Re: [squid-users] Not able to block https acces in squid.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 11 Dec 2012 00:55:17 +1300

On 10/12/2012 10:04 p.m., Naval saini wrote:
> I have configured squid on my CentOS 6.3 server and it's working fine. Now I want
> to allow facebook access only at lunch time. I have written an acl for this, but
> it's blocking http access; when I try to open facebook with https it is not
> blocking facebook in this mode. My code for http blocking:
>
> acl FACEBOOK dstdomain www.facebook.com
> acl LUNCH time MTWHF 13:00-14:00
> http_access allow FACEBOOK LUNCH
> http_access deny FACEBOOK
>
> These acl I am writing at the bottom of these lines:
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32 ::1
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
> and it is only blocking http requests but not https requests.
>
> I have tried to block this using this CONNECT acl but it is not working for me.
> http_access deny CONNECT FACEBOOK
> but it's also not working, and I want to know where to write this acl
> in the squid.conf file, whether at the bottom of these acl or anywhere in the
> squid.conf file.
>
> Please tell me the correct solution. I have searched a lot on this on Google
> but am not able to find a good one.

Firstly, you have assumed that the website only has one domain name.
"www.facebook.com" is not even their primary domain; "facebook.com" is.

A quick check of the domain shows that there is a different location for
the HTTPS version as well...

> squidclient -p 80 -h www.facebook.com /

HTTP/1.0 302 Found
Location: https://69.171.237.20/
Content-Type: text/html; charset=utf-8
X-FB-Debug: fbuQUJ9pSTXVUMuvNfBV5+NfKeOrkK0d9KRC4cYIvic=
Date: Mon, 10 Dec 2012 11:48:58 GMT
Connection: close
Content-Length: 0

*** the HTTPS connection is directed back to a load balancer service with
an IP address location, which also rotates through a set of IPs with each
request.

Amos
Received on Mon Dec 10 2012 - 11:55:22 MST
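
Added example, not part of the original message or of Squid itself: a simplified Python model of the two http_access rules from the question, showing which destinations the FACEBOOK acl matches as posted and with a leading-dot dstdomain pattern. It assumes the proxy cannot reverse-resolve the raw redirect IP, and all function names are illustrative.

```python
# Simplified model of Squid dstdomain matching and ordered http_access
# evaluation (first matching rule wins). Assumption: a raw IP destination
# has no reverse DNS name, so a dstdomain acl cannot match it.
from datetime import datetime

def dstdomain_match(patterns, host):
    """'name' matches that host only; '.name' also matches its subdomains."""
    host = host.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False

def in_lunch(when):
    """acl LUNCH time MTWHF 13:00-14:00 (Monday=0 .. Friday=4)."""
    minutes = when.hour * 60 + when.minute
    return when.weekday() < 5 and 13 * 60 <= minutes <= 14 * 60

def decide(facebook_patterns, host, when):
    """Apply the two rules from the post. None means neither rule matched,
    so the request falls through to the later http_access lines."""
    is_fb = dstdomain_match(facebook_patterns, host)
    if is_fb and in_lunch(when):      # http_access allow FACEBOOK LUNCH
        return "allow"
    if is_fb:                         # http_access deny FACEBOOK
        return "deny"
    return None

# Constructed sample destinations. For HTTPS the proxy sees only the CONNECT
# target, which after the redirect quoted in the reply is a bare IP address.
MORNING = datetime(2012, 12, 10, 10, 0)   # a Monday, outside LUNCH
HOSTS = ["www.facebook.com", "facebook.com", "69.171.237.20"]

def report(patterns, when=MORNING):
    return {h: decide(patterns, h, when) for h in HOSTS}

if __name__ == "__main__":
    print("as posted:", report(["www.facebook.com"]))
    print("wildcard :", report([".facebook.com"]))
```

In both cases the IP destination matches neither rule, which is the behaviour the reply points to for the HTTPS redirect.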
