On 8/05/2014 8:38 p.m., Rafael Akchurin wrote:
> Hi jay,
>
> If I am not mistaken dstdom_regex is matched against the *contents* of HTTP/HTTPS request - it means it first needs to be bumped. So it will never work in your case...
> You need to know not ssl bump traffic before looking into its contents - the only acl that comes to mind is "dst" - i.e. ip address of the remote server. So something like ssl_bump deny your_skype_ip_acl.
>
> But I may be mistaken, hopefully someone on the list will correct me if so.

That is correct on both points with regard to intercepted port 443 traffic.

The browser type ACL only works (sometimes) on the CONNECT requests when Skype is explicitly configured to use the proxy. In those same requests it can be used to prevent bumping.

There is possibly a third option if Skype can be explicitly configured to use the proxy through a special port number. The myportname ACL can be used to prevent bumping any traffic received in that Squid port. This avoids having to pre-know all the IPs Skype will use but is likewise more risky than allowing non-bumped access to a set of whitelisted IPs as non-Skype applications might also sneak traffic through the port.

Amos
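
The three ways of exempting Skype from bumping discussed in this thread, side by side in one squid.conf fragment. This is an added example, not configuration posted by anyone in the thread. The addresses, port numbers, certificate path and ACL names are placeholders chosen for illustration, and the last two rules are an assumed way to narrow the risk of the dedicated port.

```squidconf
# Constructed example: every address, port, path and ACL name is a placeholder.

# Intercepted port 443 traffic and the normal explicit-proxy port, both bumped.
https_port 3130 intercept ssl-bump cert=/path/to/bump-ca.pem
http_port 3128 ssl-bump cert=/path/to/bump-ca.pem
# Dedicated explicit-proxy port that Skype clients are pointed at.
http_port 3129 ssl-bump cert=/path/to/bump-ca.pem name=skype_port

# Option 1: destination IP. Usable on intercepted traffic because it needs
# nothing from inside the encrypted request. Documentation ranges stand in
# for the real Skype server addresses.
acl skype_servers dst 192.0.2.0/24 198.51.100.0/24

# Option 2: User-Agent seen on the CONNECT request. Explicit proxy only.
acl skype_agent browser -i skype

# Option 3: anything received on the dedicated port.
acl from_skype_port myportname skype_port

# "deny" = do not bump, as written in the thread. Squid 3.3/3.4 call this
# action "none", and 3.5 and later call it "splice".
ssl_bump deny skype_servers
ssl_bump deny skype_agent
ssl_bump deny from_skype_port
ssl_bump allow all

# Assumed mitigation for option 3: only known Skype hosts may use the
# unbumped port, so other applications cannot tunnel through it unnoticed.
acl skype_clients src 10.0.0.0/24
http_access deny from_skype_port !skype_clients
```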