Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.


Old 07-23-2013, 03:33 AM   #1
Unable to block HTTPS squid3

Hello everyone.

After searching the net for hours, I'm not able to block HTTPS CONNECT on my squid.
I made some tries on one computer which has the proxy's IP in its parameters (so I guess squid is not in transparent mode).

Anyway, here is my squid.conf:

http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow serveur
http_access allow localhost
http_access deny all

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
And here is one of my ACL rules to block:

acl yt dstdomain
http_reply_access deny  yt 
http_access deny CONNECT yt
With that rule it is blocked, but not HTTPS.

Please, can someone figure out where the problem is? Thanks
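A common cause of exactly this symptom is rule order rather than the ACL itself: Squid walks the http_access list top-down and the first line whose ACLs all match decides, so a `http_access deny CONNECT yt` that ends up below `http_access allow localnet` (for instance because it was appended at the end of the file) never fires for LAN clients, while the CONNECT to port 443 sails past `deny CONNECT !SSL_ports` because 443 is in SSL_ports. The block below is an added example written for this thread, not the poster's configuration and not Squid code: a deliberately simplified simulation of Squid's http_access evaluation covering only the ACL types the post uses, run over two constructed configurations. The LAN range 192.168.1.0/24 and the domain .example.com are assumptions standing in for values the post does not show.

```python
"""Simplified simulation of Squid's http_access evaluation (added example for
this thread; not Squid code and not the poster's file). Models only the ACL
types src, port, method and dstdomain, '!' negation and first-match evaluation:
the first http_access line whose ACLs all match decides, and if none matches
the opposite of the last line's action applies."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    method: str  # "GET", "CONNECT", ...
    host: str    # destination host; for CONNECT, the tunnel target
    port: int
    src: str     # client IP address

# Squid 3.2+ predefines these ACLs; the simulation spells them out.
BUILTIN_ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "CONNECT": ("method", ["CONNECT"]),
}

def parse_config(text):
    """Return ({acl_name: (type, [values])}, [(action, [acl_names])])."""
    acls = {n: (t, list(v)) for n, (t, v) in BUILTIN_ACLS.items()}
    rules = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] == "acl":  # repeated acl lines accumulate values
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acl_type, values, req):
    if acl_type == "src":
        ip = ipaddress.ip_address(req.src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "port":
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if acl_type == "method":
        return req.method.upper() in (v.upper() for v in values)
    if acl_type == "dstdomain":
        host = req.host.lower()
        for v in values:
            v = v.lower()
            # A leading dot matches the domain and its subdomains;
            # without the dot only the exact host name matches.
            if v.startswith(".") and (host == v[1:] or host.endswith(v)):
                return True
            if host == v:
                return True
        return False
    raise ValueError(f"acl type {acl_type!r} not modelled here")

def http_access(acls, rules, req):
    """First-match evaluation of the http_access list."""
    for action, names in rules:
        if all(acl_matches(*acls[n.lstrip("!")], req) != n.startswith("!")
               for n in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

def decide(conf_text, req):
    acls, rules = parse_config(conf_text)
    return http_access(acls, rules, req)

# Constructed configs modelled on the post; .example.com stands in for the
# domain the post does not show. BROKEN_CONF has the tunnel deny below
# 'allow localnet', where it lands when appended to the end of the file;
# FIXED_CONF moves it above the allow.
COMMON = """
acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl yt dstdomain .example.com
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
"""
BROKEN_CONF = COMMON + """
http_access allow localnet
http_access allow localhost
http_access deny CONNECT yt
http_access deny all
"""
FIXED_CONF = COMMON + """
http_access deny CONNECT yt
http_access allow localnet
http_access allow localhost
http_access deny all
"""
TUNNEL = Request("CONNECT", "www.example.com", 443, "192.168.1.10")

if __name__ == "__main__":
    print("broken order:", decide(BROKEN_CONF, TUNNEL))  # allow
    print("fixed order: ", decide(FIXED_CONF, TUNNEL))   # deny
```

The simulation also shows why a deny restricted to CONNECT leaves plain HTTP to the same domain untouched: a rule `http_access deny yt` (no CONNECT) placed above the allow covers both. After reordering a real squid.conf, `squid -k parse` checks the syntax and `squid -k reconfigure` loads it.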
Old 07-24-2013, 12:04 AM   #2
Hi! Welcome to LQ

I've done this recently for my system.

To drop incoming TCP connections on port 443 for a web server (HTTPS):
# iptables -A TCP -p tcp --dport 443 -j DROP
A packet that matches a rule perfectly and is then Dropped will be blocked.
Note that this action might in certain cases have an unwanted effect,
since it could leave dead sockets around on either host.
A better solution in cases where this is likely would be to use the
REJECT target
The REJECT target works basically the same as the DROP target,
but it also sends back an error message to the host sending the packet
that was blocked.
Note that all chains that use the REJECT target may only be called by
the INPUT, FORWARD, and OUTPUT chains, else they won't work.

End of my iptables script:
## --- FORWARD CHAIN --- ##

	# Stateful inspection -- Forward in connections already established

	# Forward out all traffic


## --- OUTPUT CHAIN --- ##
#	# Follows policy

## --- NAT --- ##

	# Enable masquerade


## -- Transparent proxy to Squid --- ##

	$IPTABLES -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-port 3128
Squid config:

# Squid normally listens to port 3128
#http_port 3128 transparent
#http_port intercept connection-auth=off
http_port intercept connection-auth=off
WARNING: authentication can't be used in a transparently intercepting
proxy as the client then thinks it is talking to an origin server and
not the proxy. This is a limitation of bending the TCP/IP protocol to
transparently intercepting port 80, not a limitation in Squid.
Ports flagged 'transparent', 'intercept', or 'tproxy' have
authentication disabled.
set browsers to not use a proxy! ;-)

Hope this gives you some info.

Regards Glenn
1 members found this post helpful.
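The firewall side of the setup Glenn describes, as an added example that is not part of his post: the rules his fragment implies, collected in one function that emits iptables commands so they can be reviewed before anything is applied. Port 80 is redirected into Squid; port 443 is refused at the gateway with REJECT rather than DROP, as he recommends, and is deliberately not redirected, since `http_port intercept` expects cleartext HTTP. The interface names eth1 (LAN) and eth0 (uplink) and the Squid port 3128 are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (editor's, not Glenn's script): the gateway-side rules his
# fragment implies, collected in one function that emits iptables commands.
# Nothing is applied unless APPLY=1, so it can be read and dry-run first.
# Assumed, not from the thread: LAN interface eth1, uplink eth0, Squid on
# port 3128 with 'http_port 3128 intercept'.
INT_IF="${INT_IF:-eth1}"
EXT_IF="${EXT_IF:-eth0}"
SQUID_PORT="${SQUID_PORT:-3128}"

build_rules() {
    # Stateful forwarding: replies for established flows always pass.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # HTTPS from the LAN is refused before the general allow below. REJECT
    # with tcp-reset instead of DROP (as the post recommends) so the browser
    # fails immediately rather than hanging until its connect timeout.
    echo "iptables -A FORWARD -i $INT_IF -p tcp --dport 443 -j REJECT --reject-with tcp-reset"
    # Everything else from the LAN may go out.
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -j ACCEPT"
    # Transparent proxy: only cleartext HTTP is redirected into Squid; 443 is
    # deliberately not, since 'http_port intercept' expects plain HTTP.
    echo "iptables -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE"
}

if [ "${APPLY:-0}" = "1" ]; then
    build_rules | sh -e    # apply for real; requires root
else
    build_rules            # dry run: print the rules only
fi
```

Run it without APPLY to review the output first. The REJECT rule has to come before the general LAN-to-uplink ACCEPT because iptables, like Squid's http_access list, takes the first matching rule; and with the browsers configured not to use a proxy, as Glenn says, HTTP goes through Squid transparently while HTTPS connections are reset at the gateway.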
Old 07-25-2013, 02:12 AM   #3
Original Poster

Thanks Glenn, I've now got this working.
Old 07-25-2013, 02:33 AM   #4
Hi, I'm glad this info helped.

Please use the "thread tools" to mark your thread as "SOLVED"

Thank you and all the best, Glenn

