I've faced this problem with Squid 3.1.16, especially on YouTube when starting the video or scrolling through it. Note that it's asking you to authenticate not all the time, but sometimes, when it shouldn't: Mozilla Firefox shows a window to enter credentials for moz-proxy:3128. When entering VALID credentials, it's refusing and asking again and again. By pressing "cancel" everything works and the video loads normally.

I've tried to find the reason with a sniffer - maybe the browser was accessing a restricted URL, but I couldn't get the point.

Maybe this is an FF bug, maybe a configuration problem, Squid behavior, and other browsers are using some other methods...

sample config:

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl squid_ports port 3128 8080
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
acl internal_icons urlpath_regex -i /squid-internal-static/icons/

http_access allow localnet to_localhost squid_ports internal_icons
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost

http_port 3128
http_port 8080

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

ftp_user anonymous
ftp_telnet_protocol off
ftp_epsv off
acl FTP_ports port 21
acl FTPproto proto FTP
always_direct allow FTPproto
acl allowedftpmethod method GET
http_access deny FTPproto !allowedftpmethod
http_access deny FTPproto !FTP_ports

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=TEST
auth_param ntlm children 10
auth_param ntlm keep_alive off
auth_param negotiate program /usr/bin/negotiate_wrapper --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=TEST --kerberos /usr/lib64/squid/squid_kerb_auth -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off

external_acl_type memberof %LOGIN /usr/lib64/squid/squid_ldap_group -R -K -b "dc=TEST,dc=ge" -D squid@xxxxxxx -W /etc/squid/ldappass.txt -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,OU=Techgroups,OU=testgroups,DC=TEST,DC=ge))" -h dc.test.ge

acl auth proxy_auth REQUIRED
acl FullAccess external memberof "/etc/squid/full_access.txt"
acl testtest src 192.168.0.1
http_access deny !auth
http_access allow testtest FullAccess
http_access deny all

cache_mem 1024 MB
minimum_object_size 0 KB
maximum_object_size 8192 KB
maximum_object_size_in_memory 8192 KB

Best regards,
George Machitidze