On 05/26/2017 09:44 AM, Vieri wrote:
> I know that in TLS traffic there are only IP addresses

This is a gross exaggeration. The reality is much more nuanced.

> I added mail.google.com to a custom file named "denied.domains" and loaded as denied_domains ACL in Squid.
> [...]
> acl denied_domains dstdomain "/usr/local/share/proxy-settings/denied.domains"
> http_access deny denied_domains !allowed_groups !allowed_ips
> http_access deny CONNECT denied_domains !allowed_groups !allowed_ips
> [...]
> reply_header_access Alternate-Protocol deny all
> acl AllowTroublesome ssl::server_name .google.com .gmail.com
> acl DenyTroublesome ssl::server_name mail.google.com
> http_access deny DenyTroublesome
> ssl_bump peek all
> ssl_bump splice AllowTroublesome
> ssl_bump bump all
>
> First of all, I was expecting that if a client tried to open
> https://mail.google.com, the connection would be blocked by Squid
> (DenyTroublesome ACL). It isn't. Why?

If a transaction is not blocked, then you have an http_access rule that allows it. You need to figure out which rule does that. You can figure that out by studying debugging logs, adding/logging annotate_transaction ACLs, and/or altering http_access rules.

> Second, I am unable to scan content since Squid is splicing all
> Google traffic.

You told Squid to bump nothing because nothing can be bumped after "ssl_bump peek all". You may want to study the following wiki page, including definitions of actions such as "peek" and examples.

http://wiki.squid-cache.org/Features/SslPeekAndSplice

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
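The step-aware form of the rules Alex's reply points at, as an added example that is neither Vieri's nor Alex's configuration: the posted rules are shown beside a rewrite that peeks only at the first SslBump step and then splices, bumps or terminates by server name. It assumes a Squid 3.5 or later build with SslBump and an http(s)_port already configured for ssl-bump (not shown).

```conf
# Added example, not from the thread. Assumes Squid 3.5+ with SslBump
# and an http_port/https_port with ssl-bump configured elsewhere.

# --- As posted: "peek all" is matched at every SslBump step --------
# acl AllowTroublesome ssl::server_name .google.com .gmail.com
# acl DenyTroublesome  ssl::server_name mail.google.com
# ssl_bump peek all
# ssl_bump splice AllowTroublesome
# ssl_bump bump all
#
# ssl_bump rules are re-evaluated at each step and the first match
# wins. "peek all" therefore matches at step 1 and again at step 2,
# and a connection whose server handshake was peeked at step 2 can
# in general no longer be bumped, so "bump all" never takes effect.

# --- Step-aware rewrite --------------------------------------------
acl step1 at_step SslBump1
acl step2 at_step SslBump2

acl AllowTroublesome ssl::server_name .google.com .gmail.com
acl DenyTroublesome  ssl::server_name mail.google.com

# Step 1: only the CONNECT (or intercepted TCP) details are known.
# Peek here so the client Hello, and with it the SNI, is read first.
ssl_bump peek step1

# Step 2: the SNI is now available, so decide by server name.
# Close the blocked host at the TLS layer rather than relying on the
# order of the http_access rules alone.
ssl_bump terminate DenyTroublesome
# Hosts that must stay end-to-end encrypted are spliced ...
ssl_bump splice AllowTroublesome
# ... and everything else is bumped so the content can be scanned.
ssl_bump bump all
```

Which http_access rule still lets mail.google.com through is a separate question; as the reply says, it has to be found by debugging or by annotate_transaction rather than by changing the ssl_bump rules.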