I have enabled debugging and found something quite strange.

In order to better debug I have limited the whitelist to two domains, one HTTP and one with HTTPS:

acl whitelist ssl::server_name .ubuntu.com .sundkat.dk

When I go to http://www.sundkat.dk, which is an HTTP domain, I get the following:

2018/05/14 02:42:49.859 kid1| 85,2| src/client_side_request.cc(745) clientAccessCheckDone: The request GET http://www.sundkat.dk/ is ALLOWED; last ACL checked: whitelist

But when I go to https://www.ubuntu.com, I get the following:

2018/05/14 02:43:44.262 kid1| 85,2| src/client_side_request.cc(745) clientAccessCheckDone: The request CONNECT 91.189.89.103:443 is DENIED; last ACL checked: all

It's like when the traffic is HTTP the whitelist is working, but when the traffic is HTTPS the whitelist isn't working. But this is ONLY for the "windows_boxes", for everything else it's working as it should.

I don't understand what's going on here.

I am re-posting my entire squid.conf here again just to keep things complete:

<SNIP>
debug_options ALL,2
max_filedesc 4096

acl step1 at_step SslBump1
acl localnet src 192.168.1.2-192.168.1.200

# These boxes may ONLY access the whitelist.
acl windows_boxes src 192.168.1.201 192.168.1.202
acl whitelist ssl::server_name .ubuntu.com .sundkat.dk

# We don't want these to be cached.
store_miss deny whitelist

# Don't let SquidGuard do anything with the whitelisted domains.
url_rewrite_access deny whitelist

# We only redirect HTTP and HTTPS.
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# THIS ISN'T WORKING!!!
http_access allow windows_boxes whitelist

http_access allow localhost
http_access allow localnet
http_access deny all

# We'll intercept traffic using PF from clan.
http_port 127.0.0.1:3129 intercept
https_port 127.0.0.1:3130 intercept ssl-bump cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslproxy_cafile /usr/local/openssl/cabundle.file

# Become a TCP tunnel without decrypting proxied traffic for the whitelist.
ssl_bump splice whitelist
ssl_bump peek step1
ssl_bump bump all

# We want the query strings as well.
strip_query_terms off

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

redirect_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf
</SNIP>

Kind regards.
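An added example, not part of the original post: a Python parser for the clientAccessCheckDone debug lines quoted above. For each access check it reports whether the request target is a hostname or an IP literal and whether a leading-dot entry from the whitelist could match it. The log text is the two lines from the post; the function names and the simplified suffix-matching rule are assumptions of this example, not Squid's own code.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Sample input: the two debug lines quoted in the post, embedded to run offline.
SAMPLE_LOG = """\
2018/05/14 02:42:49.859 kid1| 85,2| src/client_side_request.cc(745) clientAccessCheckDone: The request GET http://www.sundkat.dk/ is ALLOWED; last ACL checked: whitelist
2018/05/14 02:43:44.262 kid1| 85,2| src/client_side_request.cc(745) clientAccessCheckDone: The request CONNECT 91.189.89.103:443 is DENIED; last ACL checked: all
"""
# Domain entries from the post's "acl whitelist ssl::server_name" line.
WHITELIST = [".ubuntu.com", ".sundkat.dk"]

CHECK_RE = re.compile(
    r"clientAccessCheckDone: The request (?P<method>\S+) (?P<target>\S+) "
    r"is (?P<verdict>ALLOWED|DENIED); last ACL checked: (?P<acl>\S+)"
)

def target_host(method, target):
    """Host of the request target: authority form for CONNECT, URL otherwise."""
    url = "//" + target if method == "CONNECT" else target
    return urlsplit(url).hostname or ""

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def suffix_match(host, entries):
    """Simplified leading-dot rule (assumption): '.a.b' matches 'a.b' and '*.a.b'."""
    host = host.lower().rstrip(".")
    for entry in entries:
        bare = entry.lower().lstrip(".")
        if host == bare or (entry.startswith(".") and host.endswith("." + bare)):
            return True
    return False

def analyse(log, whitelist=WHITELIST):
    """Return one dict per access-check line found in the debug log."""
    rows = []
    for m in CHECK_RE.finditer(log):
        host = target_host(m["method"], m["target"])
        rows.append({
            "method": m["method"], "host": host, "verdict": m["verdict"],
            "last_acl": m["acl"], "ip_literal": is_ip_literal(host),
            "name_could_match": suffix_match(host, whitelist),
        })
    return rows
```

Calling analyse(SAMPLE_LOG) shows that the denied CONNECT carries the literal address 91.189.89.103 as its target, so a comparison of that string against the .ubuntu.com entry cannot succeed at that check.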