<div dir="ltr">Hi,<div><br></div><div>I was wondering if it is possible to filter HTTPS URLs using squid (for example to blacklist <a href="http://reddit.com">reddit.com</a> but allow <a href="https://www.reddit.com/r/news/">https://www.reddit.com/r/news/</a>)?</div><div><br></div><div>I thought this may be possible using ssl_bump and url_regex. I have been trying this using squid 3.5.13 but with no success.</div><div>
<p>Here is the squid configuration that I have tried but it doesn't seem to work (it works for http sites though):</p><pre>acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

acl whitelist-regex url_regex -i reddit.com/r/news
http_port 3129 ssl-bump cert=/opt/squid-3.5.13/etc/squid3/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
acl bump_sites ssl::server_name .reddit.com
ssl_bump bump bump_sites
ssl_bump splice !bump_sites
http_access allow whitelist-regex
http_access allow localhost
http_access deny all
coredump_dir /opt/squid-3.5.13/var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
pinger_enable off</pre></div><div>Relevant access.log output (IP addresses redacted to x.x.x.x):<pre>1455145755.589 0 x.x.x.x TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -
1455145755.669 0 x.x.x.x TAG_NONE/403 4011 GET https://www.reddit.com/r/news - HIER_NONE/- text/html
1455145755.782 0 x.x.x.x TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -</pre></div><div>I don't want to whitelist the dstdomain .reddit.com (i.e. whitelist-ssldomain dstdomain .reddit.com) as that would allow access to all of the other subreddits.</div><div>Appreciate any help or suggestions you have. Thanks.</div><div><br></div><div>Victor</div></div>
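<p>An added example for reading the access.log excerpt above; it is not part of the original post and not Squid project code. It parses Squid's native ten-field log format and sorts each entry by the stage at which Squid applied its http_access rules: the CONNECT tunnel request, where Squid only has <code>host:port</code> and no path, or a request read from inside a bumped (decrypted) tunnel, where the full https:// URL is visible. It then applies the post's <code>url_regex -i reddit.com/r/news</code> to whatever URL string Squid had at that stage, which shows why a path-based url_regex cannot match a CONNECT to <code>www.reddit.com:443</code>. The sample lines are constructed from the post's own log excerpt.</p>

```python
"""Classify Squid native access.log entries by the access-control stage
at which an HTTPS request was accepted or denied.

Added example for the question above; not from the original post or
from the Squid project. Assumes the native (squid) log format with its
ten whitespace-separated fields.
"""
import re
from collections import Counter

# Sample input constructed from the post's access.log excerpt (the client
# address was already redacted to x.x.x.x in the post).
SAMPLE_LOG = """\
1455145755.589 0 x.x.x.x TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -
1455145755.669 0 x.x.x.x TAG_NONE/403 4011 GET https://www.reddit.com/r/news - HIER_NONE/- text/html
1455145755.782 0 x.x.x.x TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -
"""

# Field order of Squid's native access.log format.
FIELDS = ("timestamp", "elapsed_ms", "client", "result", "bytes",
          "method", "url", "user", "hierarchy", "content_type")

# The post's "acl whitelist-regex url_regex -i reddit.com/r/news",
# written as the equivalent case-insensitive Python regex.
WHITELIST = re.compile(r"reddit.com/r/news", re.IGNORECASE)


def parse_line(line):
    """Parse one native-format access.log line into a dict."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("not a native-format access.log line: %r" % line)
    rec = dict(zip(FIELDS, parts))
    rec["timestamp"] = float(rec["timestamp"])
    rec["elapsed_ms"] = int(rec["elapsed_ms"])
    rec["bytes"] = int(rec["bytes"])
    # "TCP_DENIED/200" -> Squid result code and HTTP status sent to the client
    code, status = rec["result"].split("/", 1)
    rec["result_code"] = code
    rec["status"] = int(status)
    return rec


def stage_of(rec):
    """Which access-control stage this entry reflects.

    'tunnel' : the CONNECT itself; Squid sees only host:port, never a path.
    'bumped' : a request read from inside a bumped (decrypted) tunnel.
    'plain'  : an ordinary http:// request.
    """
    if rec["method"] == "CONNECT":
        return "tunnel"
    if rec["url"].startswith("https://"):
        return "bumped"
    return "plain"


def denied(rec):
    """True if Squid refused this request (TCP_DENIED, or a 403 to the client)."""
    return rec["result_code"] == "TCP_DENIED" or rec["status"] == 403


def classify(rec):
    """Summarise one entry: stage, whether it was denied, and whether the
    post's url_regex matches the URL string Squid had at that stage."""
    return {
        "method": rec["method"],
        "url": rec["url"],
        "stage": stage_of(rec),
        "denied": denied(rec),
        "whitelist_match": WHITELIST.search(rec["url"]) is not None,
    }


def analyse(log_text):
    """Classify every non-empty line and count denials per stage."""
    entries = [classify(parse_line(line))
               for line in log_text.splitlines() if line.strip()]
    denied_per_stage = Counter(e["stage"] for e in entries if e["denied"])
    return entries, denied_per_stage


if __name__ == "__main__":
    entries, counts = analyse(SAMPLE_LOG)
    for e in entries:
        print("%-7s %-7s denied=%-5s regex_match=%-5s %s"
              % (e["method"], e["stage"], e["denied"], e["whitelist_match"], e["url"]))
    print("denied per stage:", dict(counts))
```

<p>Run against the three quoted lines, both CONNECT entries come out as <code>tunnel</code> denials with no regex match, and only the decrypted GET carries a URL the whitelist regex can match. Squid evaluates http_access on the CONNECT request before any bumping happens, so an allow rule that can only match the decrypted URL never gets the tunnel opened in the first place; when debugging a ruleset like this, check the CONNECT lines first.</p>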