Please bear with me because I still don't quite grasp the AND logic with ACLs. Let's consider the logic "http_access deny (if) X (and) Y (and) Z" and the following squid configuration section: [squid.conf - start] acl denied_restricted1_mimetypes_req req_mime_type -i "/usr/local/proxy-settings/denied.restricted1.mimetypes" acl denied_restricted1_mimetypes_rep rep_mime_type -i "/usr/local/proxy-settings/denied.restricted1.mimetypes" acl allowed_restricted1_domains dstdomain -i "/usr/local/proxy-settings/allowed.restricted1.domains" acl allowed_restricted1_ips dst "/usr/local/proxy-settings/allowed.restricted1.ips" http_access deny denied_restricted1_mimetypes_req !allowed_restricted1_domains !allowed_restricted1_ips http_reply_access deny denied_restricted1_mimetypes_rep !allowed_restricted1_domains !allowed_restricted1_ips http_access deny intercepted !localnet http_access allow localnet http_access deny all [squid.conf - finish] In particular: http_reply_access deny (if) denied_restricted1_mimetypes_rep (and not) allowed_restricted1_domains (and not) allowed_restricted1_ips where denied_restricted1_mimetypes_rep: matches mime type application/octet-stream allowed_restricted1_domains: matches DESTINATION domain .telegram.org allowed_restricted1_ips: matches DESTINATION IP addresses (any one of 149.154.167.91 or 149.154.165.120) So, it should translate to something like this: http_reply_access deny (if) (mime type is application/octet-stream) (and) (DESTINATION domain is NOT .telegram.org) (and) (DESTINATION IP address is NOT any of 149.154.167.91 or 149.154.165.120) Correct? If so, then I'm still struggling to understand the first message in the log: "The reply for POST http://149.154.165.120/api is DENIED, because it matched allowed_restricted1_ips" I don't think "the server's reply (application/octet-stream) should be denied" if it comes from one of 149.154.167.91 or 149.154.165.120. Anyway, I'll try out the configuration directives you suggested and see if that logic applies correctly (at least to my undertsanding ;-) ). Thanks for your valuable help, Vieri _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users