Re: question about : NOTICE: Authentication not applicable onintercepted requests. ( SOLVED )


Re: question about : NOTICE: Authentication not applicable onintercepted requests. ( SOLVED )

L.P.H. van Belle

If this one arrived in the list.

This is solved; the wpad.dat was guiding me to the other proxy while my gateway was set to my new proxy.

This happened at the policy refresh and I did not notice it.

Sorry for the noise.

But if you see anything that is incorrect, or that could be a better setup, please let me know.

I always like improvements.

 

Thanks

 

Louis

 

 


From: L.P.H. van Belle [mailto:[hidden email]]
Sent: Wednesday 15 February 2017 10:54
To: '[hidden email]'
Subject: question about : NOTICE: Authentication not applicable on intercepted requests.

 

Hi,

I am configuring my Debian jessie with squid 3.5.24 (with SSL enabled), c-icap, squidclamav and winbind 4.5.5 for Kerberos keytab refreshing.

Now I am at the point of reducing my logs and I noticed:

NOTICE: Authentication not applicable on intercepted requests.

messages in squid/cache.log.

I know this is some misconfiguration somewhere but I am having a hard time finding/understanding it.

Where and why; so if anyone can help me find and understand it, that would be very nice.

I can't see my error and everything else is working fine, except I haven't tested the Kerberos group ACL yet.

So I didn't set that http_access yet.

I have the following firewall rules:

# Not authenticated web traffic, redirected to squid in intercept mode.

-A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 192.168.0.2:3128

-A PREROUTING -p tcp -i eth0 --dport 443 -j DNAT --to-destination 192.168.0.2:3129

Port 8080 is also open.

Web traffic for PCs which are domain joined has the proxy set by GPO to hostname.domain.tld port 8080.

Web traffic for other devices doesn't need to authenticate.

WPAD and DNS wpad are also set.

Below is mostly from the updated wiki pages.

A big thank you to Amos, Victor and others who changed the pages; it looks good.

I have some small changes for a pure Debian based setup with samba4 as AD DC and winbind for the squid member server.

 

 

This is my squid config.

# Created from a running squid version : 3.5.24

# Running os : Debian GNU/Linux 8 (jessie)

# Creation date: 2017-02-15

 

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/[hidden email] --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM

auth_param negotiate children 10 startup=5 idle=5

auth_param negotiate keep_alive on

external_acl_type memberof ttl=3600 negative_ttl=3600 %LOGIN /usr/lib/squid3/ext_kerberos_ldap_group_acl -d -i -m 4 -g [hidden email] -N [hidden email] -S [hidden email] -D INTERNAL.DOMAIN.TLD

acl authenticated proxy_auth REQUIRED

 

acl certificates rep_mime_type -i ^application/pkix-crl$

 

acl windows-updates dstdomain "/etc/squid/lists/updates-windows"

acl antivirus-updates dstdomain "/etc/squid/lists/updates-antivirus"

acl localnet src fc00::/7       # RFC 4193 local private network range

acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl localnet src 192.168.249.0/24    # Company-1

acl localnet src 10.249.2.0/24       # Company-2

acl localnet src 10.249.3.0/24       # Company-3

acl localnet src 10.249.4.0/24       # Company-4

acl localnet src 10.249.5.0/24       # Company-5

 

acl SSL_ports port 443          # https

acl SSL_ports port 3952         # CIC client

acl SSL_ports port 10443        # https Cisco 5506x

acl Safe_ports port 80          # http

acl Safe_ports port 21          # ftp

acl Safe_ports port 443         # https

acl Safe_ports port 70          # gopher

acl Safe_ports port 210         # wais

acl Safe_ports port 1025-65535  # unregistered ports

acl Safe_ports port 280         # http-mgmt

acl Safe_ports port 488         # gss-http

acl Safe_ports port 591         # filemaker

acl Safe_ports port 777         # multiling http

acl Safe_ports port 3952        # CIC client

acl Safe_ports port 10443       # https Cisco 5506x

acl CONNECT method CONNECT

 

## Added : Advertising Server Block List merge from YoYo.org and Host-file.net

acl block-asbl dstdomain "/etc/squid/lists/block-asbl-merged-dstdomain"

http_access deny block-asbl

 

acl google_recaptcha urlpath_regex ^\/recaptcha\/api.js

# Note: this allow is evaluated before the Safe_ports, CONNECT and authentication
# checks below, so this URL path is allowed unauthenticated to any destination
# host and port that is not on the block-asbl list.
http_access allow google_recaptcha

 

acl NO-CACHE-SITES url_regex "/etc/squid/lists/no-cache-sites"

no_cache deny NO-CACHE-SITES

always_direct allow NO-CACHE-SITES

cache deny NO-CACHE-SITES

 

#

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager

http_access deny manager

http_access deny to_localhost

 

## allow before auth so all pc's get the needed updates

http_access allow windows-updates

http_access allow antivirus-updates

 

http_access allow authenticated

http_access allow localnet

http_access allow localhost

http_access deny all

 

http_port 192.168.249.222:3128 intercept connection-auth=off

https_port 192.168.249.222:3129 intercept connection-auth=off ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/local/CAcert.pem options=NO_SSLv3 key=/etc/ssl/local/CAkey.pem

 

http_port 192.168.249.222:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/local/CAcert.pem options=NO_SSLv3 key=/etc/ssl/local/CAkey.pem

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 8MB

acl step1 at_step SslBump1

ssl_bump peek step1

ssl_bump bump all

sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE

sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

# NOTE: cache_mem is set again further down (256 MB); Squid uses the last value it reads.
cache_mem 4096 MB

coredump_dir /var/spool/squid

ftp_user [hidden email]

 

#

# Note: inside [...] the "|" is a literal character, so the classes use plain lists.
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[iufp]|[ap]sf|wm[va]|dat|zip|psf) 43200 80% 129600 reload-into-ims

refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[iufp]|[ap]sf|wm[va]|dat|zip|psf) 43200 80% 129600 reload-into-ims

refresh_pattern -i windows.com/.*\.(cab|exe|ms[iufp]|[ap]sf|wm[va]|dat|zip|psf) 43200 80% 129600 reload-into-ims

refresh_pattern -i microsoft.com.akadns.net/.*\.(cab|exe|ms[iufp]|[ap]sf|wm[va]|dat|zip|psf) 43200 80% 129600 reload-into-ims

refresh_pattern -i deploy.akamaitechnologies.com/.*\.(cab|exe|ms[iufp]|[ap]sf|wm[va]|dat|zip|psf) 43200 80% 129600 reload-into-ims

 

## todo, make this list more complete, see icap excludes

refresh_pattern -i \.symantecliveupdate\.com\/.*\.(zip|7z|irn|[mx][0-9][0-9])          4320    100%    43200   reload-into-ims

refresh_pattern -i .*dnl.*\.geo\.kaspersky\.(com|ru)\/.*\.(zip|avc|kdc|nhg|klz|dat|dif)        4320    100%    43200   reload-into-ims

refresh_pattern -i \.kaspersky-labs\.(com|ru)\/.*\.(cab|zip|exe|ms[ip])        4320    100%    43200   reload-into-ims

refresh_pattern -i \.kaspersky\.(com|ru)\/.*\.(cab|zip|exe|ms[ip]|avc) 4320    100%    43200   reload-into-ims

refresh_pattern -i .update\.geo\.drweb\.com     4320    100%    43200   reload-into-ims

refresh_pattern -i \.avast.com\/.*\.(vpu|vpaa)          4320    100%    43200   reload-into-ims

refresh_pattern -i \.avg.com\/.*\.(bin)         4320    100%    43200   reload-into-ims

 

## todo, add .deb files caching

refresh_pattern ^(ht|f)tp://.*debian.*/Packages\.(bz2|gz|diff/Index)$   0       0%      0

refresh_pattern ^(ht|f)tp://.*debian.*/Release(\.gpg)?$                 0       0%      0

refresh_pattern ^(ht|f)tp://.*debian.*/Sources\.(bz2|gz|diff/Index)$    0       0%      0

refresh_pattern ^(ht|f)tp://.*debian.*/Translation-en_GB\.bz2$          0       0%      0

 

## The defaults as last.

refresh_pattern -i \.(zip|[gb]z2?|exe|ms[ip]|cvd|cdiff|mar)$  43200   100%    129600  reload-into-ims

refresh_pattern ^ftp:           1440    20%     10080

refresh_pattern ^gopher:        1440    0%      1440

refresh_pattern -i (/cgi-bin/|\?) 0     0%      0

refresh_pattern .               0       20%     4320

cache_mgr [hidden email]

mail_from [hidden email]

visible_hostname proxy2.internal.domain.tld

hostname_aliases proxy2.internal.domain.tld

 

httpd_suppress_version_string on

 

icap_enable on

icap_send_client_ip on

icap_send_client_username on

icap_client_username_header X-Authenticated-User

icap_persistent_connections on

icap_preview_enable on

icap_preview_size 1024

icap_service service_req reqmod_precache icap://127.0.0.1:1344/squidclamav bypass=off

adaptation_access service_req allow all

icap_service service_resp respmod_precache icap://127.0.0.1:1344/squidclamav bypass=off

adaptation_access service_resp allow all

 

dns_v4_first on

maximum_object_size 4096 KB

minimum_object_size 0 KB

maximum_object_size_in_memory 64 KB

cache_mem 256 MB

quick_abort_min -1 KB

fqdncache_size 4096

cache_swap_low 90

cache_swap_high 95

 


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
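For the NOTICE itself, here is an added example (my own, not from the post above or the Squid wiki) of how the posted http_access rules can be scoped so that the proxy_auth ACL is never evaluated for intercepted traffic. Squid logs that NOTICE each time a proxy_auth ACL is checked against a request that arrived on an intercept port: it cannot send a 407 challenge to a client that does not know it is talking to a proxy, so the ACL simply fails to match. In the posted config every intercepted request that is not a Windows or antivirus update reaches "http_access allow authenticated" before falling through to "allow localnet", so each such request logs the message. The port names (explicit, intercept-http, intercept-https) and the ACL name explicit_port are my own choices; the other directives mirror the posted ones.

```conf
# Give each listening port a name so it can be matched with a myportname ACL.
http_port  192.168.249.222:8080 name=explicit ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/local/CAcert.pem options=NO_SSLv3 key=/etc/ssl/local/CAkey.pem
http_port  192.168.249.222:3128 name=intercept-http  intercept connection-auth=off
https_port 192.168.249.222:3129 name=intercept-https intercept connection-auth=off ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/local/CAcert.pem options=NO_SSLv3 key=/etc/ssl/local/CAkey.pem

acl explicit_port myportname explicit
acl authenticated proxy_auth REQUIRED

# ... Safe_ports / SSL_ports / manager / to_localhost / block-asbl rules as in the posted config ...

## allow before auth so all pc's get the needed updates
http_access allow windows-updates
http_access allow antivirus-updates

# ACLs on one line are tested left to right and evaluation stops at the first
# one that does not match. For a request on 3128/3129, explicit_port fails and
# "authenticated" is never evaluated, so no NOTICE is logged. For a request on
# 8080 without credentials the deny fires with the auth ACL as the last ACL
# tested, which is what makes Squid send the 407 challenge.
http_access deny explicit_port !authenticated

# Whatever is left (authenticated explicit-proxy clients and intercepted LAN
# clients) is allowed by source address only.
http_access allow localnet
http_access allow localhost
http_access deny all
```

Validate with "squid -k parse" before reloading. Afterwards, requests on port 8080 from a client without credentials should appear in access.log as TCP_DENIED/407 followed by the authenticated retry, and the NOTICE should stop appearing for traffic on 3128 and 3129.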

Re: question about : NOTICE: Authentication not applicable onintercepted requests. ( SOLVED )

Amos Jeffries
Administrator
On 16/02/2017 3:38 a.m., L.P.H. van Belle wrote:

> If this one arrived in the list.
>
> This is solved; the wpad.dat was guiding me to the other proxy while my gateway was set to my new proxy.
>
> This happened at the policy refresh and I did not notice it.
>
> Sorry for the noise.
>
>  
>
> But if you see anything that is incorrect, or that could be a better setup, please let me know.
>
> I always like improvements.
>

"no_cache" is an alias of "cache". So you can remove the "no_cache" line
from your config entirely.

>  
>
> Thanks
>
>  
>
> Louis
>
>  
>
>  
>
>
> From: L.P.H. van Belle [mailto:[hidden email]]
> Sent: Wednesday 15 February 2017 10:54
> To: '[hidden email]'
> Subject: question about : NOTICE: Authentication not applicable on intercepted requests.
>
>
>  
>
> Hi,
>
> I am configuring my Debian jessie with squid 3.5.24 (with SSL enabled), c-icap, squidclamav and winbind 4.5.5 for Kerberos keytab refreshing.
>
> Now I am at the point of reducing my logs and I noticed:
>
> NOTICE: Authentication not applicable on intercepted requests.
>
> messages in squid/cache.log.
>
> I know this is some misconfiguration somewhere but I am having a hard time finding/understanding it.
>
> Where and why; so if anyone can help me find and understand it, that would be very nice.
>
> I can't see my error and everything else is working fine, except I haven't tested the Kerberos group ACL yet.
>
> So I didn't set that http_access yet.
>
> I have the following firewall rules:
>
> # Not authenticated web traffic, redirected to squid in intercept mode.
>
> -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 192.168.0.2:3128
>
> -A PREROUTING -p tcp -i eth0 --dport 443 -j DNAT --to-destination 192.168.0.2:3129
>
> Port 8080 is also open.
>
> Web traffic for PCs which are domain joined has the proxy set by GPO to hostname.domain.tld port 8080.
>
> Web traffic for other devices doesn't need to authenticate.
>
> WPAD and DNS wpad are also set.
>
> Below is mostly from the updated wiki pages.
>
> A big thank you to Amos, Victor and others who changed the pages; it looks good.
>
> I have some small changes for a pure Debian based setup with samba4 as AD DC and winbind for the squid member server.
>
>  
>
>  
>
> This is my squid config.
>
> # Created from a running squid version : 3.5.24
>
> # Running os : Debian GNU/Linux 8 (jessie)
>
> # Creation date: 2017-02-15
>
>  
>
> auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/[hidden email] --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
>
> auth_param negotiate children 10 startup=5 idle=5
>
> auth_param negotiate keep_alive on
>
> external_acl_type memberof ttl=3600 negative_ttl=3600 %LOGIN /usr/lib/squid3/ext_kerberos_ldap_group_acl -d -i -m 4 -g [hidden email] -N [hidden email] -S [hidden email] -D INTERNAL.DOMAIN.TLD
>
> acl authenticated proxy_auth REQUIRED
>
>  
>
> acl certificates rep_mime_type -i ^application/pkix-crl$
>
>  
>
> acl windows-updates dstdomain "/etc/squid/lists/updates-windows"
>
> acl antivirus-updates dstdomain "/etc/squid/lists/updates-antivirus"
>
> acl localnet src fc00::/7       # RFC 4193 local private network range
>
> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
>
> acl localnet src 192.168.249.0/24    # Company-1
>
> acl localnet src 10.249.2.0/24       # Company-2
>
> acl localnet src 10.249.3.0/24       # Company-3
>
> acl localnet src 10.249.4.0/24       # Company-4
>
> acl localnet src 10.249.5.0/24       # Company-5
>

Small optimization here. You can configure the 10/8 lines as:

  acl localnet src 10.249.2.0-10.249.5.0/24

That reduces 3 IP comparisons per request.


>  
>
> acl SSL_ports port 443          # https
>
> acl SSL_ports port 3952         # CIC client
>
> acl SSL_ports port 10443        # https Cisco 5506x
>
> acl Safe_ports port 80          # http
>
> acl Safe_ports port 21          # ftp
>
> acl Safe_ports port 443         # https
>
> acl Safe_ports port 70          # gopher
>
> acl Safe_ports port 210         # wais
>
> acl Safe_ports port 1025-65535  # unregistered ports
>
> acl Safe_ports port 280         # http-mgmt
>
> acl Safe_ports port 488         # gss-http
>
> acl Safe_ports port 591         # filemaker
>
> acl Safe_ports port 777         # multiling http
>
> acl Safe_ports port 3952        # CIC client
>
> acl Safe_ports port 10443       # https Cisco 5506x

Port numbers over 1024 are already included in the "unregistered ports"
entry. You can simplify by removing these last two lines of Safe_ports.

>
> acl CONNECT method CONNECT
>
>  
>
> ## Added : Advertising Server Block List merge from YoYo.org and Host-file.net
>
> acl block-asbl dstdomain "/etc/squid/lists/block-asbl-merged-dstdomain"
>
> http_access deny block-asbl
>
>  
>
> acl google_recaptcha urlpath_regex ^\/recaptcha\/api.js
>
> http_access allow google_recaptcha
>
>  
>
> acl NO-CACHE-SITES url_regex "/etc/squid/lists/no-cache-sites"
>
> no_cache deny NO-CACHE-SITES
>
> always_direct allow NO-CACHE-SITES
>
> cache deny NO-CACHE-SITES
>

always_direct is only relevant when you are using a cache_peer. Which
you are not. So that can be removed.

"no_cache" is an old alias for "cache". So you can remove the "no_cache"
line entirely as well.

>  
>
> #
>
> http_access deny !Safe_ports
>
> http_access deny CONNECT !SSL_ports
>
> http_access allow localhost manager
>
> http_access deny manager
>
> http_access deny to_localhost
>
>  
>
> ## allow before auth so all pc's get the needed updates
>
> http_access allow windows-updates
>
> http_access allow antivirus-updates
>
>  
>
> http_access allow authenticated
>
> http_access allow localnet
>
> http_access allow localhost
>
> http_access deny all
>
>  
>
> http_port 192.168.249.222:3128 intercept connection-auth=off
>
> https_port 192.168.249.222:3129 intercept connection-auth=off ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/local/CAcert.pem options=NO_SSLv3 key=/etc/ssl/local/CAkey.pem
>
>  
>
> http_port 192.168.249.222:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/local/CAcert.pem options=NO_SSLv3 key=/etc/ssl/local/CAkey.pem
>
> sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 8MB
>
> acl step1 at_step SslBump1
>
> ssl_bump peek step1
>
> ssl_bump bump all
>
> sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
>
> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
>
> cache_mem 4096 MB
>
> coredump_dir /var/spool/squid
>
> ftp_user [hidden email]
>
>  
>
> #
>
> refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[iufp]|[ap]sf|wm[va]|dat|zip|psf) 43200 80% 129600 reload-into-ims
>
> refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[iufp]|[ap]sf|wm[va]|dat|zip|psf) 43200 80% 129600 reload-into-ims
>
> refresh_pattern -i windows.com/.*\.(cab|exe|ms[iufp]|[ap]sf|wm[va]|dat|zip|psf) 43200 80% 129600 reload-into-ims
>
> refresh_pattern -i microsoft.com.akadns.net/.*\.(cab|exe|ms[iufp]|[ap]sf|wm[va]|dat|zip|psf) 43200 80% 129600 reload-into-ims
>
> refresh_pattern -i deploy.akamaitechnologies.com/.*\.(cab|exe|ms[iufp]|[ap]sf|wm[va]|dat|zip|psf) 43200 80% 129600 reload-into-ims
>

Squid can run through testing each refresh_pattern line against objects
at several different times where processing is performance-critical.

So you can gain some speed by;
 a) manually merging the regex patterns where all the other parameters
are identical, and
 b) sorting the refresh_pattern lines by most frequently used.


>  
>
> ## todo, make this list more complete, see icap excludes
>
> refresh_pattern -i \.symantecliveupdate\.com\/.*\.(zip|7z|irn|[mx][0-9][0-9])          4320    100%    43200   reload-into-ims
>
> refresh_pattern -i .*dnl.*\.geo\.kaspersky\.(com|ru)\/.*\.(zip|avc|kdc|nhg|klz|dat|dif)        4320    100%    43200   reload-into-ims
>
> refresh_pattern -i \.kaspersky-labs\.(com|ru)\/.*\.(cab|zip|exe|ms[ip])        4320    100%    43200   reload-into-ims
>
> refresh_pattern -i \.kaspersky\.(com|ru)\/.*\.(cab|zip|exe|ms[ip]|avc) 4320    100%    43200   reload-into-ims
>
> refresh_pattern -i .update\.geo\.drweb\.com     4320    100%    43200   reload-into-ims
>
> refresh_pattern -i \.avast.com\/.*\.(vpu|vpaa)          4320    100%    43200   reload-into-ims
>
> refresh_pattern -i \.avg.com\/.*\.(bin)         4320    100%    43200   reload-into-ims
>
>  
>
> ## todo, add .deb files caching
>
> refresh_pattern ^(ht|f)tp://.*debian.*/Packages\.(bz2|gz|diff/Index)$   0       0%      0
>
> refresh_pattern ^(ht|f)tp://.*debian.*/Release(\.gpg)?$                 0       0%      0
>
> refresh_pattern ^(ht|f)tp://.*debian.*/Sources\.(bz2|gz|diff/Index)$    0       0%      0
>
> refresh_pattern ^(ht|f)tp://.*debian.*/Translation-en_GB\.bz2$          0       0%      0
>

Er. The min/max of 0 sets them to already expired _unless_
Cache-Controls exist and say otherwise. So if these lines do anything at
all it is prevent caching of those objects.

Squid-3.5 should be handling the .deb and related things properly
nowadays, so you can probably remove those lines.

>  
>
> ## The defaults as last.
>
> refresh_pattern -i \.(zip|[gb]z2?|exe|ms[ip]|cvd|cdiff|mar)$  43200   100%    129600  reload-into-ims
>
> refresh_pattern ^ftp:           1440    20%     10080
>
> refresh_pattern ^gopher:        1440    0%      1440
>
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
>
> refresh_pattern .               0       20%     4320
>
> cache_mgr [hidden email]
>
> mail_from [hidden email]
>
> visible_hostname proxy2.internal.domain.tld
>
> hostname_aliases proxy2.internal.domain.tld
>
>  
>
> httpd_suppress_version_string on
>
>  
>
> icap_enable on
>
> icap_send_client_ip on
>
> icap_send_client_username on
>
> icap_client_username_header X-Authenticated-User
>
> icap_persistent_connections on
>
> icap_preview_enable on
>
> icap_preview_size 1024
>
> icap_service service_req reqmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
>
> adaptation_access service_req allow all
>
> icap_service service_resp respmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
>
> adaptation_access service_resp allow all
>
>  
>
> dns_v4_first on
>
> maximum_object_size 4096 KB
>
> minimum_object_size 0 KB
>
> maximum_object_size_in_memory 64 KB
>
> cache_mem 256 MB
>
> quick_abort_min -1 KB
>
> fqdncache_size 4096
>
> cache_swap_low 90
>
> cache_swap_high 95

Things which are set to their default values can be removed from squid.conf.


Amos

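As an added illustration of Amos's two refresh_pattern points (merge regexes whose other parameters are identical, and order the lines by how often they are hit), here is how the five Windows Update lines and the two Kaspersky lines from the posted config could be rewritten. This is my example, not something from the thread or the Squid wiki. Squid compiles refresh_pattern regexes as POSIX extended regexes, so alternation groups are fine; note that inside a bracket expression "|" is a literal character, which is why "ms[i|u|f|p]" in the original also matched "ms|", and the classes below drop it. Putting Windows Update first assumes it is the most frequent installer download on this network, which is an assumption.

```conf
# Four host regexes with identical parameters merged into one line. The original
# microsoft.com.akadns.net entry is dropped: the patterns are unanchored, so
# "microsoft\.com" already matches it.
refresh_pattern -i (windowsupdate\.com|microsoft\.com|windows\.com|deploy\.akamaitechnologies\.com)/.*\.(cab|exe|ms[iufp]|[ap]sf|wm[va]|dat|zip|psf) 43200 80% 129600 reload-into-ims

# kaspersky.com and kaspersky-labs.com shared their parameters. Merging them
# means .avc is now also cached from kaspersky-labs, which the two separate
# lines did not do; drop "avc" from the group if that is not wanted.
refresh_pattern -i \.kaspersky(-labs)?\.(com|ru)/.*\.(cab|zip|exe|ms[ip]|avc) 4320 100% 43200 reload-into-ims

# Frequency ordering is constrained by first-match semantics: this generic
# installer/archive line has different parameters from the vendor lines above,
# so it must stay after them or it would shadow them for .zip/.exe/.cab objects.
refresh_pattern -i \.(zip|[gb]z2?|exe|ms[ip]|cvd|cdiff|mar)$ 43200 100% 129600 reload-into-ims
```

Run "squid -k parse" after the change; a broken regex (such as the stray ")" in the Translation-en_GB line of the posted config) is reported there rather than silently ignored.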