On 8/11/18 9:32 PM, info@xxxxxxxxxxxx wrote:
> Hello and thanks for your explanation.
> What kind of ACL would then match "all squid internal requests" to allow without authentication?
>
>> For most modern Squids, this http_access policy is, IMO, incorrect
>> because it blocks internally-generated requests, such as requests for
>> missing intermediate certificates. Please adjust your configuration to
>> allow those requests (if you want them to be allowed).
>
> I found another Site missing the Intermediate in their cabundle, the same issue:
>
> 1541663927.195 0 - TCP_DENIED/407 3752 GET
> http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt - HIER_NONE/-
> text/html;charset=utf-8
> 1541663927.195 52 172.16.5.15 NONE/200 0 CONNECT gtacknowledge.extremenetworks.com:443 xxxx
> HIER_DIRECT/136.146.11.219 -
> 1541663927.210 0 172.16.5.15 NONE/503 5471 GET
> https://gtacknowledge.extremenetworks.com/favicon.ico xxxx HIER_NONE/- text/html
>
> Just commenting out the following line does resolve the problem
>
> acl Authenticated_Users proxy_auth REQUIRED
> #http_access deny !Authenticated_Users all
>
> but I still need the requirement that users have to auth themselves

FYI: By placing that "all" ACL (or any other non-authentication ACL) at
the end of your access line you are currently making Squid *not* fetch
credentials from users.

If the UA/Browser is so insecurely configured that it broadcasts user
credentials out to the network without being asked for them, your above
config would _appear_ to work, but that insecurity is a different
problem on its own.

Amos