Hi Amos. I wanted to try out the "ssl-bump splice" to send traffic to a peer found in the recent snapshots for 3.5.6/7 to block Google images. I compiled, configured and installed the latest 3.5 snapshot and added the directives you listed above to squid.conf, but I am not sure I got them right.

acl s1_tls_connect at_step SslBump1
acl s2_tls_client_hello at_step SslBump2
acl s3_tls_server_hello at_step SslBump3
acl tls_server_name_is_ip ssl::server_name_regex ^[0-9]+.[0-9]+.[0-9]+.[0-9]+n
acl google ssl::server_name .google.com
ssl_bump peek s1_tls_connect all
acl nobumpSites ssl::server_name .wellsfargo.com
ssl_bump splice s2_tls_client_hello nobumpSites
ssl_bump splice s2_tls_client_hello google
ssl_bump stare s2_tls_client_hello all
ssl_bump bump s3_tls_server_hello all
cache_peer forcesafesearch.google.com parent 443 0 name=GS originserver no-query no-netdb-exchange no-digest
acl search dstdomain .google.com
cache_peer_access GS allow search
cache_peer_access GS deny all
sslproxy_cert_error allow tls_server_name_is_ip
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER

When restarting Squid and searching in Google images for "sex" it still shows images that I want to be able to block with safesearch.

On Thu, Jul 16, 2015 at 11:24 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:

> On 19/05/2015 5:49 a.m., Andres Granados wrote:
> > Hello! I need help on how to block pornographic images of Google. I
> > was trying different options and still do not succeed. I tried
> > http_reply_access with request_header_add, and even a DNS
> > configuration. I think request_header_add is the best, though it
> > has not worked for me. I hope for your help; it is to implement in a
> > school, thanks!
> >
>
> FYI; Christos has added a tweak to the "ssl-bump splice" handling that
> permits sending the traffic to a cache_peer configured something like this:
>
> acl example ssl::server_name .example.com
> ssl_bump splice example
> ssl_bump peek all
>
> cache_peer forcesafesearch.example.com parent 443 0 \
>     name=GS \
>     originserver no-query no-netdb-exchange no-digest
>
> acl search dstdomain .example.com
> cache_peer_access GS allow search
> cache_peer_access GS deny all
>
> The idea being that you can use this on intercepted (or forward-proxy)
> HTTPS traffic instead of hacking about with DNS to direct clients at the
> servers Google use to present "safe" searching.
>
> This should be available in 3.5.7, or the current 3.5 snapshots.
>
> Cheers
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>