On 20/02/2017 8:33 p.m., Test1964 wrote:
> Hi,
>
> When I exclude some sites (like banks) with ssl_bump peek/splice that
> works well, Got a new problem that
> sites (that I exclude) can not be blocked using Url_Rewrite.
> I use Url_rewrite to block sites based on User IP and all other
> sites (not in exclude list) it working very well.
>
> How to fix it? Or this another way to block excluded sites in ssl_bump
> based on User IP?
>

Block things using an access control mechanism. That is what access controls (ACLs, http_access, deny_info) are for.

If your blocking conditions are so complex or dynamic that Squid ACLs are not able to cope; then use an external_acl_type helper to give the allow/deny result and also consider if you can simplify the access policies.

Do not use a URL routing mechanism to do 'access control' operation. Changing the destination of a message can *only* work if the relevant security is equivalent for both paths the message can take.

Re-write has the _appearance_ of working in HTTP because plain-text is built on complete trust of the proxy. HTTPS is not, it contains mechanisms to verify the honesty which is preventing your abuse of HTTP.

NP: If you were doing a proper HTTP *redirect* (with appropriate 30x status codes) it would work, but still wrong to do access control that way.

Amos
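One way to write the external_acl_type helper suggested in the reply above, as an added example that is not part of the original post and not Squid's own code. It assumes a forward proxy where %DST carries the CONNECT hostname; the policy table, helper path and ACL names are hypothetical.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: matches when a client IP may not reach a site.

Assumed squid.conf wiring (helper path and ACL names are hypothetical):
  external_acl_type ip_site_block ttl=60 %SRC %DST /usr/local/bin/ip_site_block.py
  acl blocked_for_user external ip_site_block
  http_access deny blocked_for_user
"""
import ipaddress
import sys

# Constructed sample policy: client network -> domains denied to it.
POLICY = {
    "192.0.2.0/24": {"bank.example.com"},
    "198.51.100.7/32": {"example.net"},
}
RULES = [(ipaddress.ip_network(net), doms) for net, doms in POLICY.items()]


def domain_matches(host, blocked):
    """True if host equals a blocked domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


def decide(line):
    """Map one '%SRC %DST' request line to a helper result code.

    OK  = ACL matches, so 'http_access deny' applies to this request.
    ERR = ACL does not match.
    BH  = helper could not evaluate the line (malformed input).
    """
    fields = line.split()
    if len(fields) != 2:
        return "BH"
    try:
        client = ipaddress.ip_address(fields[0])
    except ValueError:
        return "BH"
    for net, doms in RULES:
        if client in net and domain_matches(fields[1], doms):
            return "OK"
    return "ERR"


if __name__ == "__main__":
    # Squid writes one request per line and reads one result line back.
    for request in sys.stdin:
        print(decide(request), flush=True)
```

Because the decision is made in http_access on the CONNECT request, it applies to sites that ssl_bump later splices as well as to bumped ones.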