OK, further digging: if I try to connect to the standard http version of the site (http://www.domain.com) I get:

    TCP_MISS/503 4195 GET http://www.domain.com/ - FIRST_UP_PARENT/CPP text/html

And the squid 'security credentials mismatch' page in my browser. However if I try to connect to the https version, I get

    TCP_MISS/200 4689 CONNECT www.domain.com:443 - DIRECT/xxx.xxx.xxx.xx -

So it now looks like the dstdomain directive isn't being triggered on https requests.

--
steph