Thanks to Alex Rousskov's excellent explanation in http://squid-web-proxy-cache.1019090.n4.nabble.com/Cannot-configure-squid-4-6-to-splice-without-bumping-td4688482.html, I have been able to set up Squid as a transparent proxy that splices HTTPS connections.

I want to set up a whitelist. First, I tried to configure SquidGuard but I couldn't find a way to pass the servername to SquidGuard when connections were spliced. So now I'm trying to use ACLs to whitelist by hostname.

acl whitelist ssl::server_name "/etc/squid/whitelist.txt" --client-requested

But I can't get it to work. The logs appeared to indicate that URLs in the whitelist were first denied then bumped:

14/Nov/2019:08:46:25 -0800 192.168.2.43 TCP_DENIED/- 0 CONNECT 104.17.67.73:443 - HIER_NONE/- - www.headroyce.org
14/Nov/2019:08:46:25 -0800 192.168.2.43 NONE/- 3793 GET https://www.headroyce.org/ - HIER_NONE/- text/html www.headroyce.org

I think that the ACLs are trying to match a spliced connection against the IP address rather than SNI server name. Any idea what I'm doing wrong here? I'd also like to present a good error message if the outcome is denied, and never bump connections.
My config is:

acl CONNECT method CONNECT
acl whitelist ssl::server_name "/etc/squid/whitelist.txt" --client-requested
http_access allow whitelist
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/conf.d/*
http_access allow localhost
http_access deny all
http_port 3127
http_port 3128 intercept
https_port 3129 intercept ssl-bump tls-cert=/etc/squid/ssl_cert/myCA.pem tls-key=/etc/squid/ssl_cert/myCA.pem
ssl_bump peek all
ssl_bump splice all
logformat sslbump %tl %>a %Ss/%03<Hs %<st %rm %>ru %[un %Sh/%<a %mt %ssl::>sni
access_log daemon:/var/log/squid/access.log sslbump
debug_options ALL,3 28,9

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
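
To check an access.log for the pattern described in the message above, the following added example (not part of the original post, and not Squid's own code) parses lines in the posted "sslbump" logformat and lists CONNECT requests that were denied while addressed to an IP literal even though the logged SNI is on the whitelist. The whitelist contents and the function names are assumptions; the post does not show /etc/squid/whitelist.txt.

```python
import ipaddress

# Log lines copied from the post (logformat "sslbump").
SAMPLE_LOG = """\
14/Nov/2019:08:46:25 -0800 192.168.2.43 TCP_DENIED/- 0 CONNECT 104.17.67.73:443 - HIER_NONE/- - www.headroyce.org
14/Nov/2019:08:46:25 -0800 192.168.2.43 NONE/- 3793 GET https://www.headroyce.org/ - HIER_NONE/- text/html www.headroyce.org
"""

# Constructed whitelist (assumption): the real file is not shown in the post.
SAMPLE_WHITELIST = ["www.headroyce.org", ".example.org"]

# %tl expands to two whitespace-separated tokens (date and timezone offset).
FIELDS = ("date", "tz", "client", "status", "size", "method",
          "url", "user", "hier", "mime", "sni")

def parse_line(line):
    """Split one log line into named fields; return None if it does not fit."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def domain_allowed(name, whitelist):
    """dstdomain-style match: '.example.org' covers the domain and subdomains."""
    name = name.lower().rstrip(".")
    for entry in (e.lower() for e in whitelist):
        if entry.startswith("."):
            if name == entry[1:] or name.endswith(entry):
                return True
        elif name == entry:
            return True
    return False

def target_is_ip(url):
    """True when a CONNECT target such as '104.17.67.73:443' is an IP literal."""
    host = url.rsplit(":", 1)[0].strip("[]")
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def denied_despite_sni(log_text, whitelist):
    """Return (target, sni) for denied IP-addressed CONNECTs with whitelisted SNI."""
    hits = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if (rec["method"] == "CONNECT" and rec["status"].startswith("TCP_DENIED")
                and target_is_ip(rec["url"]) and rec["sni"] != "-"
                and domain_allowed(rec["sni"], whitelist)):
            hits.append((rec["url"], rec["sni"]))
    return hits

if __name__ == "__main__":
    for url, sni in denied_despite_sni(SAMPLE_LOG, SAMPLE_WHITELIST):
        print(f"denied CONNECT to {url} although SNI {sni} is whitelisted")
```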