so ive tried to simplify this to see if i can work out whats going on squid 2.6.17 on gentoo linux /etc/squid/ip_user.conf 127.0.0.1 ALL /etc/squid/squid.conf hepworth andrew # grep ^[a-z] /etc/squid/squid.conf auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 1 hours auth_param basic casesensitive off external_acl_type ip_user_helper %SRC %LOGIN /usr/libexec/squid/ip_user_check -f /etc/squid/ip_user.conf acl all src 0.0.0.0/0.0.0.0 acl hepworth external ip_user_helper http_access allow hepworth http_access deny all icp_access allow all http_port 3128 hierarchy_stoplist cgi-bin ? access_log /var/log/squid/access.log squid debug_options ALL,1 33,2 28,9 acl QUERY urlpath_regex cgi-bin \? cache deny QUERY refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern . 0 20% 4320 acl apache rep_header Server ^Apache broken_vary_encoding allow apache visible_hostname AnnesHouse forwarded_for off coredump_dir /var/cache/squid hepworth andrew # and i use a browser to get http://www.bbc.co.uk which -> cache access denied and this in cache.log 2008/03/19 21:37:16| aclCheckFast: list: 0x82a76f0 2008/03/19 21:37:16| aclMatchAclList: checking all 2008/03/19 21:37:16| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0' 2008/03/19 21:37:16| aclMatchIp: '127.0.0.1' found 2008/03/19 21:37:16| aclMatchAclList: returning 1 2008/03/19 21:37:16| aclCheck: checking 'http_access allow hepworth' 2008/03/19 21:37:16| aclMatchAclList: checking hepworth 2008/03/19 21:37:16| aclMatchAcl: checking 'acl hepworth external ip_user_helper' 2008/03/19 21:37:16| aclMatchAcl: returning 0 sending authentication challenge. 2008/03/19 21:37:16| aclMatchAclList: no match, returning 0 2008/03/19 21:37:16| aclCheck: requiring Proxy Auth header. 2008/03/19 21:37:16| aclCheck: match found, returning 2 2008/03/19 21:37:16| aclCheckCallback: answer=2 2008/03/19 21:37:16| The request GET http://www.bbc.co.uk/ is DENIED, because it matched 'hepworth' 2008/03/19 21:37:16| The reply for GET http://www.bbc.co.uk/ is ALLOWED, because it matched 'hepworth' it would appear to be authenticating the user ( ie ALL from 127.0.0.1) so where is it denying the request ?