

auth_param negotiate program /usr/libexec/squid/negotiate_kerberos_auth -s HTTP/[hidden email]
auth_param negotiate children 60
auth_param negotiate keep_alive on

auth_param basic realm My REALM proxy

acl localnet src 10.0.0.0/8
acl localnet src 192.168.0.0/16

acl ORG_all proxy_auth REQUIRED

acl explicit myportname 3128
acl intercepted myportname 3129
acl interceptedssl myportname 3130

[...]
acl allowed_groups external nt_group "/opt/proxy-settings/allowed.groups"
[...]
acl restricted_groups external nt_group "/opt/proxy-settings/restricted.groups"

[...]
http_access deny SSL_ports ORG_all
http_access deny explicit !ORG_all
#http_access deny intercepted ORG_all
#http_access deny interceptedssl ORG_all
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet

[...]
debug_options rotate=1 ALL,1
[...]
http_port 3128
http_port 3129 tproxy
https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem
sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 40 startup=20 idle=10

reply_header_access Alternate-Protocol deny all
ssl_bump stare all
ssl_bump bump all
[...]

Thanks,

Vieri
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Authentication not applicable on intercepted requests

Amos Jeffries
Administrator
On 27/10/17 20:22, Vieri wrote:

> Hi,
>
> I have:
>
> debug_options rotate=1 ALL,1
>
> and I'm getting lots of these messages in cache.log:
>
> NOTICE: Authentication not applicable on intercepted requests.
>
> I have a mixed tproxy/sslbump + auth (via /usr/libexec/squid/negotiate_kerberos_auth) config. I know authentication can't be done on intercepted requests.
> I'd like to know how to fix my squid conf file in order to avoid logging this message.
>
> The relevant parts of my squid.conf should be:
>
> external_acl_type nt_group ttl=0 children-max=50 %LOGIN /usr/libexec/squid/ext_wbinfo_group_acl -K
>
> auth_param negotiate program /usr/libexec/squid/negotiate_kerberos_auth -s HTTP/[hidden email]
> auth_param negotiate children 60
> auth_param negotiate keep_alive on
>
> auth_param basic realm My REALM proxy
>

You do not seem to be using Basic auth. Setting the realm for an unused
auth mechanism is pointless.

> acl localnet src 10.0.0.0/8
> acl localnet src 192.168.0.0/16
>
> acl ORG_all proxy_auth REQUIRED
>
> acl explicit myportname 3128
> acl intercepted myportname 3129
> acl interceptedssl myportname 3130
>
> [...]
> acl allowed_groups external nt_group "/opt/proxy-settings/allowed.groups"
> [...]
> acl restricted_groups external nt_group "/opt/proxy-settings/restricted.groups"
>
> [...]
> http_access deny SSL_ports ORG_all
> http_access deny explicit !ORG_all
> #http_access deny intercepted ORG_all
> #http_access deny interceptedssl ORG_all
> http_access deny intercepted !localnet
> http_access deny interceptedssl !localnet
>

Try:
   http_access deny explicit !ORG_all
   http_access deny explicit SSL_ports
   http_access deny intercepted !localnet
   http_access deny interceptedssl !localnet


Amos
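
Why the reordered rules stop the notice, as an added example that is not part of the original thread or of Squid itself: Squid tests the ACLs on an http_access line left to right, so an auth ACL such as ORG_all is consulted for intercepted traffic unless a port ACL such as `explicit` matches first. The function name `auth_on_intercepted` and the `SSL_ports` definition in the sample are assumptions.

```python
# Assumption: a port's myportname value is its bare port spec (no name= option), as in the thread.
def auth_on_intercepted(conf):
    intercept_ports, login_helpers = set(), set()
    acl_type, acl_args, rules = {}, {}, []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(tok) < 2:
            continue
        if tok[0] in ("http_port", "https_port") and {"tproxy", "intercept"} & set(tok[2:]):
            intercept_ports.add(tok[1])         # port that receives intercepted traffic
        elif tok[0] == "external_acl_type" and "%LOGIN" in tok:
            login_helpers.add(tok[1])           # helper that requires credentials
        elif tok[0] == "acl" and len(tok) >= 3:
            acl_type[tok[1]] = tok[2]
            acl_args.setdefault(tok[1], []).extend(tok[3:])
        elif tok[0] == "http_access":
            rules.append(tok)
    def needs_login(name):
        kind, args = acl_type.get(name), acl_args.get(name, [])
        return kind in ("proxy_auth", "proxy_auth_regex") or (
            kind == "external" and bool(args) and args[0] in login_helpers)
    def explicit_only(name):
        args = acl_args.get(name, [])
        return (acl_type.get(name) == "myportname" and bool(args)
                and not set(args) & intercept_ports)
    flagged = []
    for tok in rules:
        for term in tok[2:]:                    # Squid tests ACLs left to right
            name = term.lstrip("!")
            if not term.startswith("!") and explicit_only(name):
                break                           # later ACLs only see explicit-port traffic
            if needs_login(name):
                flagged.append(" ".join(tok))   # auth ACL reachable from an intercepted port
                break
    return flagged

# Constructed sample built from the thread's directives; the SSL_ports definition is assumed.
COMMON = """acl SSL_ports port 443
acl ORG_all proxy_auth REQUIRED
acl localnet src 10.0.0.0/8
acl explicit myportname 3128
acl intercepted myportname 3129
acl interceptedssl myportname 3130
http_port 3128
http_port 3129 tproxy
https_port 3130 tproxy ssl-bump
"""
BEFORE = COMMON + "http_access deny SSL_ports ORG_all\nhttp_access deny explicit !ORG_all\n"
AFTER = COMMON + "http_access deny explicit !ORG_all\nhttp_access deny explicit SSL_ports\n"
```

Run over the original rules it reports only `http_access deny SSL_ports ORG_all`; the reordered rules from the reply produce no findings.
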
Re: Authentication not applicable on intercepted requests

Vieri
________________________________
From: Amos Jeffries <[hidden email]>
>
> You do not seem to be using Basic auth. Setting the realm for an unused auth mechanism is pointless.
>
> Try:
>   http_access deny explicit !ORG_all
>   http_access deny explicit SSL_ports
>   http_access deny intercepted !localnet
>   http_access deny interceptedssl !localnet


Works great.

Thanks!

Vieri