[squid-users] How to terminate (close) the active CONNECT connection when matching ACL.

yuriang yuriang at ltu.sld.cu
Wed May 10 14:27:33 UTC 2017

How to terminate (close) the active CONNECT connection when matching ACL.

I have worked on version 3.5.23 on Debian 9.0, I use user authentication in addition to ACL to filter IP, MAC, all this works correctly. I have an ACL of type proxy_auth (quota_end) that contains a list of users that have exceeded a certain quota, which I deny to prohibit the user to continue the connection after having consumed its quota, that is to say when it is added to the aforementioned list . This works correctly for HTTP connections but not for HTTPS connections, these links remain active until the user performs an update to the page (press F5). Not so new HTTPS links if they are denied.
My question: Is there a way to terminate (close) the user's active HTTPS connection after matching the proxy_auth ACL (quota_end).

For more information here is my configuration, I manage several subnets, but I will only put one as an example:

Acl authentication proxy_auth REQUIRED

# - (quota_end) Contains the users who consumed the assigned quota, it is used to deny the
# - browsing these users and displaying the quota page exceeded.
Acl quota_end proxy_auth "/ etc / squid / users / quota_end"

Acl ip_ucm src "/etc/squid/redes_permitidas/ip_ucm.txt"
Acl mac_ucm arp "/ etc / squid / allowed_networks / mac_ucm.txt"

Acl SSL_ports port 443 # https |
Acl SSL_ports port 563 # snews |
Acl SSL_ports port 873 # rsync |
Acl SSL_ports port 2187 # Iluminate |
Acl Safe_ports port 80 # http |
Acl Safe_ports port 21 # ftp |
Acl Safe_ports port 443 # https |
Acl Safe_ports port 70 # gopher |
Acl Safe_ports port 210 # wais |
Acl Safe_ports port 1025-65535 # unregistered ports
Acl Safe_ports port 280 # http-mgmt |
Acl Safe_ports port 488 # gss-http |
Acl Safe_ports port 591 # filemaker |
Acl Safe_ports port 777 # multilingual http
Acl Safe_ports port 631 # cups |
Acl Safe_ports port 873 # rsync |
Acl Safe_ports port 901 # SWAT |
Acl Safe_ports port 8888 # IRC |
Acl Safe_ports port 2187 # Iluminate |
Acl Safe_ports port 25 # smtp |
Acl Safe_ports port 110 # pop3 |


# Deny requests to certain unsafe ports
Http_access deny! Safe_ports

# Deny CONNECT to other than secure SSL ports
Http_access deny CONNECT! SSL_ports

# Only allow cachemgr access from localhost
Http_access allow localhost manager
Http_access deny manager

Http_access deny quota_end

Http_access allow ip_ucm mac_ucm authentication! Quota_end

# And finally deny all other access to this proxy
Http_access deny all

Este mensaje le ha llegado mediante el servicio de correo electronico que ofrece Infomed para respaldar el cumplimiento de las misiones del Sistema Nacional de Salud. La persona que envia este correo asume el compromiso de usar el servicio a tales fines y cumplir con las regulaciones establecidas

Infomed: http://www.sld.cu/

More information about the squid-users mailing list