Hi, I was wondering if it is possible to filter HTTPS URLs using squid (for example to blacklist reddit.com but allow https://www.reddit.com/r/news/)?
I thought this may be possible using ssl_bump and url_regex. I have been trying this using squid 3.5.13 but with no success. Here is the squid configuration that I have tried but doesn't seem to work (it works for http sites though):

    acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
    acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
    acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
    acl localnet src fc00::/7       # RFC 4193 local private network range
    acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

    acl SSL_ports port 443
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443         # https
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT

    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow localhost manager
    http_access deny manager

    acl whitelist-regex url_regex -i reddit.com/r/news

    http_port 3129 ssl-bump cert=/opt/squid-3.5.13/etc/squid3/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
    acl bump_sites ssl::server_name .reddit.com
    ssl_bump bump bump_sites
    ssl_bump splice !bump_sites

    http_access allow whitelist-regex
    http_access allow localhost
    http_access deny all

    coredump_dir /opt/squid-3.5.13/var/spool/squid3

    refresh_pattern ^ftp:             1440  20%  10080
    refresh_pattern ^gopher:          1440  0%   1440
    refresh_pattern -i (/cgi-bin/|\?) 0     0%   0
    refresh_pattern .                 0     20%  4320

    pinger_enable off

Relevant access.log output (IP addresses redacted to x.x.x.x):

    1455145755.589      0 x.x.x.x TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -
    1455145755.669      0 x.x.x.x TAG_NONE/403 4011 GET https://www.reddit.com/r/news - HIER_NONE/- text/html
    1455145755.782      0 x.x.x.x TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -

I don't want to whitelist the dstdomain .reddit.com (i.e. whitelist-ssldomain dstdomain .reddit.com) as that would allow access to all of the other subreddits. Appreciate any help or suggestions you have.

Thanks.
Victor
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
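The following squid.conf fragment is an added example, not part of Victor's post or of any reply on the thread. It is based on my reading of the posted log: with ssl-bump on an explicit proxy port, http_access is evaluated twice, first for the CONNECT request, whose URL is only "www.reddit.com:443" and can never match a url_regex containing a path, and then again for each decrypted request with its full https:// URL. In the posted rules nothing allows that CONNECT for a non-localhost client, so it is denied before the path filter ever sees a URL. The fix below allows the CONNECT only for the CONNECT method and only to the domain being bumped, and applies the path filter to the bumped requests. The cert path and ACL names are taken from the post; the anchored regex, the reddit_connect ACL, the at_step/peek lines and the hostname "proxy" in the comments are my additions. The localnet and Safe_ports lines from the post are unchanged and omitted here.

```conf
# Added example (not from the original post): Squid 3.5 ssl_bump with a
# per-path whitelist for one HTTPS domain.

acl SSL_ports port 443
acl CONNECT method CONNECT

# Domain to decrypt; ssl::server_name is what ssl_bump matches on.
acl bump_sites ssl::server_name .reddit.com
# Same domain as seen in the CONNECT line; used only to admit the tunnel.
acl reddit_connect dstdomain .reddit.com
# Anchored so that "reddit.com/r/news" inside a query string or a longer
# path such as /r/newsfoo does not match (assumption: POSIX extended regex).
acl whitelist-regex url_regex -i ^https://www\.reddit\.com/r/news(/|$)

acl step1 at_step SslBump1

http_port 3129 ssl-bump cert=/opt/squid-3.5.13/etc/squid3/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Look at the ClientHello first, then decide: decrypt reddit, tunnel the rest.
ssl_bump peek step1
ssl_bump bump bump_sites
ssl_bump splice all

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

# Stage 1: the CONNECT must be allowed or the TLS tunnel is never set up.
# This admits only the tunnel to reddit.com, not any particular page.
http_access allow CONNECT reddit_connect

# Stage 2: after bumping, every request inside the tunnel is checked again
# with its full https:// URL, so only /r/news passes; /r/gaming gets a 403.
http_access allow whitelist-regex
http_access allow localhost
http_access deny all

# Check from a client that trusts myCA.pem (hostname "proxy" assumed):
#   curl -sS -o /dev/null -w '%{http_code}\n' --proxy http://proxy:3129 \
#        --cacert myCA.pem https://www.reddit.com/r/news/     # expect 200
#   curl -sS -o /dev/null -w '%{http_code}\n' --proxy http://proxy:3129 \
#        --cacert myCA.pem https://www.reddit.com/r/gaming/   # expect 403
```

Two caveats. The url_regex is only applied to requests Squid has decrypted, so any domain that is spliced rather than bumped can still only be filtered by name, never by path. And because the CONNECT to reddit.com is now allowed unconditionally, a client that does not present the bumpable TLS handshake Squid expects (or that pins the real certificate) will get a tunnel and then a certificate error, not a Squid 403; the access.log entries for the bumped GETs are where the per-path decisions are recorded.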