On 04/17/2017 10:55 AM, Shanmugam Sundaram wrote:

> The goal is to splice only whitelist (github.com) and terminate all
> other domains.

FYI: I do not know what you mean by "terminate", but if you mean "close the client-to-Squid connection _without_ serving a Squid-generated error response to the user", then your ssl_bump configuration does not reflect your intent. It is easier to terminate non-github connections than to respond with blocking error messages to non-github requests.

> acl http_whitelist dstdomain .github.com
> acl whitelist ssl::server_name .github.com
> http_access allow http_whitelist localnet
> http_access deny all
>
> acl step1 at_step SslBump1
> ssl_bump peek step1
> ssl_bump splice whitelist
> ssl_bump bump all

Your Squid probably denies the fake CONNECT request during step1 (before looking up SNI during step2). That fake CONNECT does not (and cannot) have a host name (because you intercept), so it does not match your "http_whitelist" ACL in the "http_access allow" rule quoted above, falling through to the "deny all" rule that always matches.

An access log may be used to confirm or discard the above theory. This is why I have asked you about access log records in my previous email.

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
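The following squid.conf fragment is an added illustration of the point made in the reply above; it is not from the original thread or from the Squid project, and the `localnet` subnet is an assumption. It lets the host-name-less fake CONNECT generated for intercepted TLS traffic pass the http_access check at SslBump step 1, so that Squid actually reaches step 2 and can evaluate the SNI, and it uses the `terminate` action (close the connection, no error page) rather than `bump all` for everything that is not github.com:

```conf
# Added example, not the original poster's or the Squid project's config.
acl localnet src 192.168.0.0/16        # assumption: the client subnet
acl step1 at_step SslBump1
acl whitelist ssl::server_name .github.com
acl http_whitelist dstdomain .github.com

# The fake CONNECT for an intercepted connection carries only IP:port at
# step 1, so a dstdomain ACL cannot match it there. Allow step 1 through;
# the real decision is made on the SNI via ssl_bump below.
http_access allow localnet step1
# Non-intercepted (explicit proxy) requests do carry a host name and can
# still be filtered on it.
http_access allow localnet http_whitelist
http_access deny all

ssl_bump peek step1          # read the TLS ClientHello to learn the SNI
ssl_bump splice whitelist    # github.com: tunnel the bytes untouched
ssl_bump terminate all       # anything else: close the client connection
```

To confirm that the original rule set was the problem, look in access.log for the step-1 CONNECT records: with the poster's configuration they should show up as denied entries whose URL is an IP address and port rather than a host name.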