On 7/31/19 10:44 PM, johnr wrote:
> acl CONNECT method CONNECT
> acl to_bad_ip dst 55.55.2.3
> http_access deny CONNECT to_bad_ip
>
> In the above squid config, if I were to try to go to https://55.55.2.3:443 I
> would get an ACCESS DENIED, but squid would not block the CONNECT (it would
> respond with 200) and would then block the subsequent HTTP request.

Yes, that is (currently) intentional.

> Is it possible to tell squid to block the CONNECT?

Not for connections that are subject to SslBump processing AFAIK. There is a
known need for a feature that would make such bumping-to-deliver-CONNECT-error
optional, but that feature has not been sponsored or donated yet (and its
design may require a preliminary discussion on squid-dev). If I am not
missing any workarounds, then your options are outlined at
https://wiki.squid-cache.org/SquidFaq/AboutSquid#How_to_add_a_new_Squid_feature.2C_enhance.2C_of_fix_something.3F

> I do server-first SSL bump, so if I don't block the CONNECT squid will
> reach out to the upstream server, which I don't want it to do.

Yes, that is one of the reasons why folks want to make
bumping-to-deliver-CONNECT-error optional.

> I know this would make it impossible to serve the block page
> and have the browser show an error, but I don't mind about that.

Yes, thank you for disclosing that understanding.

Alex.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
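Added example, not part of the thread or of Squid itself: a small squid.conf linter that flags http_access deny rules on a CONNECT method ACL when a bumping ssl_bump action is configured, since (as discussed above) such a deny is delivered after the bump rather than stopping the CONNECT. The sample config is constructed from the thread's snippet, and the set of actions treated as "bumping" is an assumption.

```python
"""Flag 'http_access deny' rules on CONNECT that SslBump will apply only
after bumping (i.e. after the CONNECT got its 200 and, for server-first,
after the upstream connection was opened)."""

# Constructed sample: the thread's config plus a server-first bump rule.
SAMPLE_CONF = """\
acl CONNECT method CONNECT
acl to_bad_ip dst 55.55.2.3
http_access deny CONNECT to_bad_ip
ssl_bump server-first all
"""

# Assumption: these ssl_bump actions bump the connection; 'splice', 'none'
# and 'terminate' are not counted.
BUMPING_ACTIONS = {"bump", "server-first", "client-first"}


def parse_conf(text):
    """Return (CONNECT-method ACL names, deny rules as ACL lists, bump on?)."""
    method_acls, deny_rules, bump_active = set(), [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "method" \
                and "CONNECT" in parts[3:]:
            method_acls.add(parts[1])
        elif parts[0] == "http_access" and len(parts) >= 3 and parts[1] == "deny":
            deny_rules.append(parts[2:])
        elif parts[0] == "ssl_bump" and len(parts) >= 2 \
                and parts[1] in BUMPING_ACTIONS:
            bump_active = True
    return method_acls, deny_rules, bump_active


def connect_denies_after_bump(text):
    """Deny rules that name a CONNECT ACL (non-negated) while bumping is on."""
    method_acls, deny_rules, bump_active = parse_conf(text)
    if not bump_active:
        return []
    return [rule for rule in deny_rules
            if any(acl in method_acls for acl in rule)]


if __name__ == "__main__":
    for rule in connect_denies_after_bump(SAMPLE_CONF):
        print("warning: 'http_access deny %s' is enforced after the bump, "
              "not on the CONNECT itself" % " ".join(rule))
```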