Squid Not Blocking SSL HTTPS Properly
As the YouTube you are trying to block is over HTTPS, you have a problem. The proxy doesn't decapsulate the HTTPS to know the URL and the content, so it is able to drop the connection. To solve your problem, you must look at the SSL Bump solution of Squid. It is not enabled by default because of licence issues, but you can easily recompile the package. The problem with this solution is that the client must know the certification authority used in the proxy, and this authority is local and allows creating a certificate for all the HTTPS sites. So you need to deploy the authority on all the PCs.
http://wiki.squid-cache.org/Features/SslBump
John
Updated on September 18, 2022
Comments
-
John over 1 year
So my goal here is to block only certain YouTube channels.
If I do:
    acl block_youtube dstdomain .youtube.com
    http_access deny block_youtube
it blocks any access to youtube.
If I do:
    acl block_youtube url_regex -i ^https://www.youtube.com/watch\?v=v2AC41dglnM
    http_access deny block_youtube
it doesn't block that particular page, even though I see this in my access_log.
    475862685.876 0 100.100.100.100 TAG_NONE/200 0 CONNECT www.youtube.com:443 - HIER_NONE/- -
    1475862686.359 412 100.100.100.100 TCP_MISS/200 51182 GET https://www.youtube.com/watch\?v=v2AC41dglnM - HIER_DIRECT/216.58.192.238 application/json
Does anyone have any idea how to resolve this?
-
Admin over 2 years: A very similar question with more comments and answers is: Pages don't get blocked with Squid over HTTPS
-
John over 7 years: I have already done all this already. If I didn't do this, I would not be seeing the https access in the logs.
-
Dom over 7 years: It is strange that in the logs there is a backslash before the question mark. You need to add one in your regex too.
-
John over 7 years: It's already in my regex, isn't it, or do I need it a special way? Not too familiar with regex.
-
Dom over 7 years: The '?' means the previous char can be optional. If you want a real ?, you need to escape it with a \. So your regex is OK, but the URL is not: to match, you should have "youtube.com/watch?v=v2AC41dglnM" (without backslash).
-
John over 7 years: It is a real character. So weird, I did a PHP script to rewrite the URLs and it is working fine now as a Squid redirect program. Now I am facing another issue as Squid isn't working in the iOS YouTube app.
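
An added example, not part of the original thread: this Python sketch applies the url_regex pattern from the question to the two access.log entries quoted there, and reports the two mismatches discussed above (a CONNECT request exposes only host:port, and a literal backslash before the ? is not matched by \?). It assumes Python's re module behaves like Squid's regex engine for this simple pattern; the function names are hypothetical.

```python
import re

# The url_regex pattern from the question; -i in squid.conf maps to re.IGNORECASE.
# Assumption: Python's re and Squid's regex engine agree on this simple pattern.
ACL_PATTERN = re.compile(r"^https://www.youtube.com/watch\?v=v2AC41dglnM", re.IGNORECASE)

# The two access.log entries quoted in the question (native log format).
SAMPLE_LOG = r"""
475862685.876 0 100.100.100.100 TAG_NONE/200 0 CONNECT www.youtube.com:443 - HIER_NONE/- -
1475862686.359 412 100.100.100.100 TCP_MISS/200 51182 GET https://www.youtube.com/watch\?v=v2AC41dglnM - HIER_DIRECT/216.58.192.238 application/json
"""

def parse_entry(line):
    """Return (method, url) from a native-format access.log line, or None."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return fields[5], fields[6]

def classify(method, url):
    """Explain whether the ACL pattern would match this request URL."""
    if ACL_PATTERN.search(url):
        return "match"
    if method == "CONNECT":
        # Tunnel request: only host:port is visible, no scheme or path.
        return "no match: CONNECT exposes host:port only"
    if "\\?" in url and ACL_PATTERN.search(url.replace("\\?", "?")):
        # Regex \? means a literal '?', so a literal backslash in the URL breaks it.
        return "no match: literal backslash before '?'"
    return "no match"

def audit(log_text):
    """Classify every parsable log entry as (method, url, verdict)."""
    results = []
    for line in log_text.strip().splitlines():
        entry = parse_entry(line)
        if entry:
            results.append((entry[0], entry[1], classify(*entry)))
    return results

if __name__ == "__main__":
    for method, url, verdict in audit(SAMPLE_LOG):
        print(f"{method:8} {url}\n         -> {verdict}")
```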