Blocking YouTube (appear to be on your list) is tricky, if the browser is chrome:
https://en.m.wikipedia.org/wiki/QUIC If you click on the 'green lock' and look at the connection you will see it's not using https (funnily enough, the ads there do!). Look at the wiki for more info on how to block QUIC. > On Apr 16, 2016, at 4:10 PM, Sergio Belkin <seb...@gmail.com> wrote: > > Hi, > > I cannot block some sites using squid 3.4.8, this the configuration. On > Firefox, blocking works, browser says: > > `Error code: SSL_ERROR_RX_RECORD_TOO_LONG` > > But on Chromium VersiĆ³n 49.0.2623.108, browser is not affected by the > blocking acl's, despite access_logs says: > > ```` > 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT 172.217.29.14:443 > HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE > 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "NONE error:invalid-request > HTTP/0.0" 400 4042 "-" "-" TAG_NONE:HIER_NONE > 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT 172.217.29.14:443 > HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE > 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT 172.217.29.14:443 > HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE > 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT 172.217.29.14:443 > HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE > 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "NONE error:invalid-request > HTTP/0.0" 400 4042 "-" "-" TAG_NONE:HIER_NONE > 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT 172.217.29.14:443 > HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE > 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] " > %BA%5D%B71A%E2%90C%BD0:Ep%82%99%FE%88 HTTP/0.0" 400 3638 "-" "-" > TAG_NONE:HIER_NONE > 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT 172.217.29.14:443 > HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE > 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "NONE error:invalid-request > HTTP/0.0" 400 4042 "-" "-" TAG_NONE:HIER_NONE > 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "CONNECT 172.217.29.14:443 > HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE > 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "NONE error:invalid-request > HTTP/0.0" 400 4042 "-" "-" TAG_NONE:HIER_NONE > 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] " %11Tf%03%A4%83%F3%8C%EE > HTTP/0.0" 400 3614 "-" "-" TAG_NONE:HIER_NONE > 192.168.80.250 - - [16/Apr/2016:19:53:17 -0300] "NONE error:invalid-request > HTTP/0.0" 400 4042 "-" "-" TAG_NONE:HIER_NONE > 192.168.80.250 - - [16/Apr/2016:19:53:23 -0300] "CONNECT 172.217.29.14:443 > HTTP/1.1" 403 3443 "-" "-" TCP_DENIED:HIER_NONE > 192.168.80.250 - - [16/Apr/2016:19:53:23 -0300] "NONE error:invalid-request > HTTP/0.0" 400 4042 "-" "-" TAG_NONE:HIER_NONE > ```` > > Debugging I've found this in cache.log: > > ```` > 2016/04/16 20:00:21.924 kid1| client_side.cc(864) swanSong: > local=172.217.28.225:443 remote=192.168.80.250:55068 flags=33 > 2016/04/16 20:00:21.925 kid1| Checklist.cc(62) preCheck: 0x7eff3754 checking > fast ACLs > 2016/04/16 20:00:21.925 kid1| Acl.cc(157) matches: checking access_log > daemon:/var/log/squid3/access.log > 2016/04/16 20:00:21.925 kid1| Acl.cc(157) matches: checking (access_log > daemon:/var/log/squid3/access.log line) > 2016/04/16 20:00:21.925 kid1| Acl.cc(177) matches: checked: (access_log > daemon:/var/log/squid3/access.log line) = 1 > 2016/04/16 20:00:21.926 kid1| Acl.cc(177) matches: checked: access_log > daemon:/var/log/squid3/access.log = 1 > 2016/04/16 20:00:21.926 kid1| Checklist.cc(55) markFinished: 0x7eff3754 > answer ALLOWED for match > ```` > > Please could you help? Am I missing something? Below, my configuration: > > ```` > acl localnet src 192.168.0.0/16 # RFC1918 possible internal network > acl SSL_ports port 443 > acl Safe_ports port 80 # http > acl Safe_ports port 21 # ftp > acl Safe_ports port 443 # https > acl Safe_ports port 70 # gopher > acl Safe_ports port 210 # wais > acl Safe_ports port 1025-65535 # unregistered ports > acl Safe_ports port 280 # http-mgmt > acl Safe_ports port 488 # gss-http > acl Safe_ports port 591 # filemaker > acl Safe_ports port 777 # multiling http > acl CONNECT method CONNECT > acl tvsamsung src 192.168.80.160 > acl sarmiento src 192.168.80.248 > acl netbook src 192.168.80.245 > acl dompermitidos dstdomain "/etc/squid3/rules/whitelistdom" > acl streaming dstdomain "/etc/squid3/rules/streaming" > acl test dstdomain .debian.org > acl streamingips dst "/etc/squid3/rules/streamingips" > acl sergiocel src 192.168.80.249 > acl tiempojuanse time SMTWHFA 10:00-13:00 > acl tiempojuanse time SMTWHFA 16:00-22:00 > acl yt dstdomain .youtube.com > acl facebook dstdomain .facebook.com > http_access deny !Safe_ports > http_access deny CONNECT !SSL_ports > http_access allow localhost manager > http_access deny manager > always_direct allow all > ssl_bump none all > sslproxy_cert_error allow all > sslproxy_flags DONT_VERIFY_PEER > http_access allow tvsamsung > http_access deny yt > http_access allow facebook > http_access deny streaming > http_access deny streamingips > http_access allow dompermitidos > http_access allow sarmiento > http_access allow localnet > http_access allow localhost > http_access deny all > http_port 3128 > http_port 3127 intercept > https_port 8080 intercept ssl-bump generate-host-certificates=on > dynamic_cert_mem_cache_size=4MB cert=/home/proxy/ssl_cert/example.com.cert > key=/home/proxy/ssl_cert/example.com.private > sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/spool/squid3_ssldb -M 4MB > access_log daemon:/var/log/squid3/access.log combined > coredump_dir /var/spool/squid3 > refresh_pattern ^ftp: 1440 20% 10080 > refresh_pattern ^gopher: 1440 0% 1440 > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 > refresh_pattern . 0 20% 4320 > ```` > > Thanks in advance! > -- > -- > Sergio Belkin > LPIC-2 Certified - http://www.lpi.org > _______________________________________________ > squid-users mailing list > squid-users@lists.squid-cache.org > http://lists.squid-cache.org/listinfo/squid-users
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
