On 16/02/2017 3:38 a.m., L.P.H. van Belle wrote:
> If this one arrived in the list.
>
> This is solved, the wpad.dat was guiding me to the other proxy while my gateway was set to my new proxy.
> This happened at the policy refresh and I did not notice it.
> Sorry for the noise.
>
> But if you see anything that is incorrect, or can have a better setup, please let me know.
> I always like improvements.

"no_cache" is an alias of "cache". So you can remove the "no_cache" line from your config entirely.

> Thanks
>
> Louis
>
> > From: L.P.H. van Belle [mailto:belle@xxxxxxxxx]
> > Sent: Wednesday 15 February 2017 10:54
> > To: 'squid-users@xxxxxxxxxxxxxxx'
> > Subject: question about : NOTICE: Authentication not applicable on intercepted requests.
> >
> > Hai,
> >
> > In configuring my debian jessie with squid 3.5.24 ( with ssl enabled ) c-icap squidclamav and winbind 4.5.5 for kerberos keytab refreshing.
> >
> > Now, I'm at the point of reducing my logs and I noticed :
> > NOTICE: Authentication not applicable on intercepted requests.
> > Messages in squid/cache.log
> >
> > I know this is some misconfiguration somewhere but I'm having a hard time finding/understanding it.
> > Where and why, so if anyone can help me finding and understanding it, that would be very nice.
> >
> > I can't see my error and everything else is working fine, except I haven't tested the kerberos group acl yet.
> > So I didn't set that http_access yet.
> >
> > I'm having the following firewall rules
> >
> > # Not authenticated web traffic, redirected to squid in intercept mode.
> > -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 192.168.0.2:3128
> > -A PREROUTING -p tcp -i eth0 --dport 443 -j DNAT --to-destination 192.168.0.2:3129
> > Port 8080 is also open.
> >
> > Web traffic for PCs which are domain joined have the proxy set by GPO to hostname.domain.tld port 8080
> > Web traffic for other devices doesn't need to authenticate.
> > WPAD and DNS wpad are also set.
> >
> > Below is mostly from the updated wiki pages.
> > A big thank you to Amos, Victor and others who changed the pages, looks good.
> > I have some small changes for a pure debian based setup with samba4 as addc and winbind for the squid member server.
> >
> > This is my squid config.
> > # Created from a running squid version : 3.5.24
> > # Running os : Debian GNU/Linux 8 (jessie)
> > # Creation date: 2017-02-15
> >
> > auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy2.internal.domain.tld@xxxxxxxxxxxxxxxxxxx --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
> > auth_param negotiate children 10 startup=5 idle=5
> > auth_param negotiate keep_alive on
> > external_acl_type memberof ttl=3600 negative_ttl=3600 %LOGIN /usr/lib/squid3/ext_kerberos_ldap_group_acl -d -i -m 4 -g internet-allowed@xxxxxxxxxxxxxxxxxxx -N NTDOM@xxxxxxxxxxxxxxxxxxx -S dc1.internal.domain.tld@xxxxxxxxxxxxxxxxxxx -D INTERNAL.DOMAIN.TLD
> > acl authenticated proxy_auth REQUIRED
> >
> > acl certificates rep_mime_type -i ^application/pkix-crl$
> >
> > acl windows-updates dstdomain "/etc/squid/lists/updates-windows"
> > acl antivirus-updates dstdomain "/etc/squid/lists/updates-antivirus"
> > acl localnet src fc00::/7       # RFC 4193 local private network range
> > acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
> > acl localnet src 192.168.249.0/24 # Company-1
> > acl localnet src 10.249.2.0/24  # Company-2
> > acl localnet src 10.249.3.0/24  # Company-3
> > acl localnet src 10.249.4.0/24  # Company-4
> > acl localnet src 10.249.5.0/24  # Company-5

Small optimization here. You can configure the 10/8 lines as:
  acl localnet 10.29.2.0-10.249.5.0/24
That reduces 3 IP comparisons per request.
> > acl SSL_ports port 443        # https
> > acl SSL_ports port 3952       # CIC client
> > acl SSL_ports port 10443      # https Cisco 5506x
> > acl Safe_ports port 80        # http
> > acl Safe_ports port 21        # ftp
> > acl Safe_ports port 443       # https
> > acl Safe_ports port 70        # gopher
> > acl Safe_ports port 210       # wais
> > acl Safe_ports port 1025-65535 # unregistered ports
> > acl Safe_ports port 280       # http-mgmt
> > acl Safe_ports port 488       # gss-http
> > acl Safe_ports port 591       # filemaker
> > acl Safe_ports port 777       # multiling http
> > acl Safe_ports port 3952      # CIC client
> > acl Safe_ports port 10443     # https Cisco 5506x

Port numbers over 1024 are already included in the "unregistered ports" entry. You can simplify by removing these last two lines of Safe_ports.

> > acl CONNECT method CONNECT
> >
> > ## Added : Advertising Server Block List merge from YoYo.org and Host-file.net
> > acl block-asbl dstdomain "/etc/squid/lists/block-asbl-merged-dstdomain"
> > http_access deny block-asbl
> >
> > acl google_recaptcha urlpath_regex ^\/recaptcha\/api.js
> > http_access allow google_recaptcha
> >
> > acl NO-CACHE-SITES url_regex "/etc/squid/lists/no-cache-sites"
> > no_cache deny NO-CACHE-SITES
> > always_direct allow NO-CACHE-SITES
> > cache deny NO-CACHE-SITES

always_direct is only relevant when you are using a cache_peer. Which you are not. So that can be removed.

"no_cache" is an old alias for "cache". So you can remove the "no_cache" line entirely as well.
> > #
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost manager
> > http_access deny manager
> > http_access deny to_localhost
> >
> > ## allow before auth so all pc's get the needed updates
> > http_access allow windows-updates
> > http_access allow antivirus-updates
> >
> > http_access allow authenticated
> > http_access allow localnet
> > http_access allow localhost
> > http_access deny all
> >
> > http_port 192.168.249.222:3128 intercept connection-auth=off
> > https_port 192.168.249.222:3129 intercept connection-auth=off ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/local/CAcert.pem options=NO_SSLv3 key=/etc/ssl/local/CAkey.pem
> >
> > http_port 192.168.249.222:8080 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/ssl/local/CAcert.pem options=NO_SSLv3 key=/etc/ssl/local/CAkey.pem
> > sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 8MB
> > acl step1 at_step SslBump1
> > ssl_bump peek step1
> > ssl_bump bump all
> > sslproxy_options NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
> > sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
> > cache_mem 4096 MB
> > coredump_dir /var/spool/squid
> > ftp_user anonymousftp@xxxxxxxxxx
> >
> > #
> > refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
> > refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
> > refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
> > refresh_pattern -i microsoft.com.akadns.net/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims
> > refresh_pattern -i deploy.akamaitechnologies.com/.*\.(cab|exe|ms[i|u|f|p]|[ap]sf|wm[v|a]|dat|zip|psf) 43200 80% 129600 reload-into-ims

Squid can run through testing each refresh_pattern line against objects at several different times where processing is performance-critical. So you can gain some speed by:
 a) manually merging the regex patterns where all the other parameters are identical, and
 b) sorting the refresh_pattern lines by most frequently used.

> > ## todo, make this list more complete, see icap excludes
> > refresh_pattern -i \.symantecliveupdate\.com\/.*\.(zip|7z|irn|[m|x][0-9][0-9]) 4320 100% 43200 reload-into-ims
> > refresh_pattern -i .*dnl.*\.geo\.kaspersky\.(com|ru)\/.*\.(zip|avc|kdc|nhg|klz|d[at|if]) 4320 100% 43200 reload-into-ims
> > refresh_pattern -i \.kaspersky-labs\.(com|ru)\/.*\.(cab|zip|exe|ms[i|p]) 4320 100% 43200 reload-into-ims
> > refresh_pattern -i \.kaspersky\.(com|ru)\/.*\.(cab|zip|exe|ms[i|p]|avc) 4320 100% 43200 reload-into-ims
> > refresh_pattern -i .update\.geo\.drweb\.com 4320 100% 43200 reload-into-ims
> > refresh_pattern -i \.avast.com\/.*\.(vp[u|aa]) 4320 100% 43200 reload-into-ims
> > refresh_pattern -i \.avg.com\/.*\.(bin) 4320 100% 43200 reload-into-ims
> >
> > ## todo, add .deb files caching
> > refresh_pattern ^(ht|f)tp://.*debian.*/Packages\.(bz2|gz|diff/Index)$ 0 0% 0
> > refresh_pattern ^(ht|f)tp://.*debian.*/Release(\.gpg)?$ 0 0% 0
> > refresh_pattern ^(ht|f)tp://.*debian.*/Sources\.(bz2|gz|diff/Index)$ 0 0% 0
> > refresh_pattern ^(ht|f)tp://.*debian.*/Translation-en_GB\.bz2$ 0 0% 0

Er. The min/max of 0 sets them to already expired _unless_ Cache-Controls exist and say otherwise. So if these lines do anything at all it is to prevent caching of those objects. Squid-3.5 should be handling the .deb and related things properly nowadays, so you can probably remove those lines.

> > ## The defaults as last.
> > refresh_pattern -i \.(zip|[g|b]z2?|exe|ms[i|p]|cvd|cdiff|mar)$ 43200 100% 129600 reload-into-ims
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> > refresh_pattern . 0 20% 4320
> > cache_mgr changed2protectme@xxxxxxxxxxxxxx
> > mail_from proxy2@xxxxxxxxxxxxxxxxxxx
> > visible_hostname proxy2.internal.domain.tld
> > hostname_aliases proxy2.internal.domain.tld
> >
> > httpd_suppress_version_string on
> >
> > icap_enable on
> > icap_send_client_ip on
> > icap_send_client_username on
> > icap_client_username_header X-Authenticated-User
> > icap_persistent_connections on
> > icap_preview_enable on
> > icap_preview_size 1024
> > icap_service service_req reqmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
> > adaptation_access service_req allow all
> > icap_service service_resp respmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
> > adaptation_access service_resp allow all
> >
> > dns_v4_first on
> > maximum_object_size 4096 KB
> > minimum_object_size 0 KB
> > maximum_object_size_in_memory 64 KB
> > cache_mem 256 MB
> > quick_abort_min -1 KB
> > fqdncache_size 4096
> > cache_swap_low 90
> > cache_swap_high 95

Things which are set to their default values can be removed from squid.conf.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
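The two refresh_pattern points in Amos's reply (first match wins, so pattern order matters; and a `0 0% 0` rule leaves an object already expired unless the origin's Cache-Control says otherwise) can be checked with a small model. The code below is an added example, not code from the thread or from Squid itself: it implements the decision list printed in squid.conf.documented for refresh_pattern (explicit expiry, then max, then lm-factor, then min) and ignores options such as override-expire, reload-into-ims and ignore-reload; the URLs, timestamps and the subset of patterns are constructed for the demonstration, with the `ms[i|u|f|p]` style character classes written as `ms[iufp]`.

```python
"""Model of Squid's refresh_pattern freshness decision (added example, not Squid code).

Decision list from squid.conf.documented, per stored object:
    FRESH if expire > now, else STALE
    STALE if age > max
    FRESH if lm-factor < percent, else STALE
    FRESH if age < min
    else STALE
where age = now - Date and lm-factor = age / (Date - Last-Modified).
Squid's refresh.cc has further options and edge cases not modelled here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MINUTE = 60
DAY = 86400


@dataclass
class RefreshPattern:
    """One refresh_pattern line: [-i] regex min percent max (min/max in minutes)."""
    regex: str
    min_minutes: int
    percent: int
    max_minutes: int
    ignore_case: bool = False

    def matches(self, url: str) -> bool:
        flags = re.IGNORECASE if self.ignore_case else 0
        return re.search(self.regex, url, flags) is not None


@dataclass
class CachedResponse:
    """Header values Squid keeps for a stored object (unix timestamps / seconds)."""
    url: str
    date: int                        # Date: header
    last_modified: Optional[int] = None
    max_age: Optional[int] = None    # Cache-Control: max-age, seconds
    expires: Optional[int] = None    # Expires: header

    def explicit_expiry(self) -> Optional[int]:
        # Cache-Control: max-age takes precedence over Expires (RFC 7234 4.2.1).
        if self.max_age is not None:
            return self.date + self.max_age
        return self.expires


def select_pattern(patterns: List[RefreshPattern], url: str) -> Optional[RefreshPattern]:
    """Squid uses the first refresh_pattern whose regex matches the URL."""
    for p in patterns:
        if p.matches(url):
            return p
    return None


def freshness(resp: CachedResponse, rule: RefreshPattern, now: int) -> Tuple[bool, str]:
    """Return (is_fresh, deciding rule) for one stored response under one pattern."""
    age = now - resp.date
    expiry = resp.explicit_expiry()
    if expiry is not None:           # origin's explicit expiry always wins
        return (expiry > now, "expires")
    if age > rule.max_minutes * MINUTE:
        return (False, "max")
    if resp.last_modified is not None and resp.date > resp.last_modified:
        lm_factor = 100.0 * age / (resp.date - resp.last_modified)
        return (lm_factor < rule.percent, "lm-factor")
    if age < rule.min_minutes * MINUTE:
        return (True, "min")
    return (False, "default")


def is_fresh(patterns: List[RefreshPattern], resp: CachedResponse, now: int) -> bool:
    rule = select_pattern(patterns, resp.url)
    return False if rule is None else freshness(resp, rule, now)[0]


# Constructed subset of the posted squid.conf, in the same order as posted.
PATTERNS = [
    RefreshPattern(r"windowsupdate\.com/.*\.(cab|exe|ms[iufp]|[ap]sf|wm[va]|dat|zip|psf)",
                   43200, 80, 129600, ignore_case=True),
    RefreshPattern(r"^(ht|f)tp://.*debian.*/Packages\.(bz2|gz|diff/Index)$", 0, 0, 0),
    RefreshPattern(r"(/cgi-bin/|\?)", 0, 0, 0, ignore_case=True),
    RefreshPattern(r".", 0, 20, 4320),
]

NOW = 1_700_000_000  # constructed "current time"


def demo() -> dict:
    """Constructed objects; returns name -> is_fresh for each."""
    packages = CachedResponse("http://ftp.debian.org/debian/dists/jessie/main/binary-amd64/Packages.gz",
                              date=NOW - 10, last_modified=NOW - DAY)
    packages_maxage = CachedResponse(packages.url, date=NOW - 300, last_modified=NOW - DAY, max_age=600)
    cab_young = CachedResponse("http://download.windowsupdate.com/d/x.cab",
                               date=NOW - DAY, last_modified=NOW - 101 * DAY)
    cab_old = CachedResponse(cab_young.url, date=NOW - 100 * DAY, last_modified=NOW - 200 * DAY)
    query = CachedResponse("http://example.com/search?q=squid", date=NOW - 1)
    return {
        "packages": is_fresh(PATTERNS, packages, NOW),              # 0 0% 0, no Cache-Control: stale
        "packages_maxage": is_fresh(PATTERNS, packages_maxage, NOW),  # max-age=600 overrides: fresh
        "cab_young": is_fresh(PATTERNS, cab_young, NOW),            # 1 day old, lm-factor 1% < 80%
        "cab_old": is_fresh(PATTERNS, cab_old, NOW),                # 100 days > max of 90 days
        "query": is_fresh(PATTERNS, query, NOW),                    # "?" rule, 0 0% 0
    }
```

`demo()` returns fresh only for the max-age case and the young .cab; the Packages.gz object is stale after ten seconds because the `0 0% 0` rule's max is already exceeded, which is exactly why those lines only ever prevent caching.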