[squid-users] How to block a https website with squid 3.5.3

minh hưng đỗ hoàng hoangminhung at gmail.com
Thu Jan 11 10:39:04 UTC 2018


Dear all, I am using squid as a transparent proxy, but I can't deny an https
website like
https://remitano.com

My squid is compiled on ubuntu14 with these configure options:
Squid Cache: Version 3.5.3
Service Name: squid
configure options:  '--prefix=/usr' '--includedir=/usr/include'
'--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var'
'--libexecdir=/usr/lib/squid' '--srcdir=.' '--datadir=/usr/share/squid'
'--sysconfdir=/etc/squid' '--mandir=/usr/share/man' '--enable-inline'
'--enable-async-io=24' '--enable-storeio=ufs,aufs,diskd,rock'
'--enable-removal-policies=lru,heap' '--enable-gnuregex'
'--enable-cache-digests' '--enable-underscores' '--enable-icap-client'
'--enable-follow-x-forwarded-for' '--enable-eui' '--enable-esi'
'--enable-icmp' '--enable-zph-qos' '--enable-http-violations'
'--enable-ssl-crtd' '--enable-linux-netfilter' '--enable-ltdl-install'
'--enable-ltdl-convenience' '--enable-x-accelerator-vary'
'--disable-maintainer-mode' '--disable-dependency-tracking'
'--disable-silent-rules' '--disable-translation' '--disable-ipv6'
'--disable-ident-lookups' '--enable-delay-pools'
'--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid.pid' '--with-aufs-threads=24'
'--with-filedescriptors=65536' '--with-large-files' '--with-maxfd=65536'
'--with-openssl' '--with-default-user=proxy' '--with-included-ltdl'

And here is my squid.conf

acl localnet src 192.168.10.0/24 #LAN
acl localnet src 10.10.10.0/24 #WIFI
acl localnet src 10.10.20.0/24 #WIFI
acl localnet src 172.18.18.0/24 #WIFI
acl localnet src 172.17.0.0/16
acl localnet src 10.10.1.0/24

acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https


acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all


acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate blockregexurl
ssl_bump terminate domain
ssl_bump terminate block_domain
ssl_bump splice all


sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher ALL:!SSLv2:!SSLv3:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
sslproxy_cert_error deny all
sslproxy_flags  DONT_VERIFY_PEER
sslproxy_cafile /etc/squid/intermediate_ca.pem

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

-----------------------
First, I can block facebook by using these commands:
acl facebook dstdomain .facebook.com
http_access deny CONNECT facebook

But it has no effect with https://remitano.com

I tried to use these commands but they do not work:

acl blockregexurl url_regex -i ^http[s]?:\/\/.*\.remitano\.com\/(/vn)
http_access deny blockregexurl
http_access deny CONNECT blockregexurl

acl block_domain dstdomain remitano.com
acl domain dstdomain sso.remitano.com socket.remitano.com cdn.remitano.com
http_access deny block_domain
http_access deny CONNECT block_domain
http_access deny domain
http_access deny CONNECT domain


-- 
Thanks & Best Regards,
--------------
Đỗ Hoàng Minh Hưng
Gmail : hoangminhung at gmail.com
SĐT : 01234454115
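Added example, not part of the post above: a small Python model of how the two ACL types in this thread match, following Squid's documented semantics as I understand them (a dstdomain value with a leading dot matches the domain and its subdomains, one without a dot matches only that exact name; url_regex on a CONNECT request is applied to "host:port" with no scheme). The ACL values are the ones from the post; the helper names and the use of Python's re module in place of Squid's GNU regex are my assumptions.

```python
import re

# Model of Squid's dstdomain ACL (assumption: documented leading-dot semantics).
def dstdomain_matches(acl_domains, host):
    host = host.lower().rstrip(".")
    for d in acl_domains:
        d = d.lower()
        if d.startswith("."):
            # ".example.com" matches example.com and every subdomain of it
            if host == d[1:] or host.endswith(d):
                return True
        elif host == d:
            # "example.com" matches only exactly example.com
            return True
    return False

# Model of url_regex -i: Python re used as an approximation of GNU regex.
def url_regex_matches(pattern, url):
    return re.search(pattern, url, re.IGNORECASE) is not None

# The URL a CONNECT request presents to url_regex: "host:port", no "https://".
# Applies to the fake CONNECT Squid builds for an intercepted TLS connection
# once the SNI has been peeked (assumption about the intercept path).
def connect_url(host, port=443):
    return f"{host}:{port}"

# ACL values copied from the post
FACEBOOK = [".facebook.com"]
BLOCK_DOMAIN = ["remitano.com"]
DOMAIN = ["sso.remitano.com", "socket.remitano.com", "cdn.remitano.com"]
BLOCK_REGEX = r"^http[s]?:\/\/.*\.remitano\.com\/(/vn)"

# Evaluate each ACL from the post against one destination host.
def evaluate(host):
    url = connect_url(host)
    return {
        "facebook": dstdomain_matches(FACEBOOK, host),
        "block_domain": dstdomain_matches(BLOCK_DOMAIN, host),
        "domain": dstdomain_matches(DOMAIN, host),
        "blockregexurl": url_regex_matches(BLOCK_REGEX, url),
    }

if __name__ == "__main__":
    for h in ("www.facebook.com", "remitano.com", "www.remitano.com", "sso.remitano.com"):
        print(h, evaluate(h))
```

Running it shows that the dotless "remitano.com" value only hits the bare apex name, that the three explicit subdomains only hit themselves, and that the "^https?://" pattern never matches a CONNECT pseudo-URL.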