<div dir="ltr"><div><div>I added "ssl" to the options <br><br><div style="margin-left:40px"><i><span class="im">cache_peer <a href="http://forcesafesearch.google.com" rel="noreferrer" target="_blank">forcesafesearch.google.com</a> parent 443 0 ssl name=GS originserver no-query no-netdb-exchange no-digest<br></span></i></div><br></div>but now when I try to access <i><a href="https://www.google.com">https://www.google.com</a> </i>at all, I get an "SSL certificate error" page. All other https sites load fine.<br><br></div>@Luis, where can I find information on the icap project? We already use c-icap for SquidClamAV. It might not be much more of a stretch to add this to it.<br><div><div><div><i><span class="im"></span></i></div></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jul 31, 2015 at 6:34 PM, Luis Daniel Lucio Quiroz <span dir="ltr"><<a href="mailto:luis.daniel.lucio@gmail.com" target="_blank">luis.daniel.lucio@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">There is a project for icap that does exactly what you want. This is like a L8 filter, meanwhile dns is L5.</p>
<p dir="ltr">The higher, the better</p><div class="HOEnZb"><div class="h5">
<div class="gmail_quote">On Jul 31, 2015 5:20 PM, "Amos Jeffries" <<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 1/08/2015 8:49 a.m., Stanford Prescott wrote:<br>
> Hi Amos. I wanted to try out the "ssl-bump splice" to send traffic to a<br>
> peer found in the recent snapshots for 3.5.6/7 to block Google images. I<br>
> compiled, configured and installed the latest 3.5 snapshot and added the<br>
> directives you listed above to squid.conf but I am not sure I got them<br>
> right.<br>
><br>
><br>
> acl s1_tls_connect at_step SslBump1<br>
> acl s2_tls_client_hello at_step SslBump2<br>
> acl s3_tls_server_hello at_step SslBump3<br>
> acl tls_server_name_is_ip ssl::server_name_regex ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$<br>
> acl google ssl::server_name .<a href="http://google.com" rel="noreferrer" target="_blank">google.com</a><br>
><br>
> ssl_bump peek s1_tls_connect all<br>
> acl nobumpSites ssl::server_name .<a href="http://wellsfargo.com" rel="noreferrer" target="_blank">wellsfargo.com</a><br>
> ssl_bump splice s2_tls_client_hello nobumpSites<br>
> ssl_bump splice s2_tls_client_hello google<br>
> ssl_bump stare s2_tls_client_hello all<br>
> ssl_bump bump s3_tls_server_hello all<br>
><br>
> cache_peer <a href="http://forcesafesearch.google.com" rel="noreferrer" target="_blank">forcesafesearch.google.com</a> parent 443 0 \<br>
> name=GS originserver no-query no-netdb-exchange no-digest<br>
<br>
Sorry, I missed out the 'ssl' option on the peer.<br>
<br>
> acl search dstdomain .<a href="http://google.com" rel="noreferrer" target="_blank">google.com</a><br>
> cache_peer_access GS allow search<br>
><br>
> cache_peer_access GS deny all<br>
> sslproxy_cert_error allow tls_server_name_is_ip<br>
> sslproxy_cert_error deny all<br>
> sslproxy_flags DONT_VERIFY_PEER<br>
><br>
> When restarting Squid and searching in Google images for "sex" it still<br>
> shows images that I want to be able to block with safesearch.<br>
<br>
Other than the bit I missed out mentioning, it looks okay to me. Though I<br>
have not tested any of this myself so YMMV.<br>
<br>
Amos<br>
<br>
><br>
> On Thu, Jul 16, 2015 at 11:24 PM, Amos Jeffries wrote:<br>
><br>
>> On 19/05/2015 5:49 a.m., Andres Granados wrote:<br>
>>> Hello! I need help on how to block pornographic images of google, I<br>
>>> was trying different options and still do not succeed, try:<br>
>>> http_reply_access with request_header_add, and even with a<br>
>>> configuration dns, I think is to request_header_add the best, though<br>
>>> not it has worked for me, I hope your help, is to implement a school,<br>
>>> thanks!<br>
>>><br>
>><br>
>> FYI; Christos has added a tweak to the "ssl-bump splice" handling that<br>
>> permits sending the traffic to a cache_peer configured something like this:<br>
>><br>
>> acl example ssl::server_name .<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a><br>
>> ssl_bump splice example<br>
>> ssl_bump peek all<br>
>><br>
>> cache_peer <a href="http://forcesafesearch.example.com" rel="noreferrer" target="_blank">forcesafesearch.example.com</a> parent 443 0 \<br>
>> name=GS \<br>
>> originserver no-query no-netdb-exchange no-digest<br>
>><br>
>> acl search dstdomain .<a href="http://example.com" rel="noreferrer" target="_blank">example.com</a><br>
>> cache_peer_access GS allow search<br>
>> cache_peer_access GS deny all<br>
>><br>
>> The idea being that you can use this on intercepted (or forward-proxy)<br>
>> HTTPS traffic instead of hacking about with DNS to direct clients at the<br>
>> servers Google use to present "safe" searching.<br>
>><br>
>> This should be available in 3.5.7, or the current 3.5 snapshots.<br>
>><br>
>> Cheers<br>
>> Amos<br>
>> _______________________________________________<br>
>> squid-users mailing list<br>
>> <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
>> <a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
>><br>
><br>
<br>
</blockquote></div>
</div></div><br>
<br></blockquote></div><br></div>
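<p>Added example, not part of the original thread and not Squid code: a simplified Python model of how the ssl_bump rules quoted above are evaluated first-match at each step, showing which server names end up spliced (and so are candidates for the GS peer) and which are bumped. The sample host names and helper names are assumptions, and the server name is treated as known at every step.</p>

```python
# Simplified model of Squid 3.5 ssl_bump step evaluation (illustration only).
# Rules mirror the squid.conf quoted in the thread; host names are constructed.

def in_domain(name, suffix):
    """dstdomain-style match: '.google.com' covers google.com and subdomains."""
    bare = suffix.lstrip(".")
    return name == bare or name.endswith("." + bare)

ACLS = {
    "all": lambda sni: True,
    "nobumpSites": lambda sni: in_domain(sni, ".wellsfargo.com"),
    "google": lambda sni: in_domain(sni, ".google.com"),
}

# (action, at_step, acl) in configuration order
RULES = [
    ("peek", 1, "all"),
    ("splice", 2, "nobumpSites"),
    ("splice", 2, "google"),
    ("stare", 2, "all"),
    ("bump", 3, "all"),
]

def allowed(action, step, prev):
    """At step 3, a step-2 peek rules out bump and a step-2 stare rules out splice."""
    if step == 3 and prev == "peek":
        return action != "bump"
    if step == 3 and prev == "stare":
        return action != "splice"
    return True

def decide(sni):
    """Return the actions taken per step; stops at the first final action."""
    taken, prev = [], None
    for step in (1, 2, 3):
        action = next((a for a, s, acl in RULES
                       if s == step and ACLS[acl](sni) and allowed(a, step, prev)),
                      None)
        if action is None:  # Squid's built-in defaults are not modelled here
            break
        taken.append(action)
        if action in ("splice", "bump"):
            break
        prev = action
    return taken

if __name__ == "__main__":
    for host in ("www.google.com", "online.wellsfargo.com", "www.example.org"):
        print(host, "->", " / ".join(decide(host)))
```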