[squid-users] acl for redirect

Amos Jeffries squid3 at treenet.co.nz
Wed Jun 24 11:36:44 UTC 2015


On 24/06/2015 11:03 a.m., Mike wrote:
> We have a server setup using squid 3.5 and e2guardian (newer branch of
> dansguardian), the issue is now google has changed a few things around
> and google is no longer filtered which is not acceptable. We already
> have the browser settings for SSL Proxy set to our server, and squid has
> ssl-bump enabled and working. Previously there was enough unsecure
> content on Google that the filtering was still working, but now google
> has gone 100% encrypted meaning it is 100% unfiltered.

Maybe, maybe not.

> What is happening
> is it is creating an ssl tunnel (for lack of a better term) between

No. That is the correct and official term for what they are doing. And
"CONNECT tunnel" is the full phrase / name for the particular method of
tunnel creation.


> their server and the browser, so all squid sees is the connection to
> www.google.com, and after that it is tunneled and not recognized by
> squid or e2guardian at all.

BUT ... you said you were SSL-Bump'ing. Which means you are decrypting
such tunnels to filter the content inside them.

So what is the problem? is your method of bumping not decrypting the
Google traffic for Squid access controls and helpers to filter?

Note that DansGuardian and e2guardian being independent HTTP proxies are
not party to that SSL-Bump decrypted content inside Squid. ONly Squid
internals and ICAP/eCAP services have access to it.

> 
> I found a few options online that was used with older squid versions but
> nothing is working with squid 3.5... Looking for something like this:
> 
> acl google dstdomain .google.com
> deny_info http://www.google.com/webhp?nord=1 google

As you said Google have gone 100% HTTPS. URLs beginning with http:// are
not HTTPS nor accepted there anymore. If used they just get a 30x
redirect to an https:// URL.

Amos



More information about the squid-users mailing list