On 12/18/18 8:40 AM, Mike Quentel wrote:

> ssl_bump peek step1 all
> ssl_bump peek step2 tls_servers
> ssl_bump splice step3 tls_servers
> ssl_bump stare step2
> ssl_bump bump step3
> ssl_bump terminate step2 all

Just FYI: The above should be equivalent to the following simpler, less
misleading, and a bit faster configuration:

    ssl_bump peek step1
    ssl_bump peek tls_servers
    ssl_bump stare all
    ssl_bump splice all
    ssl_bump bump all

> attempting to access https://www.google.com will still download
> the page (200).

You have told Squid to allow that (and nearly every other) access:

> http_access allow SSL_ports

What you probably want is something like this:

    http_access deny CONNECT !SSL_ports
    http_access allow url_domains
    http_access allow tls_servers
    http_access deny all

but if you add http_port (or do not want to trust Squid with enforcing
connection pinning), then you will be better off with the default rules
that also prohibit access to !Safe_ports.

HTH,

Alex.
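The first-match behaviour behind the reply above, as an added example that is not part of the original message and is not Squid code: a simplified model of http_access evaluation run against the quoted rule and the suggested rule set. The ACL definitions (`SSL_ports` as port 443, both domain ACLs as a match on the constructed allowlist `example.com`) and the helper names are assumptions, since the thread does not show them.

```python
# Added illustration: a simplified model of Squid's http_access evaluation.
# ACL definitions are assumptions; the thread does not show them.
ALLOWED = {"example.com"}  # constructed allowlist standing in for both domain ACLs

def in_domains(host, domains):
    # dstdomain-style match: the domain itself or any subdomain
    return any(host == d or host.endswith("." + d) for d in domains)

ACLS = {
    "all": lambda r: True,
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "SSL_ports": lambda r: r["port"] == 443,
    "url_domains": lambda r: in_domains(r["host"], ALLOWED),
    "tls_servers": lambda r: in_domains(r["host"], ALLOWED),
}

PERMISSIVE = "http_access allow SSL_ports"  # the rule quoted in the thread
SUGGESTED = """
http_access deny CONNECT !SSL_ports
http_access allow url_domains
http_access allow tls_servers
http_access deny all
"""

def parse(config):
    """Return [(action, [acl, ...])] for each http_access line."""
    rules = []
    for line in config.strip().splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules

def evaluate(config, request):
    """First rule whose ACLs all match wins; '!' negates an ACL."""
    rules = parse(config)
    for action, acls in rules:
        if all(ACLS[a.lstrip("!")](request) != a.startswith("!") for a in acls):
            return action
    # No rule matched: Squid applies the opposite of the last rule's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

def req(method, host, port):
    return {"method": method, "host": host, "port": port}

if __name__ == "__main__":
    for r in (req("CONNECT", "www.google.com", 443),
              req("CONNECT", "www.example.com", 443),
              req("GET", "www.example.com", 22)):
        print(r, evaluate(PERMISSIVE, r), evaluate(SUGGESTED, r))
```

In this model the suggested rules still allow a plain GET to port 22 on an allowlisted domain, which is the case the default `!Safe_ports` rule covers once an http_port is added.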