<div dir="ltr">Here's a strange one for you though, if I change:<div><code>acl whitelist-regex url_regex -i reddit.com/r/news</code></div><div><br></div><div>to:<br><code>acl whitelist-regex url_regex -i reddit\.com\/r\/news www\.reddit\.com\:443</code></div><div><br></div><div>it works every 2nd time but the match is too greedy and allows <a href="http://www.reddit.com/r/anything">www.reddit.com/r/anything</a> every 2nd time.<br><br>Victor</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Feb 11, 2016 at 10:05 AM, Victor Hugo <span dir="ltr">&lt;<a href="mailto:fourtrials@gmail.com" target="_blank">fourtrials@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>I was wondering if it is possible to filter HTTPS URLs using squid (for example to blacklist <a href="http://reddit.com" target="_blank">reddit.com</a> but allow <a href="https://www.reddit.com/r/news/" target="_blank">https://www.reddit.com/r/news/</a>)?</div><div><br></div><div>I thought this may be possible using ssl_bump and url_regex. I have been trying this using squid 3.5.13 but with no success.</div><div>
<p>Here is the squid configuration that I have tried but doesn't seem to work (it works for http sites though):</p>
<pre>
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager

acl whitelist-regex url_regex -i reddit.com/r/news
http_port 3129 ssl-bump cert=/opt/squid-3.5.13/etc/squid3/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
acl bump_sites ssl::server_name .reddit.com
ssl_bump bump bump_sites
ssl_bump splice !bump_sites
http_access allow whitelist-regex
http_access allow localhost
http_access deny all
coredump_dir /opt/squid-3.5.13/var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
pinger_enable off
</pre></div><div>Relevant access.log output (IP addresses redacted to x.x.x.x):
<pre>
1455145755.589 0 x.x.x.x TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -
1455145755.669 0 x.x.x.x TAG_NONE/403 4011 GET https://www.reddit.com/r/news - HIER_NONE/- text/html
1455145755.782 0 x.x.x.x TCP_DENIED/200 0 CONNECT www.reddit.com:443 - HIER_NONE/- -
</pre></div><div><br>I don't want to whitelist the dstdomain .reddit.com (i.e. <code>whitelist-ssldomain dstdomain .reddit.com</code>) as that would allow access to all of the other subreddits.<br><br></div><div>Appreciate any help or suggestions you have. Thanks.</div><span class="HOEnZb"><font color="#888888"><div><br></div><div>Victor</div></font></span></div>
</blockquote></div><br></div>
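<p>The two behaviours in this thread (the original <code>url_regex</code> never matching the HTTPS request, and the second version being "too greedy") can be reproduced by running both ACL definitions against the request URLs exactly as the posted access.log records them. The script below is an added example, not code from the thread or from the Squid project. It models a <code>url_regex -i</code> line as an unanchored, case-insensitive search over each pattern in the list, and feeds it the CONNECT URL (<code>www.reddit.com:443</code>, which carries no path) and the two decrypted GET URLs. The <code>tight</code> pattern is a hypothetical alternative that anchors on scheme and host and limits the path to <code>/r/news</code> and its sub-paths; it is an assumption, not something the thread proposes.</p>

```python
import re

# Request URLs as they appear in the access.log lines posted in the thread.
# Constructed from those log lines: the CONNECT request is logged with only
# host:port, the bumped (decrypted) request with the full https:// URL.
REQUESTS = [
    "www.reddit.com:443",                 # CONNECT, seen before ssl_bump decrypts
    "https://www.reddit.com/r/news",      # bumped GET that should be allowed
    "https://www.reddit.com/r/anything",  # bumped GET that should stay denied
]


def url_regex_acl(*patterns):
    """Model a Squid ``url_regex -i`` ACL line.

    Each pattern is an extended regex; the ACL matches when ANY pattern
    matches ANYWHERE in the request URL (an unanchored search), and the
    ``-i`` flag makes the comparison case-insensitive.
    """
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return lambda url: any(c.search(url) for c in compiled)


# The two ACL definitions from the thread, copied verbatim.
original = url_regex_acl(r"reddit.com/r/news")
greedy = url_regex_acl(r"reddit\.com\/r\/news", r"www\.reddit\.com\:443")

# Hypothetical tighter pattern (assumption, not from the thread): anchored to
# the scheme and host, and limited to /r/news and its sub-paths.
tight = url_regex_acl(r"^https://www\.reddit\.com/r/news(/|$)")


def evaluate(acl):
    """Return {url: matched} for every request URL in REQUESTS."""
    return {url: acl(url) for url in REQUESTS}


def main():
    for name, acl in [("original", original), ("greedy", greedy), ("tight", tight)]:
        print(f"== {name} ==")
        for url, matched in evaluate(acl).items():
            print(f"  {'MATCH' if matched else 'no   '} {url}")


if __name__ == "__main__":
    main()
```

<p>Running it shows why the log looks the way it does: <code>reddit.com/r/news</code> cannot match <code>www.reddit.com:443</code>, because the CONNECT URL has no path at all, so the CONNECT is denied before anything is decrypted. Adding <code>www\.reddit\.com\:443</code> as a second pattern makes the ACL match every CONNECT to that host, regardless of which subreddit the client will ask for, so the tunnel opens for <code>/r/anything</code> as well and the path-level decision is left entirely to whatever rule examines the decrypted request afterwards. The tighter pattern fixes the path matching on the decrypted request but, on its own, still denies the CONNECT; in a real configuration the CONNECT needs its own allow rule keyed on the server name rather than on the URL path (for instance one that combines the existing <code>CONNECT</code> method ACL with the <code>bump_sites</code> server-name ACL), which is an assumption about how the rules would be arranged, not something tested in the thread.</p>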