On Tue, 16 Feb 2010 07:42:09 -0800 (PST), Carlos Lopez <the_spide21@xxxxxxxxx> wrote:
> Hi all,
>
> I'm new to squid and I was wondering if it is possible to tunnel https
> requests from authenticated users and then via script block/allow access to
> https addresses, but depending on what the result of the script is, let's say:
>
> user1 and user2
>
> user1 has access to check yahoo mail only and do internet bank
> accounting for only one specific site, so he/she may need the https port to be
> open (https and http are blocked on the firewall), but at the same time do
> some filtering, to restrict him/her from navigating to, for example, Adult sites.
>
> user2 has access only to navigate through the http port and also do some
> filtering via script (for example, block access to webchat links)
>

Yes. HTTPS traffic has access to the destination domain name and port by themselves.

If some combo of the existing ACL types does not match what you want cleanly, look at external_acl_type to call some more complicated helper script.

http://www.squid-cache.org/Doc/config/external_acl_type/

It's controlled using http_access same as any other request. Just include "CONNECT" at the start of all the HTTPS-specific rules.

Like so:

  http_access <allow or deny> CONNECT ...

For example, the default security rule:

  http_access deny CONNECT !SSL_ports ...

blocks all non-SSL ports from being accessed via the tunnel. (I'd advise placing your HTTPS rules below that one.)

Amos
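
An added example, not part of the original reply or of Squid's own code: a sketch of the kind of external_acl_type helper the reply points to, giving each authenticated user their own CONNECT allow-list. The ACL names, helper path, user names, domains and policy tables are all constructed assumptions, and %LOGIN requires proxy authentication (auth_param) to be configured already.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: per-user policy on destination host and port.

Assumed squid.conf wiring (ACL names and helper path are hypothetical):
  external_acl_type user_dst %LOGIN %METHOD %DST %PORT /usr/local/bin/user_dst.py
  acl user_dst_ok external user_dst
  http_access deny CONNECT !SSL_ports
  http_access allow user_dst_ok
  http_access deny all
"""
import sys

# Constructed sample policy: user -> domains reachable through a CONNECT tunnel.
HTTPS_ALLOWED = {
    "user1": {"mail.yahoo.com", "bank.example.com"},
    "user2": set(),  # plain HTTP only, no tunnels
}
# Constructed sample policy: domains denied to everyone over plain HTTP.
HTTP_BLOCKED = {"webchat.example.net"}


def domain_matches(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def decide(line):
    """Return 'OK' or 'ERR' for one request line sent by Squid."""
    fields = line.split()
    if len(fields) != 4:
        return "ERR"  # malformed input fails closed
    user, method, host, port = fields
    if user not in HTTPS_ALLOWED:
        return "ERR"  # unknown or unauthenticated ('-') user
    if method == "CONNECT":
        # For a tunnel only the host and port are visible, never the URL path.
        ok = port == "443" and any(domain_matches(host, d) for d in HTTPS_ALLOWED[user])
    else:
        ok = port == "80" and not any(domain_matches(host, d) for d in HTTP_BLOCKED)
    return "OK" if ok else "ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()  # Squid waits for each answer, so never buffer


if __name__ == "__main__":
    main()
```

Because the helper only ever sees the host and port of a tunnel, category filtering of HTTPS destinations has to be expressed as domain lists like the ones above.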