
Re: Acl.cc(26) AuthenticateAcl: authentication not applicable on intercepted requests.


Hi,

Proxy_auth is only possible in an explicit proxy setup, not in an interception setup.

The squid wiki explains why.


Jay


Sent from my BlackBerry® wireless handheld

-----Original Message-----
From: "anly.zhang" <xltxbster@xxxxxxxxx>
Date: Sat, 17 May 2014 06:39:02 
To: <squid-users@xxxxxxxxxxxxxxx>
Subject:  Acl.cc(26) AuthenticateAcl:  authentication not applicable on
 intercepted requests.
*Hi, I'm using CentOS 6.5 x86_64, Squid 3.1.10, AD (Windows Server 2008)*
squid config:
#
# Recommended minimum configuration:
#
# About LDAP Authenticator
#auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -D squid@xxxxxxx -W /etc/squid/adpw.txt -b "dc=zkbr,dc=cc" -f "sAMAccountName=%s" dc.zkbr.cc
auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "dc=zkbr,dc=cc" -D "squid@xxxxxxx" -w "pass@word1" -f sAMAccountName=%s -h 172.18.1.100
auth_param basic children 5
auth_param basic realm Your Organisation Name
auth_param basic credentialsttl 5 minutes
# FOR LDAP GROUP AUTH
external_acl_type ldap_users %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "dc=zkbr,dc=cc" -f "(&(cn=%v)(memberOf=cn=%a,cn=users,dc=zkbr,dc=cc ))" -D squid@xxxxxxx -W /etc/squid/adpw.txt dc.zkbr.cc

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.18.1.0/24 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7       # RFC 4193 local private network range
#acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl localnet proxy_auth REQUIRED src 172.18.1.0/24
acl ad_net external ldap_users net


#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow ad_net
http_access allow manager localhost
http_access deny manager
http_access deny all

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
visible_hostname iptables
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 transparent

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320


*Then I created a group "net", with username "a" in the group.
As in the squid.conf:
acl localnet proxy_auth REQUIRED src 172.18.1.0/24
acl ad_net external ldap_users net
http_access  allow ad_net.
But it didn't take effect.
I log on as user "a" on the domain client PC.
But it doesn't authenticate with squid.
*
squid.out
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4665989/squid.out>  
cache.log
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4665989/cache.log>  
access.log
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4665989/access.log>  


The cache.log:
2014/05/16 22:52:02| Closing unlinkd pipe on FD 33
2014/05/16 22:52:02| storeDirWriteCleanLogs: Starting...
2014/05/16 22:52:02|   Finished.  Wrote 0 entries.
2014/05/16 22:52:02|   Took 0.00 seconds (  0.00 entries/sec).
CPU Usage: 0.053 seconds = 0.020 user + 0.033 sys
Maximum Resident Size: 42624 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
        total space in arena:    3672 KB
        Ordinary blocks:         3571 KB      5 blks
        Small blocks:               0 KB      0 blks
        Holding blocks:          1096 KB      4 blks
        Free Small blocks:          0 KB
        Free Ordinary blocks:     100 KB
        Total in use:            4667 KB 127%
        Total free:               100 KB 3%
2014/05/16 22:52:02| Open FD UNSTARTED     7 DNS Socket IPv6
2014/05/16 22:52:02| Open FD UNSTARTED     8 DNS Socket IPv4
2014/05/16 22:52:02| Open FD UNSTARTED     9 squid_ldap_auth #1
2014/05/16 22:52:02| Open FD UNSTARTED    11 squid_ldap_auth #2
2014/05/16 22:52:02| Open FD UNSTARTED    13 squid_ldap_auth #3
2014/05/16 22:52:02| Open FD UNSTARTED    15 squid_ldap_auth #4
2014/05/16 22:52:02| Open FD UNSTARTED    17 squid_ldap_auth #5
2014/05/16 22:52:02| Open FD UNSTARTED    20 squid_ldap_group #1
2014/05/16 22:52:02| Open FD UNSTARTED    22 squid_ldap_group #2
2014/05/16 22:52:02| Open FD UNSTARTED    24 squid_ldap_group #3
2014/05/16 22:52:02| Open FD UNSTARTED    26 squid_ldap_group #4
2014/05/16 22:52:02| Open FD UNSTARTED    28 squid_ldap_group #5
2014/05/16 22:52:02| Squid Cache (Version 3.1.10): Exiting normally.
2014/05/16 22:52:03| Starting Squid Cache version 3.1.10 for x86_64-redhat-linux-gnu...
2014/05/16 22:52:03| Process ID 19882
2014/05/16 22:52:03| With 1024 file descriptors available
2014/05/16 22:52:03| Initializing IP Cache...
2014/05/16 22:52:03| DNS Socket created at [::], FD 7
2014/05/16 22:52:03| DNS Socket created at 0.0.0.0, FD 8
2014/05/16 22:52:03| Adding nameserver 172.18.1.100 from /etc/resolv.conf
2014/05/16 22:52:03| helperOpenServers: Starting 5/5 'squid_ldap_auth' processes
2014/05/16 22:52:03| helperOpenServers: Starting 5/5 'squid_ldap_group' processes
2014/05/16 22:52:03| User-Agent logging is disabled.
2014/05/16 22:52:03| Referer logging is disabled.
2014/05/16 22:52:03| Unlinkd pipe opened on FD 33
2014/05/16 22:52:03| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2014/05/16 22:52:03| Store logging disabled
2014/05/16 22:52:03| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2014/05/16 22:52:03| Target number of buckets: 1008
2014/05/16 22:52:03| Using 8192 Store buckets
2014/05/16 22:52:03| Max Mem  size: 262144 KB
2014/05/16 22:52:03| Max Swap size: 0 KB
2014/05/16 22:52:03| Using Least Load store dir selection
2014/05/16 22:52:03| Set Current Directory to /var/spool/squid
2014/05/16 22:52:03| Loaded Icons.
2014/05/16 22:52:03| Accepting  intercepted HTTP connections at 0.0.0.0:3128, FD 34.
2014/05/16 22:52:03| HTCP Disabled.
2014/05/16 22:52:03| Squid plugin modules loaded: 0
2014/05/16 22:52:03| Adaptation support is off.
2014/05/16 22:52:03| Ready to serve requests.
2014/05/16 22:52:04| storeLateRelease: released 0 objects
2014/05/16 22:52:11| Acl.cc(26) AuthenticateAcl:  authentication not applicable on intercepted requests.
2014/05/16 22:52:11| Acl.cc(26) AuthenticateAcl:  authentication not applicable on intercepted requests.
2014/05/16 22:52:13| Acl.cc(26) AuthenticateAcl:  authentication not applicable on intercepted requests.
2014/05/16 22:52:13| Acl.cc(26) AuthenticateAcl:  authentication not applicable on intercepted requests.
2014/05/16 22:52:14| Acl.cc(26) AuthenticateAcl:  authentication not applicable on intercepted requests.
2014/05/16 22:52:15| Acl.cc(26) AuthenticateAcl:  authentication not applicable on intercepted requests.
2014/05/16 22:52:19| Acl.cc(26) AuthenticateAcl:  authentication not applicable on intercepted requests.
2014/05/16 22:52:19| Acl.cc(26) AuthenticateAcl:  authentication not applicable on intercepted requests.
2014/05/16 22:52:21| Acl.cc(26) AuthenticateAcl:  authentication not applicable on intercepted requests.
2014/05/16 22:52:21| Acl.cc(26) AuthenticateAcl:  authentication not applicable on intercepted requests.
2014/05/16 22:52:22| Acl.cc(26) AuthenticateAcl:  authentication not applicable on intercepted requests.
2014/05/16 22:52:22| Acl.cc(26) AuthenticateAcl:  authentication not applicable on intercepted requests.
2014/05/16 22:52:23| Acl.cc(26) AuthenticateAcl:  authentication not applicable on intercepted requests.
2014/05/16 22:52:23| Acl.cc(26) AuthenticateAcl:  authentication not applicable on intercepted requests.
2014/05/16 22:52:24| Acl.cc(26) AuthenticateAcl:  authentication not applicable on intercepted requests.
2014/05/16 22:52:24| Acl.cc(26) AuthenticateAcl:  authentication not applicable on intercepted requests.
2014/05/16 22:52:25| Acl.cc(26) AuthenticateAcl:  authentication not applicable on intercepted requests.
2014/05/16 22:52:25| Acl.cc(26) AuthenticateAcl:  authentication not applicable on intercepted requests.
2014/05/16 22:52:25| Acl.cc(26) AuthenticateAcl:  authentication not applicable on intercepted requests.
2014/05/16 22:52:25| Acl.cc(26) AuthenticateAcl:  authentication not applicable on intercepted requests.
2014/05/16 23:03:17| Acl.cc(26) AuthenticateAcl:  authentication not applicable on intercepted requests.

*Thank you for your help!*



--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Acl-cc-26-AuthenticateAcl-authentication-not-applicable-on-intercepted-requests-tp4665989.html
Sent from the Squid - Users mailing list archive at Nabble.com.
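
The mismatch described in this thread (an interception http_port combined with ACLs that need proxy authentication) can be checked before Squid is restarted. The script below is an added example, not part of the original messages and not Squid project code; the function names audit and auth_on_intercept are hypothetical, and the sample is a constructed, trimmed copy of the configuration quoted above.

```python
import re

# Constructed sample: trimmed from the configuration quoted in the thread.
SAMPLE_CONF = """\
auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "dc=zkbr,dc=cc" -h 172.18.1.100
external_acl_type ldap_users %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "dc=zkbr,dc=cc" dc.zkbr.cc
acl localhost src 127.0.0.1/32 ::1
acl localnet proxy_auth REQUIRED src 172.18.1.0/24
acl ad_net external ldap_users net
http_access allow ad_net
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 transparent
"""

# http_port flags that put the listener in interception mode.
INTERCEPT_FLAGS = {"transparent", "intercept"}

def audit(conf_text):
    """Return (intercept_ports, auth_acls, affected_http_access_rules)."""
    login_helpers, auth_acls, ports, rules = set(), set(), [], []
    for raw in conf_text.splitlines():
        # Drop full-line and trailing comments, then tokenise on whitespace.
        tok = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].split()
        if not tok:
            continue
        if tok[0] == "external_acl_type" and "%LOGIN" in tok[2:]:
            login_helpers.add(tok[1])      # helper that needs a username
        elif tok[0] == "acl" and len(tok) >= 3:
            if tok[2] in ("proxy_auth", "proxy_auth_regex"):
                auth_acls.add(tok[1])
            elif tok[2] == "external" and len(tok) > 3 and tok[3] in login_helpers:
                auth_acls.add(tok[1])      # external ACL that triggers auth
        elif tok[0] == "http_port" and INTERCEPT_FLAGS & set(tok[2:]):
            ports.append(" ".join(tok))
        elif tok[0] == "http_access":
            rules.append(tok)
    affected = [" ".join(r) for r in rules
                if any(a.lstrip("!") in auth_acls for a in r[2:])]
    return ports, sorted(auth_acls), affected

def auth_on_intercept(conf_text):
    """True when auth-dependent rules coexist with an interception port."""
    ports, _, affected = audit(conf_text)
    return bool(ports and affected)
```

The check is file-wide: a configuration with both an explicit and an interception port is still flagged, because the auth-dependent rules cannot be satisfied for requests arriving on the interception port.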




