Firstly, thanks a lot for taking the time to check my configuration and provide such detailed suggestions; I think I've followed all of them and fixed the problems you pointed out. We have a Windows domain and all those "all" directives where inherited from our old proxy server (running Squid verson 3.1.20) and were used to let domain users not receive any popups asking for credentials, while at the same time presenting those credentials requests to non-domain users; if I'm understanding your comments correctly I can safely remove them and get the same result, am I right? We were having an issue with authentication too, where domain users sometimes received a popup asking for credentials (shouldn't happen since I have only enabled kerberos auth) and would need to click "Cancel" and reload the page to resume browsing correctly; could the presence of all those "all" directives have caused that too in your opinion? The new configuration should result in this if I didn't miss/misunderstand anything (I've addedd a whitelist rule that I missed earlier): ### TESTSQUID1 ### http_port 3128 dns_v4_first on pinger_enable off netdb_filename none error_default_language it cache_mgr helpdesk@xxxxxxx acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -r -d auth_param negotiate children 150 auth_param negotiate children 150 startup=20 idle=10 auth_param negotiate keep_alive on external_acl_type ProxyUser children-max=75 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g INTERNET@TEST.LOCAL -D TEST.LOCAL -S testldap acl ProxyUser external ProxyUser http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost http_access deny manager acl destsquid dstdomain .testsquid1 .testsquid2 http_access allow destsquid acl siti_whitelist dstdomain "/etc/squid/siti_whitelist" acl AUTH proxy_auth REQUIRED http_access deny !AUTH http_access allow siti_whitelist http_access allow ProxyUser http_access deny all icap_enable on icap_send_client_ip on icap_send_client_username on icap_client_username_encode off icap_client_username_header X-Authenticated-User icap_preview_enable on icap_preview_size 1024 icap_service service_req reqmod_precache bypass=1 icap://testicap:1344/REQ-Service adaptation_access service_req allow all icap_service service_resp respmod_precache bypass=0 icap://testicap:1344/resp adaptation_access service_resp allow all coredump_dir /var/spool/squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 Getting back to the main problem, i've set "icap_enable off" and reloaded Squid, then tried again and got the same problem; since we're not using any cache parent and Squid isn't using ICAP at the moment, can I assume there's nothing else I can do and just have to ignore the problem? The thing that bugs me is that only Chrome seems to be having this particular problem... could this even be something linked to a bug or a simple behaviour difference between Chrome and IE/Firefox? Thanks again for all your patience :) -- Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users