[squid-users] Filtering HTTPS URLs

Victor Hugo fourtrials at gmail.com
Thu Feb 11 00:05:41 UTC 2016


Hi,

I was wondering if it is possible to filter HTTPS URLs using squid (for
example to blacklist reddit.com but allow https://www.reddit.com/r/news/)?

I thought this may be possible using ssl_bump and url_regex. I have been
trying this using squid 3.5.13 but with no success.

Here is the squid configuration that I have tried but doesn't seem to work
(it works for http sites though):

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

acl whitelist-regex url_regex -i reddit.com/r/news
http_port 3129 ssl-bump cert=/opt/squid-3.5.13/etc/squid3/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
acl bump_sites ssl::server_name .reddit.com
ssl_bump bump bump_sites
ssl_bump splice !bump_sites
http_access allow whitelist-regex
http_access allow localhost
http_access deny all
coredump_dir /opt/squid-3.5.13/var/spool/squid3
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
pinger_enable off

Relevant access.log output (IP addresses redacted to x.x.x.x):

1455145755.589      0 x.x.x.x TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -
1455145755.669      0 x.x.x.x TAG_NONE/403 4011 GET https://www.reddit.com/r/news - HIER_NONE/- text/html
1455145755.782      0 x.x.x.x TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -

I don't want to whitelist the dstdomain .reddit.com
(i.e. whitelist-ssldomain dstdomain .reddit.com) as that would allow access
to all of the other subreddits.

Appreciate any help or suggestions you have. Thanks.

Victor
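An illustrative squid.conf fragment for path-level filtering of a bumped HTTPS site, added here as an example; it is not from the original post and has not been confirmed against the poster's setup. It assumes Squid 3.5 built with SslBump support, the CA file path and http_port from the post, and a client network covered by the post's localnet ACL. The point it shows is the order of decisions Squid makes: the CONNECT request that opens the tunnel carries only host:port (the access.log above shows "CONNECT www.reddit.com:443"), so a url_regex that expects a path can never match it, and the tunnel must be admitted by domain first; only the decrypted GET/POST requests inside the bumped tunnel carry a full URL that a path regex can evaluate. The at_step ACL, peek/splice/bump actions and ssl::server_name ACL type are standard Squid 3.5 SslBump directives.

```conf
# Illustrative Squid 3.5 fragment (added example, not the poster's config).
# Assumes: SslBump-capable build, CA at the path used in the post, and
# the localnet ACL from the post already defined above this point.

acl step1 at_step SslBump1
acl bump_sites ssl::server_name .reddit.com
acl reddit_https dstdomain .reddit.com

# Anchored regex: an unanchored pattern such as "reddit.com/r/news" also
# matches the same text appearing in another site's path or query string.
acl reddit_news url_regex -i ^https://www\.reddit\.com/r/news(/|$|\?)

http_port 3129 ssl-bump cert=/opt/squid-3.5.13/etc/squid3/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Step 1: peek so the TLS SNI is known before any decision is taken.
# Step 2: bump only the domain whose paths must be inspected; tunnel
# everything else untouched so other sites' TLS is never intercepted.
ssl_bump peek step1
ssl_bump bump bump_sites
ssl_bump splice all

# Admit the CONNECT tunnel by domain (it has no path to match), then
# filter the decrypted requests by path. Requests to the bumped domain
# that do not match the allowed path are denied; other destinations are
# handled by the ordinary localnet rule.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow CONNECT reddit_https
http_access allow reddit_news
http_access deny reddit_https
http_access allow localnet
http_access allow localhost
http_access deny all
```

Two things to check after applying a fragment like this: access.log should show the CONNECT to the bumped host as allowed rather than TCP_DENIED, followed by per-URL entries (GET https://www.reddit.com/...) that are allowed or denied by path; and clients must trust the CA in myCA.pem, otherwise every bumped site presents a certificate warning. Because bumping decrypts the client's traffic on the proxy, keep the bump_sites list as narrow as the policy requires and splice everything else.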