[squid-users] How to completely blacklist a domain + subdomains, including HTTPS?
roeeklinger60 at gmail.com
Wed Mar 10 12:28:57 UTC 2021
I tried implementing the configuration you suggested but I am getting an
FATAL: Invalid ACL type 'ssl::server_name'
FATAL: Bungled /etc/squid/squid.conf line 36: acl server_blacklist
I tried reading the documentation but can't find anything wrong in my
config file, I used the 2 lines exactly like they are in your suggestion,
and I am running Squid 4.10.
On Tue, Mar 9, 2021 at 2:48 PM Amos Jeffries <squid3 at treenet.co.nz> wrote:
> On 10/03/21 12:57 am, roee klinger wrote:
> > Hey,
> > I have found a lot of outdated or conflicting information about this
> > online, and since this is a really important matter, I wanted to make
> > sure I am doing this correctly.
> > I am attempting to block some websites completely, including all HTTPS
> > traffic and subdomains.
> Basically there are two protocols that need to be considered for this.
> HTTP and TLS.
> In HTTP the "website" is identified by a domain name in the
> request-target (aka URI, sometimes called URL).
> * The 'dstdomain' ACL type matches the URI domain name.
> * The http_access directive is where that domain name becomes
> available for Squid to check.
> In TLS the "website" is identified by the TLS SNI sent by the client, or
> a field in the server X.509 certificate.
> * The 'ssl::server_name' ACL type matches those details.
> * The ssl_bump directive
> Next thing is to be aware that there are many ways to layer protocols.
> Do expect to see vastly different proxy behaviours for each permutation
> of those.
> * port 443 "HTTPS" is TLS then HTTP
> * port 80 "HTTPS" is HTTP then TLS (quite rare)
> * forward-proxy "HTTPS" is HTTP then TLS then HTTP
> > Squid.conf:
> > acl domain_blacklist dstdomain "/etc/squid/domain_blacklist.txt"
> > http_access deny all domain_blacklist
> The "all" here is pointless.
> > http_reply_access deny domain_blacklist
> Use of reply access directive for blacklisting by request details is not
> The request already got blocked. So any response reaching here is just
> the error page saying forbidden. Blocking that error page would just
> change it to a slightly different error page saying the *response* was
> forbidden - which is a bit confusing for any user trying to understand
> why their request didn't work.
> > http_access deny CONNECT domain_blacklist
> This line is useless here.
> squid.conf lines are interpreted top-down. The "deny all
> domain_blacklist" already stopped all requests that could possibly match
> the second condition of this line.
> > /etc/squid/domain_blacklist.txt:
> > .ph
> > .somepornwebsite.com
> > .facebook.com
> > Am I doing this the right way?
> Sort of. Your http_access denial will catch all the HTTP and decrypted
> HTTP(S) traffic. It will not be able to block any HTTP(S) requests that
> it is not able to decrypt.
> To catch and block these domains without needing to decrypt you should
> also use:
> acl server_blacklist ssl::server_name "/etc/squid/domain_blacklist.txt"
> ssl_bump terminate server_blacklist
> Of course there is always the failure case where traffic cannot decrypt
> and the TLS details use different server names.
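Added example, not code from the thread or from the Squid project: a small Python model of the two things the reply above relies on, (1) how a dstdomain-style blacklist file is matched against a hostname (the same file feeds both the 'dstdomain' and the 'ssl::server_name' ACL, so the matching rules are the same), and (2) Squid's top-down, first-match evaluation of http_access lines, which is why a later "deny CONNECT domain_blacklist" line can never decide anything. The blacklist contents, the request samples and the ACL names are constructed for the example; the rule list mirrors the two http_access lines quoted in the thread.

```python
"""Model of Squid dstdomain / ssl::server_name matching and of top-down
http_access evaluation.  Added example; sample data is constructed."""

# Constructed stand-in for /etc/squid/domain_blacklist.txt as quoted above.
BLACKLIST_FILE = """\
# one pattern per line; a leading dot also matches every subdomain
.ph
.somepornwebsite.com
.facebook.com
"""


def load_patterns(text):
    """Parse a dstdomain-style file: one pattern per line, '#' starts a
    comment, blank lines are ignored, matching is case-insensitive."""
    patterns = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            patterns.append(line)
    return patterns


def domain_matches(host, pattern):
    """dstdomain semantics (shared by ssl::server_name): a pattern with a
    leading dot matches the domain itself and any subdomain; a pattern
    without a leading dot must match the whole hostname exactly."""
    host = host.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def is_blacklisted(host, patterns):
    """True if the hostname (URI host or TLS SNI) hits any blacklist entry."""
    return any(domain_matches(host, p) for p in patterns)


# The two http_access lines from the thread, as (action, [ACLs on the line]).
THREAD_RULES = [
    ("deny", ["all", "domain_blacklist"]),
    ("deny", ["CONNECT", "domain_blacklist"]),
]


def http_access(rules, acl_results):
    """Top-down, first-match evaluation: every ACL named on a line must
    match for that line to decide.  Returns (action, index of the deciding
    line); index None means no line matched and Squid's implicit default
    applied, which is the opposite of the last line's action."""
    for index, (action, acls) in enumerate(rules):
        if all(acl_results[name] for name in acls):
            return action, index
    default = "allow" if rules[-1][0] == "deny" else "deny"
    return default, None


def evaluate(rules, method, host, patterns):
    """Evaluate one request (method + host) against the rule list using the
    three ACL names that appear in the thread's configuration."""
    acl_results = {
        "all": True,
        "CONNECT": method == "CONNECT",
        "domain_blacklist": is_blacklisted(host, patterns),
    }
    return http_access(rules, acl_results)


if __name__ == "__main__":
    patterns = load_patterns(BLACKLIST_FILE)
    for method, host in [("CONNECT", "www.facebook.com"),
                         ("GET", "notfacebook.com"),
                         ("GET", "shop.example.ph")]:
        action, line = evaluate(THREAD_RULES, method, host, patterns)
        print(f"{method} {host}: {action} (decided by line {line})")
```

Every blacklisted request is decided by line 0, so line 1 (the CONNECT variant) is unreachable, matching the reply's point that it is useless; and the "all" ACL on line 0 changes nothing because it is always true. Separately, 'ssl::server_name' only exists in Squid builds compiled with OpenSSL support (check the configure options printed by `squid -v` for `--with-openssl`); a build without it rejects the ACL type at config parse time, which is the FATAL error the message reports.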