Hello and thanks for your explanation. What kind of ACL would then match "all squid internal requests" to allow without authentication?

> For most modern Squids, this http_access policy is, IMO, incorrect
> because it blocks internally-generated requests, such as requests for
> missing intermediate certificates. Please adjust your configuration to
> allow those requests (if you want them to be allowed).

I found another site missing the intermediate in their CA bundle, the same issue:

    1541663927.195 0 - TCP_DENIED/407 3752 GET http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt - HIER_NONE/- text/html;charset=utf-8
    1541663927.195 52 172.16.5.15 NONE/200 0 CONNECT gtacknowledge.extremenetworks.com:443 xxxx HIER_DIRECT/136.146.11.219 -
    1541663927.210 0 172.16.5.15 NONE/503 5471 GET https://gtacknowledge.extremenetworks.com/favicon.ico xxxx HIER_NONE/- text/html

Just commenting out the following line does resolve the problem:

    acl Authenticated_Users proxy_auth REQUIRED
    #http_access deny !Authenticated_Users all

But I still need the requirement that users have to authenticate themselves (but exclude squid-internal requests).

So, what kind of ACL catches squid internal requests, to use as !whitelist_squid_internal_requests then? For example:

    acl Authenticated_Users proxy_auth REQUIRED
    acl whitelist_squid_internal_requests ????
    http_access deny !Authenticated_Users !whitelist_squid_internal_requests all
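To check how often this happens in a given access.log, the following added example (not part of the original post, and not Squid project code) parses native-format log lines like the ones quoted above and pairs each denied internal fetch with the client-facing 503 errors logged around the same time. It assumes, as in the post's log, that internally-generated requests appear with "-" in the client address field; the function names and the one-second window are choices made for this example.

```python
import re

# Squid native access.log fields:
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>.*)$"
)

# The first three lines are the ones quoted in the post; the last one is constructed.
SAMPLE_LOG = """\
1541663927.195 0 - TCP_DENIED/407 3752 GET http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt - HIER_NONE/- text/html;charset=utf-8
1541663927.195 52 172.16.5.15 NONE/200 0 CONNECT gtacknowledge.extremenetworks.com:443 xxxx HIER_DIRECT/136.146.11.219 -
1541663927.210 0 172.16.5.15 NONE/503 5471 GET https://gtacknowledge.extremenetworks.com/favicon.ico xxxx HIER_NONE/- text/html
1541663930.001 0 172.16.5.20 TCP_DENIED/407 4012 GET http://example.com/ - HIER_NONE/- text/html
"""

def parse(log_text):
    """Yield one dict per well-formed access.log line; skip anything else."""
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = float(rec["ts"])
            yield rec

def denied_internal_requests(records):
    """Requests with no client address ('-') that were answered with a 407."""
    return [r for r in records
            if r["client"] == "-" and r["code"] == "TCP_DENIED" and r["status"] == "407"]

def correlate(log_text, window=1.0):
    """Pair each denied internal fetch with client 503s within `window` seconds."""
    records = list(parse(log_text))
    findings = []
    for d in denied_internal_requests(records):
        broken = [r["url"] for r in records
                  if r["client"] != "-" and r["status"] == "503"
                  and abs(r["ts"] - d["ts"]) <= window]
        findings.append({"fetch": d["url"], "client_errors": broken})
    return findings

if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f["fetch"], "->", f["client_errors"])
```

The constructed fourth line is an ordinary 407 challenge to a real client, so it is not reported; only the denial with no client address is.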