Hi,

My goal is to set up Squid so it can act as a transparent proxy for local clients browsing the web. It should "deny all" except traffic to the destination domains included in an ACL file.

This is my squid config:

http_port 3129 tproxy
https_port 3130 tproxy ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/ssl/squid/proxyserver.pem
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl intercepted myportname 3129
acl interceptedssl myportname 3130
acl allowed_domains dstdomain "/usr/local/share/proxy-settings/allowed.domains"
http_access deny intercepted !localnet
http_access deny interceptedssl !localnet
http_access deny !allowed_domains
http_access allow localnet
sslcrtd_program /usr/libexec/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 16MB
sslcrtd_children 10
ssl_bump stare all
ssl_bump bump all
sslproxy_cert_error allow all
always_direct allow all

The ACL file allowed.domains contains:

.squid-cache.org
.stackexchange.com

When a client in localnet tries to access http://www.squid-cache.org, everything works fine, as expected.

However, when the same client tries to access https://stackexchange.com, the first SQUID error page says that access is denied to https://151.101.1.69/* (that's one of stackexchange's IP addresses).

How can I avoid this?

If I add 151.101.1.69 to allowed.domains I get a SQUID SSL handshake error page with https://*.stackexchange.com/* (bad write retry).

What am I doing wrong?

Also, would I have performance issues if the "allowed.domains" ACL file becomes very big over time?

Thanks,

Vieri