unable to block https in squid
 

Greetings to All,
I want setup acl that will prevent access to limited websites but having issue to with https:// I tried https://facebook.com it opened that same gmail or orkut. here is my acl

Looking forward for your kind response.

Regards
Net_Spy

yes you need to block https...

acl secure proto https
http_access deny securehttp

@Net_spy: Are you trying to deny access to all https or just a few select hosts over https?

Thanks for you response but it does not work for me I can still access to https://www.facebook.com or such other website . well I want to block such website like facebook , orkut , gmail these are the website that opens with https aswell .


Regards
Net_Spy

Something like this might do:

Denying access to specific https sites gets a little tricky.

Keep in mind that in the access control entries I posted above, dst will tell squid to resolve the hostnames to IP addresses at parse time. This means that if e.g. facebook or orkut should change IP info, squid will not know about the change.

-------

edit: I was just doing some experimenting -- see if this works as well:

Using dstdomain would be better, since it would additionally block https:/foo.facebook.com for example.

well that does not work too have checked that rule by yourself , hope it will be resolved soon.


Regards
Net_Spy

I tested both options with squid 3.0.STABLE18, and both worked OK.

Post the acl-related entries from your squid.conf here. (Use code tags, please.)

Net_Spy, using dstdomain works for domains accessed with either HTTP or HTTPS. You should make sure you don't have some other ACL granting access. It's hard for us to tell what's going on since we don't have a complete view of the relevant section of your squid.conf. Also, keep in mind that stuff like this won't work for HTTPS:Squid doesn't see the URL when using HTTPS (only the host name and port number).

Following are the only acls that im using beside that ive safe port acl and virusport ssl thats it. Ive changed url_regex to dstdomain. but still same
I dont know what is wrong should.

Any idea ?

Regards
Net_Spy

I don't see any of our suggestions in your squid.conf.

anomie I've tried that suggestions aswell but it didnt work for me it is my
acl part in my squid.conf./


[CODE]

###########################################
# ACL Rules To Allow/Block
# Websites
###########################################
acl myclnts src "/home/scripts/ncc.squid"
acl flr-mgr src "/home/scripts/flr-mgr"
acl alwurl dstdomain "/home/scripts/alwurl"
acl CONNECT method CONNECT

acl httpsfail dstdomain .facebook.com
acl httpsfail dstdomain .orkut.com


## Following rule will allow only those site which are allowed for ncc.squid
http_access allow alwurl myclnts
http_access deny myclnts
deny_info ERR_NCC myclnts
http_access allow flr-mgr <== allow access to supervisors
http_access deny httpsfail
http_access deny CONNECT
#acl webaccess1 url_regex .google.com .yahoo.com
#acl youtube1 url_regex -i youtube facebook # This pattern wil be applied for all clients
#http_access deny youtube1 ## This rule will block youtube for all clients
#http_access deny all


[CODE]
Regards
Net_Spy

Try like this instead:

I'm curious as to why you're explicitly denying the CONNECT method. That would imply that you actually do want to allow HTTP, wouldn't it? Something like this would take care of both HTTP and HTTPS:

Ive tried that aswell but still I can access to it . using https://www.facebook.com or gmail or orkut. my squid version is 2.6 .

Regards
Net_Spy

You did stick those lines at the top of your file, right? Because otherwise, we'd still have doubts about another ACL granting access. Also, is this Squid running in transparent mode? If so, verify that the clients are configured to use Squid for HTTPS. I've seen many cases in which administrators forgot that only HTTP gets transparently proxied, while HTTPS would be getting SNATed if not filtered. BTW, what does the log file look like when you access, say, Facebook?