[squid-users] Unable to filter javascript exchanges

Alex Rousskov rousskov at measurement-factory.com
Tue Feb 20 19:55:18 UTC 2024


On 2024-02-12 17:40, speedy67 at chez.com wrote:

> I'm using Squid 3.5.24 (included in Synology DSM 6) and I've an issue 
> with time acl. All works fine except some websites like myhordes.de. 
> Once the user connected to this kind of website, the time acl has no 
> effect while the web page is not reloaded. All data sent and received 
> by the javascript scripts continue going thru the proxy server without 
> any filter.

Squid does not normally evaluate ACLs while tunneling traffic: Various 
directives are checked at the tunnel establishment time and after the 
tunnel is closed, but not when bytes are shoveled back and forth between 
a TCP client and a TCP server.

The same can be said about processing (large) HTTP message bodies.

If your use case involves CONNECT tunnels, intercepted (but not bumped) 
TLS connections, or very large/slow HTTP messages, then you need to 
enhance Squid to apply some [time-related] checks "in the middle of a 
[long] transaction".

https://wiki.squid-cache.org/SquidFaq/AboutSquid#how-to-add-a-new-squid-feature-enhance-of-fix-something

N.B. Squid v3 is very buggy and has not been supported by the Squid 
Project for many years. Please upgrade to Squid v6 or later. The upgrade 
itself will not add a "check directive X when tunneling for a long time" 
feature though.


HTH,

Alex.
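
Added example, not part of the reply above and not Squid project code: because ACLs are checked when a tunnel is established but not while bytes are relayed, a CONNECT entry in access.log can show a tunnel that stayed open after a time window closed. This Python script flags such entries, assuming the default native access.log format (field 1 is the logging time at transaction end in Unix seconds, field 2 is elapsed milliseconds) and a hypothetical 08:00-20:00 UTC window; the log lines are constructed.

```python
# Added example: find CONNECT tunnels that outlived a daily time window.
# Assumptions: native access.log format (field 1 = time logged at transaction
# end, field 2 = elapsed ms); the 08:00-20:00 UTC window is hypothetical.
from datetime import datetime, time, timedelta, timezone

ALLOW_START = time(8, 0)   # hypothetical window start (UTC)
ALLOW_END = time(20, 0)    # hypothetical window end (UTC)

# Constructed sample lines, not taken from any real log.
SAMPLE_LOG = """\
1708462800.000 5400000 192.0.2.10 TCP_TUNNEL/200 48211 CONNECT game.example:443 - HIER_DIRECT/198.51.100.7 -
1708455600.000   30000 192.0.2.11 TCP_TUNNEL/200 9120 CONNECT news.example:443 - HIER_DIRECT/198.51.100.8 -
1708455000.000     120 192.0.2.10 TCP_MISS/200 512 GET http://plain.example/ - HIER_DIRECT/198.51.100.9 text/html
"""

def tunnels_past_window(log_text):
    """Return (client, target, start, overrun_seconds) for CONNECT tunnels
    opened inside the allowed window and still open after it closed."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[5] != "CONNECT":
            continue  # only tunnels matter here; skip short or malformed lines
        try:
            logged = float(fields[0])
            elapsed_ms = int(fields[1])
        except ValueError:
            continue
        end = datetime.fromtimestamp(logged, tz=timezone.utc)
        start = end - timedelta(milliseconds=elapsed_ms)
        if not (ALLOW_START <= start.time() < ALLOW_END):
            continue  # opened outside the window, so the setup-time check applied
        # The window closes at ALLOW_END on the day the tunnel was opened.
        window_close = datetime.combine(start.date(), ALLOW_END, tzinfo=timezone.utc)
        if end > window_close:
            overrun = (end - window_close).total_seconds()
            findings.append((fields[2], fields[6], start, overrun))
    return findings

if __name__ == "__main__":
    for client, target, start, overrun in tunnels_past_window(SAMPLE_LOG):
        print(f"{client} -> {target} opened {start:%H:%M} UTC, "
              f"stayed open {overrun:.0f}s past the window")
```

A tunnel is logged only when it closes, so this reports overruns after the fact; it does not see tunnels that are still open.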


