On 05/15/2017 09:53 AM, Vieri wrote:
> My goal is to set up Squid so it can act as a transparent proxy for
> local clients browsing the web. It should "deny all" except traffic
> to the destination domains included in an ACL file.

> http_access deny intercepted !localnet
> http_access deny interceptedssl !localnet
> http_access deny !allowed_domains
> http_access allow localnet
...
> ssl_bump stare all
> ssl_bump bump all

> What am I doing wrong?

You are denying fake CONNECT requests during SslBump step1. During that
step, intercepted SSL connections are represented by fake CONNECT
requests with IP addresses (not domain names). Such requests will often
match your "http_access deny !allowed_domains" rule. See "Step 1"
description at http://wiki.squid-cache.org/Features/SslPeekAndSplice

What you probably want is to allow all reasonable fake CONNECT requests
during that step. There are several ways to do that, and I hope others
on the list can help you with that if you cannot figure it out. Please
do not forget to post your Squid version if you need further help (and
use the latest v3.5 or later if you are doing SslBump, regardless of
what your OS packages for you).

Some other configuration aspects are (or may be considered by some)
wrong as well, but it is best to fix one SslBump problem at a time IMHO.

> Also, would I have performance issues if the "allowed.domains" ACL
> file becomes very big over time?

Naturally, the more domains you have, the slower ACL checks become.
1000 domains is not a problem, but 1000 million domains usually is.
Define "very big" and "performance issues".

HTH,

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
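One way to apply Alex's advice, as an added illustration that is not part of the thread and not Vieri's or Alex's configuration: let the IP-only fake CONNECT through at step1, peek at the TLS ClientHello to learn the server name, and only then enforce the domain list. It assumes Squid 3.5 or later (for the at_step and ssl::server_name ACL types), a constructed local subnet, and that /etc/squid/allowed.domains holds one domain name per line.

```conf
# Added example config fragment (not from the original thread).
acl localnet src 192.168.1.0/24            # constructed example subnet
acl step1 at_step SslBump1                  # fake CONNECT carries only an IP here
acl allowed_domains dstdomain "/etc/squid/allowed.domains"
acl allowed_sni ssl::server_name "/etc/squid/allowed.domains"

# Step1: the intercepted TLS connection is a fake CONNECT to an IP
# address, so a domain-only deny would reject it before the SNI is
# known. Allow local clients' step1 requests so Squid can peek.
http_access allow localnet step1

# After peeking, the fake CONNECT and the bumped requests inside the
# tunnel can be matched by name: deny unless the destination is listed
# either as a request host or as the TLS server name (SNI).
http_access deny !localnet
http_access deny !allowed_domains !allowed_sni
http_access allow localnet
http_access deny all

# Peek at step1 to obtain the SNI from the ClientHello, then bump.
ssl_bump peek step1
ssl_bump bump all
```

Clients that send no SNI still present an IP-only fake CONNECT at step2 and are denied by the domain rule, which is the intended default-deny behaviour.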