Re: [squid-users] Acl.cc(26) AuthenticateAcl: authentication not applicable on intercepted requests.

From: <jay_at_integralvox.com>
Date: Sat, 17 May 2014 14:53:26 +0000


Hi,

Proxy_auth is only possible on an explicit proxy setup, not on an interception setup.

The Squid wiki explains why.


Jay



-----Original Message-----
From: "anly.zhang" <xltxbster_at_gmail.com>
Date: Sat, 17 May 2014 06:39:02
To: <squid-users_at_squid-cache.org>
Subject: [squid-users] Acl.cc(26) AuthenticateAcl: authentication not applicable on intercepted requests.
*Hi, I'm using CentOS 6.5 x86_64, Squid 3.1.10, AD: Windows Server 2008*
squid config:
#
# Recommended minimum configuration:
#
# About LDAP Authenticator
#auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -D squid_at_zkbr.cc -W /etc/squid/adpw.txt -b "dc=zkbr,dc=cc" -f "sAMAccountName=%s" dc.zkbr.cc
auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "dc=zkbr,dc=cc" -D "squid_at_zkbr.cc" -w "pass_at_word1" -f sAMAccountName=%s -h 172.18.1.100
auth_param basic children 5
auth_param basic realm Your Organisation Name
auth_param basic credentialsttl 5 minutes
# FOR LDAP GROUP AUTH
external_acl_type ldap_users %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "dc=zkbr,dc=cc" -f "(&(cn=%v)(memberOf=cn=%a,cn=users,dc=zkbr,dc=cc ))" -D squid_at_zkbr.cc -W /etc/squid/adpw.txt dc.zkbr.cc

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
#acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
#acl localnet src 172.18.1.0/24 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#acl localnet src fc00::/7 # RFC 4193 local private network range
#acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl localnet proxy_auth REQUIRED src 172.18.1.0/24
acl ad_net external ldap_users net


#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow ad_net
http_access allow manager localhost
http_access deny manager
http_access deny all

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
visible_hostname iptables
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 transparent

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320


*Then I created a group "net", with username "a" in the group.
As in squid.conf:
acl localnet proxy_auth REQUIRED src 172.18.1.0/24
acl ad_net external ldap_users net
http_access allow ad_net
But it didn't take effect.
I log on as user "a" on the domain client PC.
But it doesn't authenticate with Squid.
*
squid.out
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4665989/squid.out>
cache.log
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4665989/cache.log>
access.log
<http://squid-web-proxy-cache.1019090.n4.nabble.com/file/n4665989/access.log>


The cache.log:
2014/05/16 22:52:02| Closing unlinkd pipe on FD 33
2014/05/16 22:52:02| storeDirWriteCleanLogs: Starting...
2014/05/16 22:52:02| Finished. Wrote 0 entries.
2014/05/16 22:52:02| Took 0.00 seconds ( 0.00 entries/sec).
CPU Usage: 0.053 seconds = 0.020 user + 0.033 sys
Maximum Resident Size: 42624 KB
Page faults with physical i/o: 0
Memory usage for squid via mallinfo():
        total space in arena: 3672 KB
        Ordinary blocks: 3571 KB 5 blks
        Small blocks: 0 KB 0 blks
        Holding blocks: 1096 KB 4 blks
        Free Small blocks: 0 KB
        Free Ordinary blocks: 100 KB
        Total in use: 4667 KB 127%
        Total free: 100 KB 3%
2014/05/16 22:52:02| Open FD UNSTARTED 7 DNS Socket IPv6
2014/05/16 22:52:02| Open FD UNSTARTED 8 DNS Socket IPv4
2014/05/16 22:52:02| Open FD UNSTARTED 9 squid_ldap_auth #1
2014/05/16 22:52:02| Open FD UNSTARTED 11 squid_ldap_auth #2
2014/05/16 22:52:02| Open FD UNSTARTED 13 squid_ldap_auth #3
2014/05/16 22:52:02| Open FD UNSTARTED 15 squid_ldap_auth #4
2014/05/16 22:52:02| Open FD UNSTARTED 17 squid_ldap_auth #5
2014/05/16 22:52:02| Open FD UNSTARTED 20 squid_ldap_group #1
2014/05/16 22:52:02| Open FD UNSTARTED 22 squid_ldap_group #2
2014/05/16 22:52:02| Open FD UNSTARTED 24 squid_ldap_group #3
2014/05/16 22:52:02| Open FD UNSTARTED 26 squid_ldap_group #4
2014/05/16 22:52:02| Open FD UNSTARTED 28 squid_ldap_group #5
2014/05/16 22:52:02| Squid Cache (Version 3.1.10): Exiting normally.
2014/05/16 22:52:03| Starting Squid Cache version 3.1.10 for x86_64-redhat-linux-gnu...
2014/05/16 22:52:03| Process ID 19882
2014/05/16 22:52:03| With 1024 file descriptors available
2014/05/16 22:52:03| Initializing IP Cache...
2014/05/16 22:52:03| DNS Socket created at [::], FD 7
2014/05/16 22:52:03| DNS Socket created at 0.0.0.0, FD 8
2014/05/16 22:52:03| Adding nameserver 172.18.1.100 from /etc/resolv.conf
2014/05/16 22:52:03| helperOpenServers: Starting 5/5 'squid_ldap_auth' processes
2014/05/16 22:52:03| helperOpenServers: Starting 5/5 'squid_ldap_group' processes
2014/05/16 22:52:03| User-Agent logging is disabled.
2014/05/16 22:52:03| Referer logging is disabled.
2014/05/16 22:52:03| Unlinkd pipe opened on FD 33
2014/05/16 22:52:03| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2014/05/16 22:52:03| Store logging disabled
2014/05/16 22:52:03| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2014/05/16 22:52:03| Target number of buckets: 1008
2014/05/16 22:52:03| Using 8192 Store buckets
2014/05/16 22:52:03| Max Mem size: 262144 KB
2014/05/16 22:52:03| Max Swap size: 0 KB
2014/05/16 22:52:03| Using Least Load store dir selection
2014/05/16 22:52:03| Set Current Directory to /var/spool/squid
2014/05/16 22:52:03| Loaded Icons.
2014/05/16 22:52:03| Accepting intercepted HTTP connections at 0.0.0.0:3128, FD 34.
2014/05/16 22:52:03| HTCP Disabled.
2014/05/16 22:52:03| Squid plugin modules loaded: 0
2014/05/16 22:52:03| Adaptation support is off.
2014/05/16 22:52:03| Ready to serve requests.
2014/05/16 22:52:04| storeLateRelease: released 0 objects
2014/05/16 22:52:11| Acl.cc(26) AuthenticateAcl: authentication not applicable on intercepted requests.
2014/05/16 22:52:11| Acl.cc(26) AuthenticateAcl: authentication not applicable on intercepted requests.
2014/05/16 22:52:13| Acl.cc(26) AuthenticateAcl: authentication not applicable on intercepted requests.
2014/05/16 22:52:13| Acl.cc(26) AuthenticateAcl: authentication not applicable on intercepted requests.
2014/05/16 22:52:14| Acl.cc(26) AuthenticateAcl: authentication not applicable on intercepted requests.
2014/05/16 22:52:15| Acl.cc(26) AuthenticateAcl: authentication not applicable on intercepted requests.
2014/05/16 22:52:19| Acl.cc(26) AuthenticateAcl: authentication not applicable on intercepted requests.
2014/05/16 22:52:19| Acl.cc(26) AuthenticateAcl: authentication not applicable on intercepted requests.
2014/05/16 22:52:21| Acl.cc(26) AuthenticateAcl: authentication not applicable on intercepted requests.
2014/05/16 22:52:21| Acl.cc(26) AuthenticateAcl: authentication not applicable on intercepted requests.
2014/05/16 22:52:22| Acl.cc(26) AuthenticateAcl: authentication not applicable on intercepted requests.
2014/05/16 22:52:22| Acl.cc(26) AuthenticateAcl: authentication not applicable on intercepted requests.
2014/05/16 22:52:23| Acl.cc(26) AuthenticateAcl: authentication not applicable on intercepted requests.
2014/05/16 22:52:23| Acl.cc(26) AuthenticateAcl: authentication not applicable on intercepted requests.
2014/05/16 22:52:24| Acl.cc(26) AuthenticateAcl: authentication not applicable on intercepted requests.
2014/05/16 22:52:24| Acl.cc(26) AuthenticateAcl: authentication not applicable on intercepted requests.
2014/05/16 22:52:25| Acl.cc(26) AuthenticateAcl: authentication not applicable on intercepted requests.
2014/05/16 22:52:25| Acl.cc(26) AuthenticateAcl: authentication not applicable on intercepted requests.
2014/05/16 22:52:25| Acl.cc(26) AuthenticateAcl: authentication not applicable on intercepted requests.
2014/05/16 22:52:25| Acl.cc(26) AuthenticateAcl: authentication not applicable on intercepted requests.
2014/05/16 23:03:17| Acl.cc(26) AuthenticateAcl: authentication not applicable on intercepted requests.

*Thank you for help!*



Received on Sat May 17 2014 - 14:53:39 MDT
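
Added example, not part of the original thread and not Squid project code: a small squid.conf check for the mismatch described in the reply above, where http_access rules depend on a login (proxy_auth, or an external ACL fed %LOGIN) while http_port is intercepting. The function names are hypothetical, and the sample config is constructed, condensed from the posted one with placeholder LDAP values.

```python
INTERCEPT_FLAGS = {"transparent", "intercept", "tproxy"}
AUTH_ACL_TYPES = {"proxy_auth", "proxy_auth_regex"}
# Constructed sample: condensed from the posted config, placeholder LDAP values.
SAMPLE = """\
auth_param basic program /usr/lib64/squid/squid_ldap_auth -b "dc=example,dc=test"
external_acl_type ldap_users %LOGIN /usr/lib64/squid/squid_ldap_group -b "dc=example,dc=test"
acl localnet proxy_auth REQUIRED
acl ad_net external ldap_users net
http_access allow ad_net
http_access allow localnet
http_access deny all
http_port 3128 transparent
"""

def audit(conf_text):
    """Return (intercepted_ports, explicit_ports, auth_rules) for squid.conf text."""
    intercepted, explicit, auth_rules = [], [], []
    login_helpers, auth_acls = set(), set()
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(tok) < 2:
            continue
        if tok[0] == "http_port":
            (intercepted if INTERCEPT_FLAGS & set(tok[2:]) else explicit).append(tok[1])
        elif tok[0] == "external_acl_type" and "%LOGIN" in tok[2:]:
            login_helpers.add(tok[1])        # helper is fed the authenticated user name
        elif tok[0] == "acl" and len(tok) > 3:
            is_ext = tok[2] == "external" and tok[3] in login_helpers
            if tok[2] in AUTH_ACL_TYPES or is_ext:
                auth_acls.add(tok[1])        # evaluating this ACL requires a login
        elif tok[0] == "http_access":
            used = sorted({t.lstrip("!") for t in tok[2:]} & auth_acls)
            if used:
                auth_rules.append((" ".join(tok), used))
    return intercepted, explicit, auth_rules

def findings(conf_text):
    """List the rules that cannot authenticate because the port intercepts."""
    intercepted, explicit, auth_rules = audit(conf_text)
    if not intercepted:
        return []
    out = [f"{rule}: needs login for {', '.join(acls)}, but http_port "
           f"{', '.join(intercepted)} intercepts" for rule, acls in auth_rules]
    if out and not explicit:
        out.append("no explicit http_port is defined for authenticated clients")
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)) or "no conflict found")
```

On the sample it reports both login-dependent http_access rules plus the missing explicit port, which matches the repeated AuthenticateAcl line in the posted cache.log.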
