FYI, I finally solved my problem! It turns out the problem was with PRE-ESTABLISHED connections...
In other words, when I turned on my transparent rules, any Chrome tabs I had opened BEFORE turning on my transparent proxy rules, apparently would communicate over a previously opened socket! So the filtering rules would only apply after the port was closed OR after I reopened the browser.

In order to solve it, I simply had to add a FORWARD drop rule for any established connections:

    iptables -A FORWARD -p tcp -m tcp --dport 80 -m state --state RELATED,ESTABLISHED -j DROP
    iptables -A FORWARD -p tcp -m tcp --dport 443 -m state --state RELATED,ESTABLISHED -j DROP

Hope this will be helpful to someone else!
Luis

On Sat, Feb 7, 2015 at 8:28 PM, Luis Miguel Silva <luismiguelferreirasi...@gmail.com> wrote:

> Ok, I'm using 3.4.9, so I've added that config option to my setup :o)
>
> Thanks for the tip!
> Luis
>
> On Sat, Feb 7, 2015 at 6:11 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:
>
>> On 8/02/2015 5:34 a.m., Luis Miguel Silva wrote:
>> > I did when you sent it but it seemed to me you were saying I should add
>> > that "reply_header_access Alternate-Protocol deny all" config parameter
>> > but, on the other hand, I didn't understand why were you suggesting that,
>> > seeing that my problem is that Chrome doesn't go through my proxy at all!
>> > (I'm doing transparent proxying, NOT setting up a proxy in Chrome).
>> >
>> > I've now re-read your email and it seemed you were telling me to upgrade to
>> > 3.5.x (which I hadn't understood the last time I read your email). I
>> > apologize that I didn't understand what you were saying.
>> >
>>
>> No worries. I was saying both.
>>
>> > So are you saying I must upgrade to Squid 3.5.x to fix this? Why would that
>> > header fix it, seeing that my problem is that Chrome is bypassing the proxy
>> > altogether?
>>
>> The web server actively tells Chrome to use QUIC on future requests.
>> Remove that header from traffic and Chrome stops using QUIC (maybe
>> requires Chrome restart).
>>
>> The removal is built into 3.4.10+ by default, but the config line I
>> presented does the same thing in older versions back to 3.2.
>>
>> Amos
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
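An added diagnostic sketch, not part of the original thread: NAT-table rules are evaluated only for the first packet of a connection, which is why sockets opened before the transparent rules existed kept bypassing the proxy. Assuming interception is done with a NAT redirect, the function below reads `conntrack -L` style output and lists ESTABLISHED flows to port 80/443 whose reply tuple was never rewritten; the sample lines, the 192.0.2.1:3129 intercept address and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). On a live gateway, feed it with:
#   conntrack -L -p tcp 2>/dev/null | unredirected_flows

# Print "client:port -> server:port" for every ESTABLISHED TCP flow to
# port 80 or 443 that NAT left untouched (reply tuple mirrors the original).
unredirected_flows() {
    awk '
    $1 == "tcp" && $4 == "ESTABLISHED" {
        n = 0
        # Each conntrack line carries two tuples: original, then reply.
        for (i = 5; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "src")   { n++; src[n] = kv[2] }
            if (kv[1] == "dst")   { dst[n] = kv[2] }
            if (kv[1] == "sport") { sport[n] = kv[2] }
            if (kv[1] == "dport") { dport[n] = kv[2] }
        }
        if (n < 2) next
        if (dport[1] != "80" && dport[1] != "443") next
        # A redirected flow is answered by the proxy address and port;
        # an unredirected one is answered by the original destination.
        if (src[2] == dst[1] && sport[2] == dport[1])
            print src[1] ":" sport[1] " -> " dst[1] ":" dport[1]
    }'
}

# Constructed sample: one bypassing HTTPS flow, one redirected HTTP flow
# (reply from the assumed proxy 192.0.2.1:3129), one TIME_WAIT, one SSH.
sample_conntrack() {
    cat <<'EOF'
tcp      6 431990 ESTABLISHED src=192.0.2.10 dst=198.51.100.7 sport=50112 dport=443 src=198.51.100.7 dst=192.0.2.10 sport=443 dport=50112 [ASSURED] mark=0 use=1
tcp      6 431995 ESTABLISHED src=192.0.2.10 dst=198.51.100.7 sport=50240 dport=80 src=192.0.2.1 dst=192.0.2.10 sport=3129 dport=50240 [ASSURED] mark=0 use=1
tcp      6 110 TIME_WAIT src=192.0.2.11 dst=198.51.100.9 sport=40100 dport=80 src=198.51.100.9 dst=192.0.2.11 sport=80 dport=40100 [ASSURED] mark=0 use=1
tcp      6 431000 ESTABLISHED src=192.0.2.11 dst=198.51.100.9 sport=40200 dport=22 src=198.51.100.9 dst=192.0.2.11 sport=22 dport=40200 [ASSURED] mark=0 use=1
EOF
}

# Demo on the constructed sample.
sample_conntrack | unredirected_flows
```

Any flow this reports after the interception rules are loaded is one that the FORWARD DROP rules in the message above would cut off.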