<div dir="ltr"><div>Hi<br></div> Below is my squid file , I have configured squid 3.5.3
with ssl, but I cant filter https traffic and also in access log I cant
see https in access logs.<br><br><br><div>#<br># Recommended minimum configuration:<br>#<br> <br># Example rule allowing access from your local networks.<br># Adapt to list your (internal) IP networks from where browsing<br># should be allowed<br>acl localnet src 116.72.152.37 <a href="http://192.168.0.0/24" target="_blank">192.168.0.0/24</a> # Sesuaikan dengan ip client/local<span class="im"><br> <br>acl SSL_ports port 443<br>acl Safe_ports port 80 # http<br>acl Safe_ports port 21 # ftp<br>acl Safe_ports port 443 # https<br>acl Safe_ports port 70 # gopher<br>acl Safe_ports port 210 # wais<br>acl Safe_ports port 1025-65535 # unregistered ports<br>acl Safe_ports port 280 # http-mgmt<br>acl Safe_ports port 488 # gss-http<br>acl Safe_ports port 591 # filemaker<br>acl Safe_ports port 777 # multiling http<br></span># storeid *test*<br>acl urlrewrite dstdomain .<a href="http://fbcdn.net" target="_blank">fbcdn.net</a> .<a href="http://akamaihd.net" target="_blank">akamaihd.net</a><br>acl speedtest url_regex -i speedtest\/.*\.(jpg|txt)\?.*<br>acl reverbnation url_regex -i reverbnation.*audio_player.*ec_stream_song.*$<br>acl utmgif url_regex -i utm.gif.*<br>acl playstoreandroid url_regex -i c.android.clients.google.com.market.GetBinary.GetBinary.*<br>acl idyoutube url_regex -i youtube.*(ptracking|stream_204|player_204).*(v\=|docid\=|video_id\=).*$<br>acl videoyoutube url_regex -i (youtube|googlevideo).*videoplayback\?<br>acl videoyoutube url_regex -i (youtube|googlevideo).*videoplayback\?<br>acl CONNECT method CONNECT<br>acl getmethod method GET<br>acl loop_302 http_status 302<br>acl step1 at_step SslBump1<br>acl youtube dstdomain .<a href="http://youtube.com" target="_blank">youtube.com</a><br>acl blocksites dstdomain "/etc/squid/restricted-sites.squid"<br># TAG: QUERY<br># -----------------------------------------------------------------------------<br>acl QUERY urlpath_regex -i (hackshield|blank.html|infinity.js|hshield.da|renew_session_token.php|recaptcha.js|dat.asp|notice.swf|patchlist.txt|hackshield|captcha|reset.css|update.ver|notice.html|updates.txt|gamenotice|images.kom|patchinfo.xml|noupdate.ui|\.Xtp|\.htc|\.txt)<br>acl QUERY urlpath_regex -i (patch.conf|uiimageset.xml.iop|gashaponwnd.xml.iop|loading.swf|download.swf|version.list|version.ini|launch.jnlp|server_patch.cfg.iop|core.swf|Loading.swf|resouececheck.sq|mainloading.swf|config.xml|gemmaze.swf|xml.png|size.xml|resourcesbar.swf|version.xml|version.list|delete.ini)<br>acl QUERY urlpath_regex -i \.(jsp|asp|aspx|cfg|iop|zip|php|xml|html)(\?|$)<br>cache deny QUERY<br>cache deny youtube<br> <br>#<br>acl dontstore url_regex ^http:\/\/(([\d\w-]*(\.[^\.\-]*?\..*?))(\/\mosalsal\/[\d]{4}\/.*\/)(.*\.flv))\?start.*<br>acl dontstore url_regex redbot\.org \.php<br>acl dontstore url_regex -i ^http:\/\/.*gemscool\.com\/.*<br>acl dontstore url_regex \.(aspx|php)\?<br>acl dontstore url_regex goldprice\.org\/NewCharts\/gold\/images\/.*\.png<br>acl dontstore url_regex google\.co(m|\.[a-z]{2})\/complete\/search\?<br>acl dontstore url_regex redirector\.([0-9.]{4}|.*\.youtube\.com|.*\.googlevideo\.com|.*\.video\.google\.com)\/(get_video\?|videodownload\?|videoplayback.*id|get_video_info\?|ptracking\?|player_204\?|stream_204\?).*<br> <br>acl store_yt_id url_regex -i youtube.*(ptracking|stream_204|playback|player_204|watchtime|set_awesome|s\?|ads).*(video_id|docid|\&v|content_v)\=([^\&\s]*).*$<br>acl store_id_list_yt url_regex -i (youtube|googlevideo).*videoplayback.*$<br>acl store_id_list_yt url_regex ^https?\:\/\/([0-9.]{4}|.*\.youtube\.com|.*\.googlevideo\.com|.*\.video\.google\.com)\/(get_video\?|videodownload\?|videoplayback.*id).*<br> <br>acl store-id_list urlpath_regex -i dl\.sourceforge\.net<br>acl store-id_list urlpath_regex -i \.ytimg\.com<br>acl store-id_list urlpath_regex -i \.(akamaihd|fbcdn)\.net<br>acl store_id_list urlpath_regex -i [a-zA-Z]{2}[0-9]*\.4shared\.com\/download\/<br> <br>acl store_id_list_url url_regex ^http:\/\/[0-9]\.bp\.blogspot\.com.*\.(jpeg|jpg|png|gif|ico)<br>acl store_id_list_url url_regex ^http[s]?:\/\/.*\.twimg\.com\/(.*)\.(gif|jpeg|jpg|png|js|css)<br>acl store_id_list_url url_regex ^http[s]?:\/\/(media|static)\.licdn\.com\/.*\.(png|jpg|gif|woff)<br>acl store_id_list_url url_regex ^https:\/\/fb(static|cdn)\-.*\-<a href="http://a.akamaihd.net" target="_blank">a.akamaihd.net</a>\/(.*)\.(gif|jpeg|jpg|png|js|css|mp4)<br>acl store_id_list_url url_regex ^http:\/\/.*\.ak\.fbcdn\.net\/.*\.(gif|jpg|png|js|mp4)<br><br># pass requests <br>url_rewrite_program /etc/squid/phpredir.php<br>url_rewrite_access allow youtube<br> <br>request_header_access Range deny store_id_list_yt<br>range_offset_limit 10 KB store_id_list_yt<br> <br> <br>###############################################################################<br># Recommended minimum Access Permission configuration:<br>#<br># Deny requests to certain unsafe ports<br>###############################################################################<span class="im"><br>http_access deny !Safe_ports<br>http_access deny CONNECT !SSL_ports<br></span>http_access deny blocksites<span class="im"><br>http_access allow localhost manager<br>http_access deny manager<br></span>http_access allow localnet<br>http_access allow localhost<br>http_access deny all<br> <br>###############################################################################<br># squid ssl_bump option<br>###############################################################################<br>always_direct allow all<br>ssl_bump server-first all<br>sslproxy_cert_error deny all<br>sslproxy_flags DONT_VERIFY_PEER<br>sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB<br>sslcrtd_children 8 startup=1 idle=1<br>#ssl_bump peek step1<br>#ssl_bump bump all <br>###############################################################################<br># Squid normally listens to port 3128<br>###############################################################################<br>https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_certs/squid.crt key=/etc/squid/ssl_certs/squid.key<br>http_port 3129 intercept<br>http_port 3128<br> <br># TAG: Store-id Program<br># -----------------------------------------------------------------------------<br>store_id_program /usr/bin/perl /etc/squid/<a href="http://store-id.pl" target="_blank">store-id.pl</a><br>store_id_children 100 startup=0 idle=1 concurrency=1000<br> <br># TAG: Store-id Access<br># -----------------------------------------------------------------------------<br>store_id_access allow urlrewrite<br>store_id_access allow speedtest<br>store_id_access allow reverbnation<br>store_id_access allow utmgif<br>store_id_access allow playstoreandroid<br>store_id_access allow idyoutube<br>store_id_access allow videoyoutube<br>store_id_access deny dontstore<br>store_id_access deny !getmethod<br>store_id_access allow store_id_list_yt<br>store_id_access allow store_yt_id<br>store_id_access allow store-id_list<br>store_id_access deny all<br>store_id_bypass on<br> <br># TAG: Youtube 302<br># -----------------------------------------------------------------------------<br>store_miss deny store_id_list_yt loop_302<br>send_hit deny store_id_list_yt loop_302<br> <br>###############################################################################<br>## MEMORY CACHE OPTIONS<br>###############################################################################<br>client_dst_passthru on<br>cache_mem 1024 MB<br>maximum_object_size_in_memory 1024 KB<br>memory_cache_shared off<br>memory_cache_mode disk<br>memory_replacement_policy heap GDSF<br> <br>###############################################################################<br>## DISK CACHE OPTIONS<br>###############################################################################<br>cache_replacement_policy heap LFUDA<br>minimum_object_size 1 bytes<br>maximum_object_size 10 GB<br> <br>###############################################################################<br># Uncomment and adjust the following to add a disk cache directory.<br>###############################################################################<br>cache_dir aufs /usr/local/cache_proxy 25000 16 256 # sesuaikan dengan drive penyimpanan cache <br>store_dir_select_algorithm round-robin<br>cache_swap_low 90<br>cache_swap_high 95<br> <br>###############################################################################<br># Leave coredumps in the first cache dir<br>###############################################################################<br>coredump_dir /var/spool/squid<br> <br>###############################################################################<br>## LOGFILE OPTIONS<br>###############################################################################<br>#access_log daemon:/tmp/access.log !log<br>#logfile_daemon /usr/lib/squid/log_file_daemon<br>cache_store_log none<br>logfile_rotate 1<br>mime_table /etc/squid/mime.conf<br>pid_filename /var/run/squid.pid<br>strip_query_terms off<br>buffered_logs off<br> <br>###############################################################################<br>## OPTIONS FOR TROUBLESHOOTING<br>###############################################################################<br>#cache_log /tmp/cache.log<br>cache_log /dev/null<br>#debug_options ALL,1 22,3<br>coredump_dir /var/spool/squid<br> <br>###############################################################################<br>## OPTIONS FOR TUNING THE CACHE<br>###############################################################################<br>max_stale 1 years<br>vary_ignore_expire on<br>shutdown_lifetime 10 seconds<br> <br>###############################################################################<br># Add any of your own refresh_pattern entries above these.<br>###############################################################################<span class="im"><br>refresh_pattern ^ftp: 1440 20% 10080<br>refresh_pattern ^gopher: 1440 0% 1440<br>refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br></span># Youtube Video<br>refresh_pattern -i (get_video\?|videoplayback\?|videodownload\?|\.mp4|\.webm|\.flv|((audio|video)\/(webm|mp4)))
241920 100% 241920 override-expire ignore-reload ignore-private
ignore-no-store ignore-must-revalidate reload-into-ims ignore-auth
store-stale<br>refresh_pattern -i ^https?\:\/\/.*\.googlevideo\.com\/videoplayback.*
10080 99% 43200 override-lastmod override-expire ignore-reload
reload-into-ims ignore-private reload-into-ims ignore-auth store-stale<br>refresh_pattern -i ^https?\:\/\/.*\.googlevideo\.com\/videoplayback.*$
241920 100% 241920 override-expire ignore-reload ignore-private
ignore-no-store ignore-must-revalidate reload-into-ims ignore-auth
store-stale<br><br>refresh_pattern (akamaihd|fbcdn)\.net 14400 99%
518400 ignore-no-store ignore-private ignore-reload
ignore-must-revalidate store-stale<br>refresh_pattern -i squid\.internal
14400 99% 518400 ignore-no-store ignore-private ignore-reload
ignore-must-revalidate store-stale<br>refresh_pattern
\.(jpg|png|gif|css|ico)($|\?) 14400 99% 518400 ignore-no-store
ignore-private reload-into-ims ignore-must-revalidate store-stale<br>refresh_pattern . 0 99% 518400 ignore-no-store ignore-private reload-into-ims store-stale <br># Image Youtube<br>refresh_pattern -i (yimg|twimg)\.com\.* 1440 100% 129600 override-expire ignore-reload reload-into-ims<br>refresh_pattern
-i (ytimg|ggpht)\.com\.* 1440 80% 129600 override-expire
override-lastmod ignore-auth ignore-reload reload-into-ims<br> <br>#images facebook<br>refresh_pattern -i fbcdn.*net\/.*\.((jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)|(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)(\?|.*$)) 241920 99% 241920 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-auth<br>refresh_pattern -i pixel\.facebook\.com.*\.(jpg|png|gif|ico|css|js) 241920 80% 241920 override-expire ignore-reload reload-into-ims ignore-auth<br>refresh_pattern -i \.akamaihd\.net.*\.(jpg|png|gif|ico|css|js) 241920 80% 241920 override-expire ignore-reload reload-into-ims ignore-auth<br>refresh_pattern -i ((<a href="http://facebook.com" target="_blank">facebook.com</a>)|(85.131.151.39))\.(jpg|png|gif) 241920 99% 241920 ignore-reload override-expire ignore-no-store store-stale<br>refresh_pattern -i fbcdn\.net\/.*\.((jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)|(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|css|js)(\?|.*$)) 241920 99% 241920 ignore-no-store ignore-private override-expire override-lastmod reload-into-ims ignore-auth<br>refresh_pattern static\.(xx|ak)\.fbcdn\.net*\.(jpg|gif|png) 241920 99% 241920 ignore-reload override-expire ignore-no-store<br>refresh_pattern ^https?\:\/\/profile\.ak\.<a href="http://fbcdn.net" target="_blank">fbcdn.net</a>*\.(jpg|gif|png) 241920 99% 241920 ignore-reload override-expire ignore-no-store<br> <br># Video Facebook<br>refresh_pattern -i \.video.ak.fbcdn.net.*\.(mp4|flv|mp3|amf) 10080 80% 43200 override-expire ignore-reload reload-into-ims ignore-private ignore-no-store ignore-must-revalidate<br>refresh_pattern
(audio|video)\/(webm|mp4) 129600 99% 129600 ignore-reload
override-expire override-lastmod ignore-must-revalidate ignore-private
ignore-no-store ignore-auth store-stale<br>refresh_pattern -i
^http://.*squid\.internal.* 241920 100% 241920 override-lastmod
override-expire ignore-reload ignore-must-revalidate ignore-private
ignore-no-store ignore-auth store-stale<br> <br># All File<br>refresh_pattern -i \.(3gp|7z|ace|asx|bin|deb|divx|dvr-ms|ram|rpm|exe|inc|cab|qt) 10080 80% 10080 override-expire override-lastmod reload-into-ims<br>refresh_pattern -i \.(rar|jar|gz|tgz|bz2|iso|m1v|m2(v|p)|mo(d|v)|arj|lha|lzh|zip|tar|iop|nzp|pak|mar|msp) 10080 80% 10080 override-expire override-lastmod reload-into-ims ignore-reload<br>refresh_pattern -i \.(jp(e?g|e|2)|gif|pn[pg]|bm?|tiff?|ico|swf|dat|ad|txt|dll) 10080 80% 10080 override-expire override-lastmod reload-into-ims<br>refresh_pattern -i \.(avi|ac4|mp(e?g|a|e|1|2|3|4)|mk(a|v)|ms(i|u|p)|og(x|v|a|g)|rm|r(a|p)m|snd|vob|webm) 10080 80% 10080 override-expire override-lastmod reload-into-ims<br>refresh_pattern -i \.(pp(t?x)|s|t)|pdf|rtf|wax|wm(a|v)|wmx|wpl|cb(r|z|t)|xl(s?x)|do(c?x)|flv|x-flv) 10080 80% 10080 override-expire override-lastmod reload-into-ims<span class="im"><br>refresh_pattern . 0 20% 4320<br> <br></span>###############################################################################<br>## ADMINISTRATIVE PARAMETERS<br>###############################################################################<br>cache_mgr <a href="mailto:reetika@foxymoron.org" target="_blank">reetika@foxymoron.org</a><br>cache_effective_user proxy<br>cache_effective_group proxy<br>visible_hostname <a href="http://foxysquid.foxymoron.tv" target="_blank">foxysquid.foxymoron.tv</a><br>unique_hostname <a href="http://foxysquid.foxymoron.tv" target="_blank">foxysquid.foxymoron.tv</a><br> <br>###############################################################################<br>## PERSISTENT CONNECTION HANDLING<br>###############################################################################<br>detect_broken_pconn on<br>client_persistent_connections off<br>server_persistent_connections on<br> <br>###############################################################################<br>## ERROR PAGE OPTIONS<br>###############################################################################<br>error_directory /usr/share/squid/errors/en<br>error_log_languages off<br> <br>###############################################################################<br>## DNS OPTIONS<br>###############################################################################<br>check_hostnames off<br>hosts_file /etc/hosts<br>connect_retries 2<br>ipcache_low 90<br>ipcache_high 95<br>ipcache_size 84024 # 2x Besar RAM <br>fqdncache_size 64024 # real RAM Hardware<br>pipeline_prefetch 100<br> <br>###############################################################################<br>## MISCELLANEOUS<br>###############################################################################<br>memory_pools off<br>reload_into_ims on<br>uri_whitespace strip<br>max_filedescriptors 65536<br><br></div><div>IPtable rules :<br><br>................................................<br><br></div>My IPtables Rules<br><br>Chain PREROUTING (policy ACCEPT 27405 packets, 1872K bytes)<span class="im"><br> pkts bytes target prot opt in out source destination <br></span>76873 4457K DNAT tcp -- eth1 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> tcp dpt:80 to:<a href="http://192.168.0.200:3129" target="_blank">192.168.0.200:3129</a><br> 26 1184 REDIRECT tcp -- eth0 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> tcp dpt:80 redir ports 3129<br> 0 0 DNAT tcp -- eth0 * <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> tcp dpt:443 to:<a href="http://192.168.0.200:3130" target="_blank">192.168.0.200:3130</a><br><br>Chain INPUT (policy ACCEPT 9321 packets, 543K bytes)<br> pkts bytes target prot opt in out source destination <br><br>Chain OUTPUT (policy ACCEPT 1426 packets, 85560 bytes)<br> pkts bytes target prot opt in out source destination <br><br>Chain POSTROUTING (policy ACCEPT 1426 packets, 85560 bytes)<span class="im"><br> pkts bytes target prot opt in out source destination <br></span>81432 14M MASQUERADE all -- * eth0 <a href="http://192.168.0.0/24" target="_blank">192.168.0.0/24</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><div class=""><div id=":1b3" class="" tabindex="0"><img class="" src="https://ssl.gstatic.com/ui/v1/icons/mail/images/cleardot.gif"></div></div></div>