[squid-users] Squid Version 3.5.20

Flashdown flashdown at data-core.org
Tue Jun 27 15:37:25 UTC 2017


Well, I know that issue very well and Google is the issue, since they should put their captcha on its own subdomain. Then we could effectively allow only the access to the captcha.

Until then there is no good way to achieve this. But there is a non-reliable way of blocking google.com

First allow the Connect method for google.com
acl CONNECT method CONNECT
acl sslconnect dstdomain -i www.google.com
http_access allow CONNECT sslconnect
Then use an url regex and allow google.com/recaptcha

This way sometimes www.google.com is blocked, sometimes not. But access to recaptcha will always work.

Why can't we block it reliably? Well, when a browser/client wants to connect to an https website, the first thing the browser tries is to open an SSL tunnel to the FQDN.
As soon as the tunnel is up it will request the resource. Maybe it helps if you add a url regex deny between allowing the connect method and allowing the url www.google.com/recaptcha

Written on  my mobile..

Br,
Flashdown



On 27 June 2017 17:07:19 CEST, "Cherukuri, Naresh" <ncherukuri at partycity.com> wrote:
>Hi Eliezer,
>
>We successfully blocked gmail, google images, google drive and rest all
>google related. Now we are allowing www.google.com and www.
>google/Recaptcha. We still need to block www.google.com and just allow
>www.google/recaptcha. Is there a way to do that?
>
>Appreciate your quick turnover!
>
>Thanks&Regards,
>Naresh
>
> 
>-----Original Message-----
>From: Eliezer Croitoru [mailto:eliezer at ngtech.co.il] 
>Sent: Tuesday, June 27, 2017 10:16 AM
>To: Cherukuri, Naresh; squid-users at lists.squid-cache.org
>Subject: RE: [squid-users] Squid Version 3.5.20
>
>Hey,
>
>I can try to help you but I do not have enough logs for it.
>Also it's not so simple.
>Basically you will need to block gmail and google drive themselves in
>one rule that will not include other google services.
>
>All The Bests,
>Eliezer
>
>----
>http://ngtech.co.il/lmgtfy/
>Linux System Administrator
>Mobile: +972-5-28704261
>Email: eliezer at ngtech.co.il
>
>
>From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On
>Behalf Of Cherukuri, Naresh
>Sent: Friday, June 23, 2017 23:34
>To: squid-users at lists.squid-cache.org
>Subject: [squid-users] Squid Version 3.5.20
>
>Hello All,
>
>I installed Squid version 3.5.20 on RHEL 7 and generated self-signed CA
>certificates, can you shed some light on how to "Configure regular
>expression of the Google ReCaptcha URL with ACL".
>
>My requirement :
>
>This requirement is to allow Google's ReCaptcha URL (HTTPS) so
>associates can successfully use ADP which now utilizes Google's
>ReCaptcha which is called via an HTTPS URL, without allowing users to
>access other Google-related services such as Gmail or Google Drive.
>
>Any ideas much appreciated!
>
>Thanks,
>Naresh
>
>_______________________________________________
>squid-users mailing list
>squid-users at lists.squid-cache.org
>http://lists.squid-cache.org/listinfo/squid-users
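
Added example (not part of the original message and not Squid's own code): a small Python model of first-match http_access evaluation, run over a constructed squid.conf fragment that follows the ordering described in the reply at the top (allow CONNECT, deny by URL, allow the reCAPTCHA URL). The ACL names google_www and recaptcha and the sample URLs are assumptions; the per-URL rules only apply when SSL-Bump decrypts the tunnel, otherwise Squid sees nothing but the CONNECT request.

```python
import re
from urllib.parse import urlsplit

# Constructed squid.conf fragment; ACL names are hypothetical.
CONF = r"""
acl CONNECT method CONNECT
acl google_www dstdomain www.google.com
acl recaptcha url_regex -i ^https://www\.google\.com/recaptcha/
http_access allow CONNECT google_www
http_access deny google_www !recaptcha
http_access allow recaptcha
http_access deny all
"""

def parse(conf):
    """Return (acls, rules) for the small directive subset used in CONF."""
    acls, rules = {"all": ("all", [])}, []
    for line in conf.strip().splitlines():
        tok = line.split()
        if tok[0] == "acl":
            # "-i" is dropped here; regexes are matched case-insensitively below.
            acls[tok[1]] = (tok[2], [t for t in tok[3:] if t != "-i"])
        elif tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def matches(acl, method, url):
    kind, args = acl
    if kind == "all":
        return True
    if kind == "method":
        return method in args
    # A CONNECT target is "host:port"; a bumped request carries the full URL.
    host = url.split(":")[0] if method == "CONNECT" else urlsplit(url).hostname
    if kind == "dstdomain":
        return host in args  # no leading dot: exact host name only
    if kind == "url_regex":
        return any(re.search(p, url, re.I) for p in args)
    raise ValueError(kind)

def http_access(method, url, conf=CONF):
    """First matching http_access line wins; ACLs on one line are ANDed."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(matches(acls[n.lstrip("!")], method, url) != n.startswith("!")
               for n in names):
            return action
    return "deny"
```

Without decryption only the first http_access line is ever evaluated for www.google.com, so the whole host passes once the tunnel is allowed.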