<div dir="ltr"><div><div>Hi,<br><br></div>I cannot block some sites using squid 3.4.8; this is the configuration. On Firefox, blocking works; the browser says:<br><br>`Error code: SSL_ERROR_RX_RECORD_TOO_LONG`<br><br></div>But on Chromium <span style="color:rgb(48,57,66);font-family:"DejaVu Sans",Arial,sans-serif;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;display:inline!important;float:none">Version 49.0.2623.108, the browser is not affected by the blocking ACLs, even though the access log says:<br><br>````<br>192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT <a href="http://172.217.29.14:443" target="_blank">172.217.29.14:443</a> HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE<br>192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "NONE error:invalid-request HTTP/0.0" 400 4042 "-" "-" TAG_NONE:HIER_NONE<br>192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT <a href="http://172.217.29.14:443" target="_blank">172.217.29.14:443</a> HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE<br>192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT <a href="http://172.217.29.14:443" target="_blank">172.217.29.14:443</a> HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE<br>192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT <a href="http://172.217.29.14:443" target="_blank">172.217.29.14:443</a> HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE<br>192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "NONE error:invalid-request HTTP/0.0" 400 4042 "-" "-" TAG_NONE:HIER_NONE<br>192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT <a href="http://172.217.29.14:443" target="_blank">172.217.29.14:443</a> HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE<br>192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] " %BA%5D%B71A%E2%90C%BD0:Ep%82%99%FE%88 HTTP/0.0" 400 3638 "-" "-" TAG_NONE:HIER_NONE<br>192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] 
"CONNECT <a href="http://172.217.29.14:443" target="_blank">172.217.29.14:443</a> HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE<br>192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "NONE error:invalid-request HTTP/0.0" 400 4042 "-" "-" TAG_NONE:HIER_NONE<br>192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT <a href="http://172.217.29.14:443" target="_blank">172.217.29.14:443</a> HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE<br>192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "NONE error:invalid-request HTTP/0.0" 400 4042 "-" "-" TAG_NONE:HIER_NONE<br>192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] " %11Tf%03%A4%83%F3%8C%EE HTTP/0.0" 400 3614 "-" "-" TAG_NONE:HIER_NONE<br>192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "NONE error:invalid-request HTTP/0.0" 400 4042 "-" "-" TAG_NONE:HIER_NONE<br>192.168.80.250 - - [16/Apr/2016:19:53:23 -0300] "CONNECT <a href="http://172.217.29.14:443" target="_blank">172.217.29.14:443</a> HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE<br>192.168.80.250 - - [16/Apr/2016:19:53:23 -0300] "NONE error:invalid-request HTTP/0.0" 400 4042 "-" "-" TAG_NONE:HIER_NONE<br></span><div>````<br><br></div><div>Debugging I've found this in cache.log:<br><br>````<br>2016/04/16 20:00:21.924 kid1| client_side.cc(864) swanSong: local=<a href="http://172.217.28.225:443">172.217.28.225:443</a> remote=<a href="http://192.168.80.250:55068">192.168.80.250:55068</a> flags=33<br>2016/04/16 20:00:21.925 kid1| Checklist.cc(62) preCheck: 0x7eff3754 checking fast ACLs<br>2016/04/16 20:00:21.925 kid1| Acl.cc(157) matches: checking access_log daemon:/var/log/squid3/access.log<br>2016/04/16 20:00:21.925 kid1| Acl.cc(157) matches: checking (access_log daemon:/var/log/squid3/access.log line)<br>2016/04/16 20:00:21.925 kid1| Acl.cc(177) matches: checked: (access_log daemon:/var/log/squid3/access.log line) = 1<br>2016/04/16 20:00:21.926 kid1| Acl.cc(177) matches: checked: access_log daemon:/var/log/squid3/access.log = 1<br>2016/04/16 20:00:21.926 kid1| 
Checklist.cc(55) markFinished: 0x7eff3754 answer ALLOWED for match<br>````<br></div><div><br></div><div>Please could you help? Am I missing something? Below, my configuration:<br></div><div><br>````<br>acl localnet src <a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a> # RFC1918 possible internal network<br>acl SSL_ports port 443<br>acl Safe_ports port 80 # http<br>acl Safe_ports port 21 # ftp<br>acl Safe_ports port 443 # https<br>acl Safe_ports port 70 # gopher<br>acl Safe_ports port 210 # wais<br>acl Safe_ports port 1025-65535 # unregistered ports<br>acl Safe_ports port 280 # http-mgmt<br>acl Safe_ports port 488 # gss-http<br>acl Safe_ports port 591 # filemaker<br>acl Safe_ports port 777 # multiling http<br>acl CONNECT method CONNECT<br>acl tvsamsung src 192.168.80.160<br>acl sarmiento src 192.168.80.248<br>acl netbook src 192.168.80.245<br>acl dompermitidos dstdomain "/etc/squid3/rules/whitelistdom"<br>acl streaming dstdomain "/etc/squid3/rules/streaming"<br>acl test dstdomain .<a href="http://debian.org" target="_blank">debian.org</a><br>acl streamingips dst "/etc/squid3/rules/streamingips"<br>acl sergiocel src 192.168.80.249<br>acl tiempojuanse time SMTWHFA 10:00-13:00<br>acl tiempojuanse time SMTWHFA 16:00-22:00<br>acl yt dstdomain .<a href="http://youtube.com" target="_blank">youtube.com</a><br>acl facebook dstdomain .<a href="http://facebook.com" target="_blank">facebook.com</a><br>http_access deny !Safe_ports<br>http_access deny CONNECT !SSL_ports<br>http_access allow localhost manager<br>http_access deny manager<br>always_direct allow all<br>ssl_bump none all<br>sslproxy_cert_error allow all<br>sslproxy_flags DONT_VERIFY_PEER<br>http_access allow tvsamsung<br>http_access deny yt<br>http_access allow facebook<br>http_access deny streaming<br>http_access deny streamingips<br>http_access allow dompermitidos<br>http_access allow sarmiento<br>http_access allow localnet<br>http_access allow localhost<br>http_access deny all<br>http_port 
3128<br>http_port 3127 intercept<br>https_port 8080 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/home/proxy/ssl_cert/example.com.cert key=/home/proxy/ssl_cert/example.com.private<br>sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB<br>access_log daemon:/var/log/squid3/access.log combined<br>coredump_dir /var/spool/squid3<br>refresh_pattern ^ftp: 1440 20% 10080<br>refresh_pattern ^gopher: 1440 0% 1440<br>refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br>refresh_pattern . 0 20% 4320<br>````<br><br clear="all"><div><div>Thanks in advance!<br></div><div>-- <br><div><div dir="ltr"><div><div dir="ltr">--<br>Sergio Belkin<br>LPIC-2 Certified - <a href="http://www.lpi.org" target="_blank">http://www.lpi.org</a></div></div></div></div>
</div></div></div></div>
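A way to triage an access.log like the one in the post, added here as an example and not part of the original message: it counts denied CONNECT targets per client and the status-400 `HTTP/0.0` entries that arrive shortly after a denial. The function name `summarize`, the two-second window and the last sample line are assumptions of this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache-style "combined" line with Squid's result:hierarchy code appended,
# matching the access.log excerpt in the post.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) \d+ '
                  r'"[^"]*" "[^"]*" (\w+):(\w+)$')

# Lines 1-4 are copied from the post (link markup removed); line 5 is constructed.
SAMPLE = '''\
192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT 172.217.29.14:443 HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE
192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "NONE error:invalid-request HTTP/0.0" 400 4042 "-" "-" TAG_NONE:HIER_NONE
192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] " %11Tf%03%A4%83%F3%8C%EE HTTP/0.0" 400 3614 "-" "-" TAG_NONE:HIER_NONE
192.168.80.250 - - [16/Apr/2016:19:53:23 -0300] "CONNECT 172.217.29.14:443 HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE
192.168.80.245 - - [16/Apr/2016:19:54:02 -0300] "GET http://example.org/ HTTP/1.1" 200 512 "-" "-" TCP_MISS:HIER_DIRECT
'''

def summarize(lines, window=timedelta(seconds=2)):
    """Per client: denied CONNECT targets, status-400 HTTP/0.0 entries, and
    how many of those were logged within `window` after a denied CONNECT."""
    report = defaultdict(lambda: {"denied": Counter(), "invalid": 0, "after_deny": 0})
    last_deny = {}  # client -> time of its most recent denied CONNECT
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not in the expected log format
        client, ts, request, status, result, _hier = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        parts = request.split()
        if result == "TCP_DENIED" and len(parts) >= 2 and parts[0] == "CONNECT":
            report[client]["denied"][parts[1]] += 1
            last_deny[client] = when
        elif status == "400" and request.endswith("HTTP/0.0"):
            # Entries logged like "NONE error:invalid-request HTTP/0.0" in the post.
            report[client]["invalid"] += 1
            if client in last_deny and when - last_deny[client] <= window:
                report[client]["after_deny"] += 1
    return dict(report)

if __name__ == "__main__":
    for client, stats in summarize(SAMPLE.splitlines()).items():
        print(client, dict(stats["denied"]), stats["invalid"], stats["after_deny"])
```
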