[squid-users] Blocking Chrome and QUIC

Luis Miguel Silva luismiguelferreirasilva at gmail.com
Sun Feb 8 06:38:40 UTC 2015


FYI, I finally solved my problem!

It turns out the problem was with PRE-ESTABLISHED connections...

In other words, when I turned on my transparent rules, any Chrome tabs I
had opened BEFORE turning on my transparent proxy rules apparently would
communicate over a previously opened socket! So the filtering rules would
only apply after the port was closed OR after I reopened the browser.

In order to solve it, I simply had to add a FORWARD drop rule for any
established connections:
# drop forwarded HTTP/HTTPS flows that were already established before the redirect rules took effect
iptables -A FORWARD -p tcp -m tcp --dport 80 -m state --state RELATED,ESTABLISHED -j DROP
iptables -A FORWARD -p tcp -m tcp --dport 443 -m state --state RELATED,ESTABLISHED -j DROP

Hope this will be helpful to someone else!
Luis



On Sat, Feb 7, 2015 at 8:28 PM, Luis Miguel Silva <
luismiguelferreirasilva at gmail.com> wrote:

> Ok, I'm using 3.4.9, so I've added that config option to my setup :o)
>
> Thanks for the tip!
> Luis
>
> On Sat, Feb 7, 2015 at 6:11 PM, Amos Jeffries <squid3 at treenet.co.nz>
> wrote:
>
>> On 8/02/2015 5:34 a.m., Luis Miguel Silva wrote:
>> > I did when you sent it but it seemed to me you were saying I should add
>> > that "reply_header_access Alternate-Protocol deny all" config parameter
>> > but, on the other hand, I didn't understand why you were suggesting
>> > that, seeing that my problem is that Chrome doesn't go through my proxy
>> > at all! (I'm doing transparent proxying, NOT setting up a proxy in
>> > Chrome).
>> >
>> > I've now re-read your email and it seemed you were telling me to
>> > upgrade to 3.5.x (which I hadn't understood the last time I read your
>> > email). I apologize that I didn't understand what you were saying.
>> >
>>
>> No worries. I was saying both.
>>
>> > So are you saying I must upgrade to Squid 3.5.x to fix this? Why would
>> > that header fix it, seeing that my problem is that Chrome is bypassing
>> > the proxy altogether?
>>
>> The web server actively tells Chrome to use QUIC on future requests.
>> Remove that header from traffic and Chrome stops using QUIC (maybe
>> requires Chrome restart).
>>
>> The removal is built into 3.4.10+ by default, but the config line I
>> presented does the same thing in older versions back to 3.2.
>>
>> Amos
>>
>>
>