Hi, I have spent two days googling and going through these forums and have not been able to get HTTPS filtering working. I am new to this kind of networking, so I do need a lot of help :) I have a gateway machine which is my router. On this same gateway I have squid and qlproxy installed. I want to be able to filter both HTTP and HTTPS. Only HTTP filtering works now, not HTTPS, so I am not able to make Google default to safe search. I am going to paste my configuration files, so my apologies for the long files. My squid.conf is:
acl localnet src 192.168.13.0/24 acl localnet src 127.0.0.1/8 acl wanip src 97.90.225.128 acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 8080 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access deny !Safe_ports http_access allow CONNECT SSL_ports http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access deny manager http_access deny to_localhost http_access allow localnet http_access allow wanip http_access allow localhost http_access deny all http_port 192.168.13.1:3128 http_port 192.168.13.1:3129 intercept https_port 192.168.13.1:3130 intercept ssl-bump cert=/etc/squid/myCA.pem acl qlproxy_https_exclusions dstdomain "/etc/opt/quintolabs/qlproxy/squid/https_exclusions.conf" acl qlproxy_https_targets dstdomain "/etc/opt/quintolabs/qlproxy/squid/https_targets.conf" ssl_bump none localhost ssl_bump server-first qlproxy_https_targets always_direct allow all cache_dir ufs /var/spool/squid 100 16 256 coredump_dir /var/spool/squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern .
0 20% 4320 icap_enable on icap_preview_enable on icap_preview_size 4096 icap_persistent_connections on icap_send_client_ip on icap_send_client_username on icap_client_username_header X-Client-Username icap_service qlproxy1 reqmod_precache 0 icap://127.0.0.1:1344/reqmod icap_service qlproxy2 respmod_precache 0 icap://127.0.0.1:1344/respmod adaptation_access qlproxy1 allow all adaptation_access qlproxy2 allow all
My iptables rules are:
# Generated by iptables-save v1.4.19.1 on Mon Jun 9 20:03:48 2014 *nat :PREROUTING ACCEPT [683:114416] :INPUT ACCEPT [477:31902] :OUTPUT ACCEPT [441:27340] :POSTROUTING ACCEPT [2:176] :OUTPUT_direct - [0:0] :POSTROUTING_ZONES - [0:0] :POSTROUTING_ZONES_SOURCE - [0:0] :POSTROUTING_direct - [0:0] :POST_external - [0:0] :POST_external_allow - [0:0] :POST_external_deny - [0:0] :POST_external_log - [0:0] :POST_internal - [0:0] :POST_internal_allow - [0:0] :POST_internal_deny - [0:0] :POST_internal_log - [0:0] :POST_public - [0:0] :POST_public_allow - [0:0] :POST_public_deny - [0:0] :POST_public_log - [0:0] :PREROUTING_ZONES - [0:0] :PREROUTING_ZONES_SOURCE - [0:0] :PREROUTING_direct - [0:0] :PRE_external - [0:0] :PRE_external_allow - [0:0] :PRE_external_deny - [0:0] :PRE_external_log - [0:0] :PRE_internal - [0:0] :PRE_internal_allow - [0:0] :PRE_internal_deny - [0:0] :PRE_internal_log - [0:0] :PRE_public - [0:0] :PRE_public_allow - [0:0] :PRE_public_deny - [0:0] :PRE_public_log - [0:0] -A PREROUTING -j PREROUTING_direct -A PREROUTING -j PREROUTING_ZONES_SOURCE -A PREROUTING -j PREROUTING_ZONES -A OUTPUT -j OUTPUT_direct -A POSTROUTING -j POSTROUTING_direct -A POSTROUTING -j POSTROUTING_ZONES_SOURCE -A POSTROUTING -j POSTROUTING_ZONES -A POSTROUTING_ZONES -o p6p1 -g POST_internal -A POSTROUTING_ZONES -o p2p1 -g POST_external -A POSTROUTING_ZONES -g POST_public -A POST_external -j POST_external_log -A POST_external -j POST_external_deny -A POST_external -j POST_external_allow -A POST_external_allow !
-i lo -j MASQUERADE -A POST_internal -j POST_internal_log -A POST_internal -j POST_internal_deny -A POST_internal -j POST_internal_allow -A POST_public -j POST_public_log -A POST_public -j POST_public_deny -A POST_public -j POST_public_allow -A POST_public_allow ! -i lo -j MASQUERADE -A PREROUTING_ZONES -i p6p1 -g PRE_internal -A PREROUTING_ZONES -i p2p1 -g PRE_external -A PREROUTING_ZONES -g PRE_public -A PREROUTING_direct -i p6p1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.13.1:3129 -A PREROUTING_direct -i p6p1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.13.1:3130 -A PREROUTING_direct -i p2p1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3130 -A PREROUTING_direct -i p2p1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129 -A PRE_external -j PRE_external_log -A PRE_external -j PRE_external_deny -A PRE_external -j PRE_external_allow -A PRE_external_allow -p tcp -m mark --mark 0x64 -j DNAT --to-destination 192.168.13.108:22 -A PRE_external_allow -p tcp -m mark --mark 0x65 -j DNAT --to-destination 192.168.13.107:22 -A PRE_external_allow -p tcp -m mark --mark 0x66 -j DNAT --to-destination 192.168.13.104:5000-5020 -A PRE_external_allow -p tcp -m mark --mark 0x67 -j DNAT --to-destination 192.168.13.105:22 -A PRE_external_allow -p tcp -m mark --mark 0x68 -j DNAT --to-destination 192.168.13.109:22 -A PRE_external_allow -p tcp -m mark --mark 0x69 -j DNAT --to-destination 192.168.13.104:22 -A PRE_external_allow -p tcp -m mark --mark 0x6a -j DNAT --to-destination 192.168.13.106:22 -A PRE_external_allow -p udp -m mark --mark 0x6b -j DNAT --to-destination 192.168.13.104:5000-5020 -A PRE_external_allow -p tcp -m mark --mark 0x6c -j DNAT --to-destination 192.168.13.102:22 -A PRE_internal -j PRE_internal_log -A PRE_internal -j PRE_internal_deny -A PRE_internal -j PRE_internal_allow -A PRE_public -j PRE_public_log -A PRE_public -j PRE_public_deny -A PRE_public -j PRE_public_allow COMMIT # Completed on Mon Jun 9 20:03:48 2014 # Generated by 
iptables-save v1.4.19.1 on Mon Jun 9 20:03:48 2014 *mangle :PREROUTING ACCEPT [209855:83194674] :INPUT ACCEPT [163899:49094240] :FORWARD ACCEPT [45956:34100434] :OUTPUT ACCEPT [164192:62941135] :POSTROUTING ACCEPT [210148:97041569] :FORWARD_direct - [0:0] :INPUT_direct - [0:0] :OUTPUT_direct - [0:0] :POSTROUTING_direct - [0:0] :PREROUTING_ZONES - [0:0] :PREROUTING_ZONES_SOURCE - [0:0] :PREROUTING_direct - [0:0] :PRE_external - [0:0] :PRE_external_allow - [0:0] :PRE_external_deny - [0:0] :PRE_external_log - [0:0] :PRE_internal - [0:0] :PRE_internal_allow - [0:0] :PRE_internal_deny - [0:0] :PRE_internal_log - [0:0] :PRE_public - [0:0] :PRE_public_allow - [0:0] :PRE_public_deny - [0:0] :PRE_public_log - [0:0] -A PREROUTING -j PREROUTING_direct -A PREROUTING -j PREROUTING_ZONES_SOURCE -A PREROUTING -j PREROUTING_ZONES -A INPUT -j INPUT_direct -A FORWARD -j FORWARD_direct -A OUTPUT -j OUTPUT_direct -A POSTROUTING -j POSTROUTING_direct -A PREROUTING_ZONES -i p6p1 -g PRE_internal -A PREROUTING_ZONES -i p2p1 -g PRE_external -A PREROUTING_ZONES -g PRE_public -A PRE_external -j PRE_external_log -A PRE_external -j PRE_external_deny -A PRE_external -j PRE_external_allow -A PRE_external_allow -p tcp -m tcp --dport 2082 -j MARK --set-xmark 0x64/0xffffffff -A PRE_external_allow -p tcp -m tcp --dport 2072 -j MARK --set-xmark 0x65/0xffffffff -A PRE_external_allow -p tcp -m tcp --dport 5000:5020 -j MARK --set-xmark 0x66/0xffffffff -A PRE_external_allow -p tcp -m tcp --dport 2052 -j MARK --set-xmark 0x67/0xffffffff -A PRE_external_allow -p tcp -m tcp --dport 2092 -j MARK --set-xmark 0x68/0xffffffff -A PRE_external_allow -p tcp -m tcp --dport 2042 -j MARK --set-xmark 0x69/0xffffffff -A PRE_external_allow -p tcp -m tcp --dport 2062 -j MARK --set-xmark 0x6a/0xffffffff -A PRE_external_allow -p udp -m udp --dport 5000:5020 -j MARK --set-xmark 0x6b/0xffffffff -A PRE_external_allow -p tcp -m tcp --dport 2022 -j MARK --set-xmark 0x6c/0xffffffff -A PRE_internal -j PRE_internal_log -A 
PRE_internal -j PRE_internal_deny -A PRE_internal -j PRE_internal_allow -A PRE_public -j PRE_public_log -A PRE_public -j PRE_public_deny -A PRE_public -j PRE_public_allow COMMIT # Completed on Mon Jun 9 20:03:48 2014 # Generated by iptables-save v1.4.19.1 on Mon Jun 9 20:03:48 2014 *security :INPUT ACCEPT [162157:48535784] :FORWARD ACCEPT [45956:34100434] :OUTPUT ACCEPT [164192:62941135] :FORWARD_direct - [0:0] :INPUT_direct - [0:0] :OUTPUT_direct - [0:0] -A INPUT -j INPUT_direct -A FORWARD -j FORWARD_direct -A OUTPUT -j OUTPUT_direct COMMIT # Completed on Mon Jun 9 20:03:48 2014 # Generated by iptables-save v1.4.19.1 on Mon Jun 9 20:03:48 2014 *raw :PREROUTING ACCEPT [209855:83194674] :OUTPUT ACCEPT [164192:62941135] :OUTPUT_direct - [0:0] :PREROUTING_direct - [0:0] -A PREROUTING -j PREROUTING_direct -A OUTPUT -j OUTPUT_direct COMMIT # Completed on Mon Jun 9 20:03:48 2014 # Generated by iptables-save v1.4.19.1 on Mon Jun 9 20:03:48 2014 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [164192:62941135] :FORWARD_IN_ZONES - [0:0] :FORWARD_IN_ZONES_SOURCE - [0:0] :FORWARD_OUT_ZONES - [0:0] :FORWARD_OUT_ZONES_SOURCE - [0:0] :FORWARD_direct - [0:0] :FWDI_external - [0:0] :FWDI_external_allow - [0:0] :FWDI_external_deny - [0:0] :FWDI_external_log - [0:0] :FWDI_internal - [0:0] :FWDI_internal_allow - [0:0] :FWDI_internal_deny - [0:0] :FWDI_internal_log - [0:0] :FWDI_public - [0:0] :FWDI_public_allow - [0:0] :FWDI_public_deny - [0:0] :FWDI_public_log - [0:0] :FWDO_external - [0:0] :FWDO_external_allow - [0:0] :FWDO_external_deny - [0:0] :FWDO_external_log - [0:0] :FWDO_internal - [0:0] :FWDO_internal_allow - [0:0] :FWDO_internal_deny - [0:0] :FWDO_internal_log - [0:0] :FWDO_public - [0:0] :FWDO_public_allow - [0:0] :FWDO_public_deny - [0:0] :FWDO_public_log - [0:0] :INPUT_ZONES - [0:0] :INPUT_ZONES_SOURCE - [0:0] :INPUT_direct - [0:0] :IN_external - [0:0] :IN_external_allow - [0:0] :IN_external_deny - [0:0] :IN_external_log - [0:0] :IN_internal - [0:0] 
:IN_internal_allow - [0:0] :IN_internal_deny - [0:0] :IN_internal_log - [0:0] :IN_public - [0:0] :IN_public_allow - [0:0] :IN_public_deny - [0:0] :IN_public_log - [0:0] :OUTPUT_direct - [0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -j INPUT_direct -A INPUT -j INPUT_ZONES_SOURCE -A INPUT -j INPUT_ZONES -A INPUT -p icmp -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i lo -j ACCEPT -A FORWARD -j FORWARD_direct -A FORWARD -j FORWARD_IN_ZONES_SOURCE -A FORWARD -j FORWARD_IN_ZONES -A FORWARD -j FORWARD_OUT_ZONES_SOURCE -A FORWARD -j FORWARD_OUT_ZONES -A FORWARD -p icmp -j ACCEPT -A FORWARD -j REJECT --reject-with icmp-host-prohibited -A OUTPUT -j OUTPUT_direct -A FORWARD_IN_ZONES -i p6p1 -g FWDI_internal -A FORWARD_IN_ZONES -i p2p1 -g FWDI_external -A FORWARD_IN_ZONES -g FWDI_public -A FORWARD_OUT_ZONES -o p6p1 -g FWDO_internal -A FORWARD_OUT_ZONES -o p2p1 -g FWDO_external -A FORWARD_OUT_ZONES -g FWDO_public -A FWDI_external -j FWDI_external_log -A FWDI_external -j FWDI_external_deny -A FWDI_external -j FWDI_external_allow -A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x64 -j ACCEPT -A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x65 -j ACCEPT -A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x66 -j ACCEPT -A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x67 -j ACCEPT -A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x68 -j ACCEPT -A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x69 -j ACCEPT -A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x6a -j ACCEPT -A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x6b -j ACCEPT -A FWDI_external_allow -m conntrack --ctstate NEW -m mark --mark 0x6c -j ACCEPT -A FWDI_internal -j FWDI_internal_log -A FWDI_internal -j FWDI_internal_deny -A FWDI_internal -j 
FWDI_internal_allow -A FWDI_public -j FWDI_public_log -A FWDI_public -j FWDI_public_deny -A FWDI_public -j FWDI_public_allow -A FWDO_external -j FWDO_external_log -A FWDO_external -j FWDO_external_deny -A FWDO_external -j FWDO_external_allow -A FWDO_external_allow -j ACCEPT -A FWDO_internal -j FWDO_internal_log -A FWDO_internal -j FWDO_internal_deny -A FWDO_internal -j FWDO_internal_allow -A FWDO_public -j FWDO_public_log -A FWDO_public -j FWDO_public_deny -A FWDO_public -j FWDO_public_allow -A FWDO_public_allow -j ACCEPT -A INPUT_ZONES -i p6p1 -g IN_internal -A INPUT_ZONES -i p2p1 -g IN_external -A INPUT_ZONES -g IN_public -A INPUT_direct -s 192.168.13.0/24 -p tcp -m tcp --dport 3129 -j ACCEPT -A INPUT_direct -s 192.168.13.0/24 -p tcp -m tcp --dport 3130 -j ACCEPT -A IN_external -j IN_external_log -A IN_external -j IN_external_deny -A IN_external -j IN_external_allow -A IN_external_allow -p tcp -m tcp --dport 2012 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal -j IN_internal_log -A IN_internal -j IN_internal_deny -A IN_internal -j IN_internal_allow -A IN_internal_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p tcp -m tcp --dport 5900:5903 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p udp -m udp --dport 67 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p tcp -m tcp --dport 2032 -m conntrack --ctstate NEW -j ACCEPT -A IN_internal_allow -p tcp -m tcp --dport 10000 -m conntrack 
--ctstate NEW -j ACCEPT -A IN_public -j IN_public_log -A IN_public -j IN_public_deny -A IN_public -j IN_public_allow -A IN_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT -A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT COMMIT # Completed on Mon Jun 9 20:03:48 2014 can someone please help.