Re: [squid-users] squid 2.6/block https

From: Henrik Nordstrom <henrik_at_henriknordstrom.net>
Date: Wed, 05 Nov 2008 20:56:08 +0100

On Wed, 2008-11-05 at 17:57 +0530, sohan krishi wrote:

> My configuration is Ubuntu-iptables-squid2.6/Transparent Proxy. I
> block gmail to all employees in my company. My problem is, squid does
> not block https://gmail.com. And does not even log https://gmail.com !
> I didn't know this until I've seen one of our employees browsing gmail!

It's because https is encrypted on port 443.

> I did add this to my iptables : #iptables -t nat -A PREROUTING -i eth1
> -p tcp --dport 443 -j DNAT --to eth0:3128 but get this message in
> access.log : error:unsupported-request-method

It's because https is encrypted. It sort of works if you redirect it to
an https_port, but probably not what you want as it breaks many things.

The proper solution to all this is to use proxy settings. It's fairly
easy to roll out proxy settings company wide using group policies or
login scripts or even auto discovery using WPAD, and then use
interception and firewalling only as a backup method for those who for
some reason did not get the proxy settings.

> Can anyone please help me how to block gmail. I want to block
> gmail/gtalk to all IPs except couple of IPs.

You'll have to block port 443 traffic to all addresses used by google
servers almost..

Regards
Henrik
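Henrik's point about rolling out proxy settings via WPAD, as an added example that is not part of the thread: a minimal wpad.dat (PAC script) that sends all browser traffic, https included, through the squid http_port, so https arrives as CONNECT requests that squid can log and match with acls instead of being invisible to interception. The proxy address 192.0.2.10:3128, the 10.0.0.0/8 subnet and the *.example.internal domain are placeholders; the three helper functions at the top are shims for what the browser normally provides, included only so the script runs outside a browser.

```javascript
// Shims for PAC helpers the browser supplies. Assumption: in a real browser
// these are built in and isInNet() resolves hostnames; this isInNet() shim
// only understands literal IPv4 addresses and does no DNS lookups.
function isPlainHostName(host) { return host.indexOf(".") === -1; }

function shExpMatch(str, pattern) {
  // Shell-style glob: escape regex metacharacters, then map * and ? over.
  var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*")
                        .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

function isInNet(ip, net, mask) {
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(ip)) return false;
  var toInt = function (a) {
    return a.split(".").reduce(function (n, o) {
      return (n << 8) + parseInt(o, 10);
    }, 0) >>> 0;
  };
  return (toInt(ip) & toInt(mask)) === (toInt(net) & toInt(mask));
}

// Placeholder values: replace with the real squid address and internal ranges.
var PROXY = "PROXY 192.0.2.10:3128";
var DIRECT = "DIRECT";

function FindProxyForURL(url, host) {
  // Intranet names and internal addresses bypass the proxy.
  if (isPlainHostName(host) || shExpMatch(host, "*.example.internal")) {
    return DIRECT;
  }
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return DIRECT;
  }
  // Everything else, http and https alike, goes to squid. An https URL is
  // sent as "CONNECT host:443", so squid sees the destination host, logs it
  // in access.log and can apply dstdomain acls to it.
  return PROXY;
}
```

Serve the file as http://wpad/wpad.dat (or push its URL by group policy) so browsers with auto discovery enabled pick it up; clients that ignore it are the ones the iptables interception rules still have to cover.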

Received on Wed Nov 05 2008 - 19:56:34 MST