[squid-users] Stuck Filtering HTTPS URL

Alex Rousskov rousskov at measurement-factory.com
Mon Aug 12 20:31:38 UTC 2019

On 8/12/19 3:16 PM, Garbacik, Joe wrote:
> I am trying to permit access to something like the following,
> https://www.example.com/world, without providing access to the whole site.

> 2019/08/12 10:40:29.081 kid1| 33,4| client_side.cc(1471) quitAfterError: Will close after error:...

> HTTP/1.1 403 Forbidden

> http_access allow SrcSubnet DSTDOMAIN_ALLOW URLPATH_ALLOW

You are probably (implicitly) denying the CONNECT request sent by client
to Squid. Squid needs to process that CONNECT request (that does not
have URL paths) before Squid can bump the TLS tunnel (and see in-tunnel
requests with URLs that have paths). If you deny CONNECT, Squid will
bump the client connection and respond with a (delayed) "access denied"
error to the first in-tunnel request, regardless of what that first
in-tunnel request is.

Rule of thumb: Make everything work, including SslBump, _before_
applying custom filtering rules.


More information about the squid-users mailing list