> FYI: By placing that "all" ACL (or any other non-authentication ACL) at
> the end of your access line you are currently making Squid *not* fetch
> credentials from users.
>
> If the UA/Browser is so insecurely configured that it broadcasts user
> credentials out to the network without being asked for them your above
> config would _appear_ to work, but that insecurity is a different
> problem on its own.
>
> Amos

Oh ok I see, thanks, will change that of course.

> transaction_initiator internal
>
> Alex.

Perfect, that's the acl I was looking for, I didn't know that it exists.
So I changed my configuration and finally it now fetches the intermediate certifications before an authentication is required:

#Allow fetch intermediate certs before required authentication
acl fetched_certificate transaction_initiator certificate-fetching
cache allow fetched_certificate
cache deny all
http_access allow fetched_certificate

#Authentication is REQUIRED
acl Authenticated_Users proxy_auth REQUIRED
http_access deny !Authenticated_Users

It also does cache them, as described here:
http://lists.squid-cache.org/pipermail/squid-dev/2017-June/008800.html

Example Log:

1541752564.411      0 172.16.5.15 TCP_DENIED/407 4638 CONNECT bugs.squid-cache.org:443 - HIER_NONE/- text/html
1541752564.702      2 - TCP_MEM_HIT/200 1174 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- application/pkix-cert
1541752564.834    421 172.16.5.15 NONE/200 0 CONNECT bugs.squid-cache.org:443 xxxx HIER_DIRECT/104.130.201.120 -
1541752567.031   2180 172.16.5.15 TCP_MISS/200 3875 GET https://bugs.squid-cache.org/index.cgi xxxx HIER_DIRECT/104.130.201.120 text/html
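An added example, not part of the original post or of Squid itself: a small audit over native-format access.log lines that checks the rule order above only lets Squid-initiated fetches through without credentials. It assumes, as in the sample log, that internal transactions are logged with "-" as the client address and that the eighth field holds the user name; the fifth sample line and the function names are constructed for illustration.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "time client result status method url user")

# The four lines from the post, plus one constructed line (172.16.5.99)
# showing what a client request served without credentials would look like.
SAMPLE_LOG = """\
1541752564.411 0 172.16.5.15 TCP_DENIED/407 4638 CONNECT bugs.squid-cache.org:443 - HIER_NONE/- text/html
1541752564.702 2 - TCP_MEM_HIT/200 1174 GET http://cert.int-x3.letsencrypt.org/ - HIER_NONE/- application/pkix-cert
1541752564.834 421 172.16.5.15 NONE/200 0 CONNECT bugs.squid-cache.org:443 xxxx HIER_DIRECT/104.130.201.120 -
1541752567.031 2180 172.16.5.15 TCP_MISS/200 3875 GET https://bugs.squid-cache.org/index.cgi xxxx HIER_DIRECT/104.130.201.120 text/html
1541752570.000 15 172.16.5.99 TCP_MISS/200 512 GET http://example.com/ - HIER_DIRECT/192.0.2.10 text/html
"""

def parse_line(line):
    """Parse one native-format line; return None if it does not fit."""
    f = line.split()
    if len(f) != 10:
        return None
    result, _, status = f[3].partition("/")
    try:
        return Entry(float(f[0]), f[2], result, int(status), f[5], f[6], f[7])
    except ValueError:
        return None

def classify(e):
    if e.client == "-":
        return "internal"         # Squid-initiated, e.g. certificate-fetching
    if e.user != "-":
        return "authenticated"    # a user name was logged
    if e.status == 407:
        return "challenged"       # proxy asked the client for credentials
    return "unauthenticated"      # client was served with no user name

def audit(text):
    """Group log entries by how they relate to proxy authentication."""
    buckets = {k: [] for k in
               ("internal", "authenticated", "challenged", "unauthenticated")}
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            buckets[classify(e)].append(e)
    return buckets

if __name__ == "__main__":
    for kind, entries in audit(SAMPLE_LOG).items():
        for e in entries:
            print(f"{kind:16} {e.client:12} {e.method} {e.url}")
```

With the configuration from the post, the "unauthenticated" bucket should stay empty for real traffic; any entry there points to an http_access rule that matched before the proxy_auth ACL.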