[squid-users] Problem in allowing only selected https sites and denying all others !!!

From: Shiva Raman <raman.shivag_at_gmail.com>
Date: Wed, 14 May 2008 11:00:55 +0530

Hi

I am using Centos 5, Squid Cache: Version 2.6.STABLE6 and
my local lan network is 192.168.10.0/24. More than 150 users
are concurrently accessing the squid proxy server.

Following is my requirement

1) Access to all http sites
2) Access to only selected https sites like redhat.com, paypal.com,
and all other https sites should be denied.

Following is my squid.conf
----------------------------

http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 443 # https
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.10.0/24 192.168.20.0/24
acl myhttps dstdomain .redhat.com
http_access allow our_networks
http_access deny our_networks SSL_ports !myhttps
http_access deny our_networks
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname myoffice
coredump_dir /var/spool/squid

----------------------------------

From the above configuration, the problem I am facing here is that all
the https sites are accessible to the users,
even if I had allowed only 'myhttps'. Is it possible to block
specific https sites as per my requirement?

Also, is it necessary to define port 443 in both SSL_ports as well as
Safe_ports?
When I remove 443 from Safe_ports, I am not able to access any https sites.

Thanks for any help

Regards

Shiva Raman.
SysAdmin
Received on Wed May 14 2008 - 05:30:58 MDT
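To see why the posted rules behave as described, here is an added Python model (not Squid code and not part of the original thread) of Squid's first-match http_access evaluation, run over the ACLs and http_access lines quoted above and then over the same lines with the HTTPS restriction placed ahead of the blanket allow. The LAN client address and the three request targets are constructed for the example.

```python
import ipaddress
# ACL definitions copied from the posted squid.conf into a constructed model
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "SSL_ports": ("port", [(443, 443)]),
    "Safe_ports": ("port", [(443, 443), (80, 80), (21, 21), (1025, 65535)]),
    "CONNECT": ("method", ["CONNECT"]),
    "our_networks": ("src", ["192.168.10.0/24", "192.168.20.0/24"]),
    "myhttps": ("dstdomain", [".redhat.com"]),
}

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in values)
    if kind == "port":
        return any(lo <= req["port"] <= hi for lo, hi in values)
    if kind == "method":
        return req["method"] in values
    # dstdomain: a leading dot matches the domain itself and all of its subdomains
    return any(req["host"] == v.lstrip(".") or (v[0] == "." and req["host"].endswith(v)) for v in values)

def http_access(rules, req):
    # Squid semantics: every term on a line must match ("!" negates a term), the first
    # matching line decides, and if no line matches the result is the opposite of the last action
    for action, terms in rules:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"

# http_access lines exactly as posted: the blanket allow for our_networks comes first
POSTED = [
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["our_networks"]),
    ("deny", ["our_networks", "SSL_ports", "!myhttps"]),
    ("deny", ["our_networks"]),
    ("deny", ["all"]),
]
# The same lines with the HTTPS restriction placed above the blanket allow
REORDERED = POSTED[:2] + [POSTED[3], POSTED[2], POSTED[5]]

# Three constructed requests from a LAN client: paypal via CONNECT, redhat via CONNECT, plain http
REQUESTS = [{"src": "192.168.10.25", "host": h, "port": p, "method": m} for h, p, m in
            (("www.paypal.com", 443, "CONNECT"), ("www.redhat.com", 443, "CONNECT"),
             ("example.org", 80, "GET"))]

def decisions(rules):
    return tuple(http_access(rules, r) for r in REQUESTS)

print("posted   :", decisions(POSTED))     # ('allow', 'allow', 'allow'): the allow line wins first
print("reordered:", decisions(REORDERED))  # ('deny', 'allow', 'allow'): only redhat over https
```

Removing 443 from Safe_ports in this model makes the very first line deny every CONNECT to port 443, which matches the second symptom described in the post.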