<html><head></head><body><div style="color:#000; background-color:#fff; font-family:Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:13px"><div id="yui_3_16_0_ym19_1_1492444613556_16037">Hi Alex,</div><div id="yui_3_16_0_ym19_1_1492444613556_16038"><br></div><div id="yui_3_16_0_ym19_1_1492444613556_16039">Thank you and Sorry for not including the access log earlier.</div><div id="yui_3_16_0_ym19_1_1492444613556_16042"><br></div><div id="yui_3_16_0_ym19_1_1492444613556_15988" dir="ltr">1492449506.087 16 172.27.3.236 TCP_DENIED/200 0 CONNECT 192.30.255.113:443 - HIER_NONE/- -<br id="yui_3_16_0_ym19_1_1492444613556_15995">1492449521.807 5 172.27.3.236 TCP_DENIED/200 0 CONNECT 192.30.255.112:443 - HIER_NONE/- -<br id="yui_3_16_0_ym19_1_1492444613556_15996">1492449528.794 41 172.27.3.236 TCP_MISS/301 280 GET http://github.com/ - ORIGINAL_DST/192.30.255.113 -<br id="yui_3_16_0_ym19_1_1492444613556_15997">1492449528.799 0 172.27.3.236 TCP_DENIED/200 0 CONNECT 192.30.255.113:443 - HIER_NONE/- -<br></div><div id="yui_3_16_0_ym19_1_1492444613556_15984"><span><br></span></div><div id="yui_3_16_0_ym19_1_1492444613556_16026"><span id="yui_3_16_0_ym19_1_1492444613556_16068">Seems to be the case. Please help me with getting the correct configuration.</span></div><div id="yui_3_16_0_ym19_1_1492444613556_16013"><div id="yui_3_16_0_ym19_1_1492444613556_16119"><br></div><div id="yui_3_16_0_ym19_1_1492444613556_16120">Thanks you very much. <br></div><div id="yui_3_16_0_ym19_1_1492444613556_16145"><br></div></div><div class="signature" id="yui_3_16_0_ym19_1_1492444613556_15986"><span style="font-size:small;" id="yui_3_16_0_ym19_1_1492444613556_15998">-Shan</span></div> <div class="qtdSeparateBR"><br><br></div><div class="yahoo_quoted" style="display: block;"> <div style="font-family: Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 13px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"><font size="2" face="Arial"> On Monday, April 17, 2017 10:43 PM, Alex Rousskov <rousskov@measurement-factory.com> wrote:<br></font></div> <br><br> <div class="y_msg_container"><div dir="ltr">On 04/17/2017 10:55 AM, Shanmugam Sundaram wrote:<br clear="none"><br clear="none">> The goal is to splice only whitelist (github.com) and terminate all<br clear="none">> other domains.<br clear="none"><br clear="none">FYI: I do not know what you mean by "terminate", but if you mean "close<br clear="none">the client-to-Squid connection _without_ serving a Squid-generated error<br clear="none">response to the user", then your ssl_bump configuration does not reflect<br clear="none">your intent. It is easier to terminate non-github connections than to<br clear="none">respond with blocking error messages to non-github requests.<br clear="none"><br clear="none"><br clear="none">> acl http_whitelist dstdomain .github.com<br clear="none">> acl whitelist ssl::server_name .github.com<br clear="none"><br clear="none">> http_access allow http_whitelist localnet<br clear="none">> http_access deny all<br clear="none">> <br clear="none">> acl step1 at_step SslBump1<br clear="none">> ssl_bump peek step1<br clear="none">> ssl_bump splice whitelist<br clear="none">> ssl_bump bump all<br clear="none"><br clear="none"><br clear="none">Your Squid probably denies the fake CONNECT request during step1 (before<br clear="none">looking up SNI during step2). That fake CONNECT does not (and cannot)<br clear="none">have a host name (because you intercept) so it does not match your<br clear="none">"http_whitelist" ACL in the "http_access allow" rule quoted above,<br clear="none">following through to the "deny all" rule that always matches.<br clear="none"><br clear="none">An access log may be used to confirm or descard the above theory. This<br clear="none">is why I have asked you about access log records in my previous email.<div class="yqt2562381190" id="yqtfd28857"><br clear="none"><br clear="none">Alex.<br clear="none"><br clear="none"></div></div><br><br></div> </div> </div> </div></div></body></html>