[squid-users] Blocking CONNECT

Alex Rousskov rousskov at measurement-factory.com
Thu Aug 1 03:08:19 UTC 2019

On 7/31/19 10:44 PM, johnr wrote:

> acl CONNECT method CONNECT
> acl to_bad_ip dst
> http_access deny CONNECT to_bad_ip

> In the above squid config, if I were to try to go to I
> would get an ACCESS DENIED but squid would not block the CONNECT (it would
> respond to 200) and then block the subsequent HTTP request.

Yes, that is (currently) intentional.

> Is it possible to tell squid to block the CONNECT?

Not for connections that are subject to SslBump processing AFAIK. There
is a known need for a feature that would make such
bumping-to-deliver-CONNECT-error optional, but that feature has not been
sponsored or donated yet (and its design may require a preliminary
discussion on squid-dev). If I am not missing any workarounds, then your
options are outlined at


> I do server-first SSL bump so if I don't block the CONNECT squid will
> reach out to the upstream server which I don't want it to do.

Yes, that is one of the reasons why folks want to make
bumping-to-deliver-CONNECT-error optional.

> I know this would make it impossible to serve the block page
> and have the browser show an error but I don't mind about that.

Yes, thank you for disclosing that understanding.
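The behaviour discussed in this thread (Squid answering the CONNECT with 200 and only denying the bumped request afterwards) is visible in access.log. The following is an added example, not code from the thread or from the Squid project: a small parser for Squid's default access.log format that flags CONNECT requests to a blocked destination which were nevertheless answered 200, and separates them from CONNECTs that were denied outright. The log lines, the blocked address 203.0.113.10 (standing in for whatever the "to_bad_ip" acl would list) and the function names are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample lines in Squid's default ("squid") logformat. They are
# not taken from the thread; they only illustrate the behaviour it describes:
# a CONNECT to a blocked destination answered 200 (tunnel set up, upstream
# contacted via HIER_DIRECT), followed by the bumped GET being denied.
SAMPLE_LOG = """\
1564617859.123     45 10.0.0.5 TCP_TUNNEL/200 0 CONNECT 203.0.113.10:443 - HIER_DIRECT/203.0.113.10 -
1564617859.170      0 10.0.0.5 TCP_DENIED/403 3889 GET https://203.0.113.10/ - HIER_NONE/- text/html
1564617860.001     12 10.0.0.6 TCP_TUNNEL/200 5120 CONNECT 198.51.100.7:443 - HIER_DIRECT/198.51.100.7 -
1564617861.500      0 10.0.0.7 TCP_DENIED/403 3889 CONNECT 203.0.113.10:443 - HIER_NONE/- text/html
"""

# Placeholder for the destination(s) the thread's "to_bad_ip" acl would list.
BLOCKED_DESTS: Set[str] = {"203.0.113.10"}

# Fields of the default logformat:
# time elapsed client action/status size method url ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


@dataclass
class Entry:
    client: str
    action: str
    status: int
    method: str
    url: str
    hier: str
    peer: str

    @property
    def dest_host(self) -> str:
        """Host part of the request target (CONNECT targets are host:port)."""
        if self.method == "CONNECT":
            return self.url.rsplit(":", 1)[0]
        m = re.match(r"^[a-z]+://([^/:]+)", self.url)
        return m.group(1) if m else self.url


def parse_access_log(text: str) -> List[Entry]:
    """Parse default-format access.log text; lines in another format are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append(Entry(m["client"], m["action"], int(m["status"]),
                             m["method"], m["url"], m["hier"], m["peer"]))
    return entries


def accepted_connects_to_blocked(entries: List[Entry], blocked: Set[str]) -> List[Entry]:
    """CONNECTs to a blocked destination that Squid still answered 200.

    This is the case the thread describes for SslBump: the tunnel is
    established first (a HIER_DIRECT peer means the upstream server was
    contacted) and only the bumped request inside it is denied.
    """
    return [e for e in entries
            if e.method == "CONNECT" and e.status == 200 and e.dest_host in blocked]


def denied_connects(entries: List[Entry]) -> List[Entry]:
    """CONNECTs denied at the CONNECT itself (what the poster wanted to see)."""
    return [e for e in entries
            if e.method == "CONNECT" and e.action == "TCP_DENIED"]


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_LOG)
    for e in accepted_connects_to_blocked(entries, BLOCKED_DESTS):
        print(f"{e.client}: CONNECT to blocked {e.dest_host} got 200 (peer {e.peer})")
    for e in denied_connects(entries):
        print(f"{e.client}: CONNECT to {e.dest_host} denied at CONNECT")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; any entry reported by accepted_connects_to_blocked with a HIER_DIRECT peer is a case where the proxy reached the upstream server before the deny took effect.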


