[squid-users] Blocking CONNECT
rousskov at measurement-factory.com
Thu Aug 1 03:08:19 UTC 2019
On 7/31/19 10:44 PM, johnr wrote:
> acl CONNECT method CONNECT
> acl to_bad_ip dst 188.8.131.52
> http_access deny CONNECT to_bad_ip
> In the above squid config, if I were to try to go to https://184.108.40.206:443 I
> would get an ACCESS DENIED but squid would not block the CONNECT (it would
> respond with 200) and then block the subsequent HTTP request.
Yes, that is (currently) intentional.
> Is it possible to tell squid to block the CONNECT?
Not for connections that are subject to SslBump processing AFAIK. There
is a known need for a feature that would make such
bumping-to-deliver-CONNECT-error optional, but that feature has not been
sponsored or donated yet (and its design may require a preliminary
discussion on squid-dev). If I am not missing any workarounds, then your
options are outlined at
> I do server-first SSL bump so if I don't block the CONNECT squid will
> reach out to the upstream server which I don't want it to do.
Yes, that is one of the reasons why folks want to make
> I know this would make it impossible to serve the block page
> and have the browser show an error but I don't mind about that.
Yes, thank you for disclosing that understanding.
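As an added example (not from this thread or from Squid itself), a small Python check over Squid's default native access.log format that flags CONNECTs to a denied destination which Squid nonetheless answered with 2xx, the behaviour described above; the log lines are constructed.

```python
import re

# Squid's default ("native") access.log layout, one request per line:
#   time elapsed client action/status size method url user hierarchy/peer type
NATIVE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

def parse_native(line):
    """Parse one native-format line into a dict; None for anything else."""
    m = NATIVE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def connect_host(url):
    """A CONNECT request-target is host:port; return just the host."""
    return url.rsplit(":", 1)[0]

def allowed_connects_to(lines, denied_ips):
    """List (client, dst, hierarchy/peer) for every CONNECT to a denied dst
    that Squid still answered with 2xx. The hierarchy field (HIER_DIRECT/ip)
    is what records that Squid went to the origin server itself."""
    hits = []
    for line in lines:
        e = parse_native(line)
        if e is None or e["method"] != "CONNECT":
            continue
        dst = connect_host(e["url"])
        if dst in denied_ips and 200 <= e["status"] < 300:
            hits.append((e["client"], dst, f'{e["hier"]}/{e["peer"]}'))
    return hits

# Constructed sample lines in native format (not real traffic): the first
# pair is the behaviour described in the thread, the third is a denied CONNECT.
SAMPLE_LOG = [
    "1564628640.123     45 10.0.0.5 TCP_TUNNEL/200 0 CONNECT 188.8.131.52:443 - HIER_DIRECT/188.8.131.52 -",
    "1564628640.456      2 10.0.0.5 TCP_DENIED/403 3521 GET https://188.8.131.52/ - HIER_NONE/- text/html",
    "1564628641.001      1 10.0.0.6 TCP_DENIED/403 3521 CONNECT 188.8.131.52:443 - HIER_NONE/- text/html",
]

if __name__ == "__main__":
    for client, dst, via in allowed_connects_to(SAMPLE_LOG, {"188.8.131.52"}):
        print(f"{client} tunnelled to denied {dst} via {via}")
```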