HTTPS sites specifics URL

Dante F. B. Colò
Hello Everyone

I have a question, probably a noob one: I'm trying to allow some
https sites with specific URLs (I mean https://domain.tld/blablabla),
but https sites are working only with the domain part. What do I have to
do to make this work?

Regards

Dante F. B. Colò



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: HTTPS sites specifics URL

Leonardo Rodrigues Magalhães

     That's correct, when not using the SSL-Bump feature (that's the one
you're looking for), squid will only see the domain part. All the rest
of the URL is encrypted and visible only to the client (browser) and the
server on the other side, the only two parties involved in that crypto
session.

     To enable squid to see the whole URL and be able to do full
filtering on HTTPS requests, you're looking for SSL-Bump feature. Google
for it, there's a LOT of tutorials and mailing list messages on that.


On 06/02/17 12:40, Dante F. B. Colò wrote:
> Hello Everyone
>
> I have a question , probably a noob one , i 'm trying to allow some
> https sites with specific URL's  (i mean https://domain.tld/blablabla)
> but https sites are working  only with the domain part , what i have
> to do to make this work ?
>

--


        Sincerely,
        Leonardo Rodrigues
        Solutti Tecnologia
        http://www.solutti.com.br

        My SPAMTRAP, do not email it
        [hidden email]




Re: HTTPS sites specifics URL

Dante F. B. Colò
Hi Leonardo,

Thanks for your reply. I tried SSL Bump under client-first and
server-first modes; both didn't work. Squid version is 3.4.14 running
under OpenBSD 5.6 and 5.7 test boxes. I also increased the log verbosity to
9 for the URL Parsing debug section to see if it shows something useful. I'll
post here my squid.conf and debug output from cache.log; if you
have some suggestion, tell me please.

2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
skipped duplicate profile: asndb
2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
skipped duplicate profile: carp
2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
skipped duplicate profile: userhash
2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
skipped duplicate profile: sourcehash
2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
skipped duplicate profile: server_list
2016/12/06 19:32:39.446 kid1| Finished loading MIME types and icons.
2016/12/06 19:32:39.469 kid1| src/base/AsyncCallQueue.cc(51) fireNext:
entering clientListenerConnectionOpened(local=172.17.198.19:3128
remote=[::] FD 18 flags=9, err=0, HTTP Socket port=0x8b3fb9ff418)
2016/12/06 19:32:39.470 kid1| src/base/AsyncCall.cc(30) make: make call
clientListenerConnectionOpened [call27542]
2016/12/06 19:32:39.470 kid1| Accepting SSL bumped HTTP Socket
connections at local=172.17.198.19:3128 remote=[::] FD 18 flags=9
2016/12/06 19:32:39.470 kid1| src/base/AsyncCallQueue.cc(53) fireNext:
leaving clientListenerConnectionOpened(local=172.17.198.19:3128
remote=[::] FD 18 flags=9, err=0, HTTP Socket port=0x8b3fb9ff418)
2016/12/06 19:33:05.727 kid1| src/comm/TcpAcceptor.cc(220) doAccept: New
connection on FD 18
2016/12/06 19:33:05.727 kid1| src/comm/TcpAcceptor.cc(295) acceptNext:
connection on local=172.17.198.19:3128 remote=[::] FD 18 flags=9
2016/12/06 19:33:05.727 kid1| src/client_side.cc(2407) parseHttpRequest:
HTTP Client local=172.17.198.19:3128 remote=172.17.200.11:50974 FD 9 flags=1
2016/12/06 19:33:05.727 kid1| src/client_side.cc(2408) parseHttpRequest:
HTTP Client REQUEST:
---------
CONNECT www.sans.org:443 HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0)
Gecko/20100101 Firefox/45.0
Proxy-Connection: keep-alive
Connection: keep-alive
Host: www.sans.org:443
Proxy-Authorization: Basic amVjYS50YXR1OjEyMzQ=


----------
2016/12/06 19:33:05.727 kid1| src/url.cc(386) urlParse: urlParse: Split
URL 'www.sans.org:443' into proto='', host='www.sans.org', port='443',
path=''
2016/12/06 19:33:05.727 kid1| Starting new basicauthenticator helpers...
2016/12/06 19:33:05.727 kid1| helperOpenServers: Starting 1/8
'basic_ncsa_auth' processes
2016/12/06 19:33:05.762 kid1| src/auth/User.cc(342) addIp: user
'jeca.tatu' has been seen at a new IP address (172.17.200.11:50974)
2016/12/06 19:33:05.763 kid1| src/client_side_request.cc(759)
clientAccessCheckDone: The request CONNECT www.sans.org:443 is DENIED;
last ACL checked: all
2016/12/06 19:33:05.763 kid1| src/errorpage.cc(1278) BuildContent: No
existing error page language negotiated for ERR_ACCESS_DENIED. Using
default error file.
2016/12/06 19:33:05.764 kid1| src/store.cc(1011) checkCachable:
StoreEntry::checkCachable: NO: not cachable
2016/12/06 19:33:05.764 kid1| src/client_side.cc(785) setAuth: Adding
connection-auth to local=172.17.198.19:3128 remote=172.17.200.11:50974
FD 9 flags=1 from SSL-bumped CONNECT
2016/12/06 19:33:05.767 kid1| src/client_side.cc(3562)
clientNegotiateSSL: clientNegotiateSSL: Session 0x8b414f73400 reused on
FD 9 (172.17.200.11:50974)
2016/12/06 19:33:05.768 kid1| src/client_side.cc(2407) parseHttpRequest:
HTTP Client local=172.17.198.19:3128 remote=172.17.200.11:50974 FD 9 flags=1
2016/12/06 19:33:05.768 kid1| src/client_side.cc(2408) parseHttpRequest:
HTTP Client REQUEST:
---------
GET /programs HTTP/1.1
Host: www.sans.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0)
Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie:
QSI_HistorySession=http%3A%2F%2Fwww.sans.org%2Fprograms~1486478958014
Connection: keep-alive


----------
2016/12/06 19:33:05.768 kid1| src/url.cc(386) urlParse: urlParse: Split
URL 'https://www.sans.org/programs' into proto='https',
host='www.sans.org', port='443', path='/programs'
2016/12/06 19:33:05.768 kid1| src/client_side_reply.cc(1969)
processReplyAccessResult: The reply for GET
https://www.sans.org/programs is ALLOWED, because it matched
'(access_log daemon:/var/squid/logs/access.log line)'
2016/12/06 19:33:05.769 kid1| src/client_side.cc(1459)
sendStartOfMessage: HTTP Client local=172.17.198.19:3128
remote=172.17.200.11:50974 FD 9 flags=1
2016/12/06 19:33:05.769 kid1| src/client_side.cc(1460)
sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 403 Forbidden
Server: squid/3.4.12
Mime-Version: 1.0
Date: Tue, 06 Dec 2016 21:33:05 GMT
Content-Type: text/html
Content-Length: 3342
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from openbsd57vm01
Via: 1.1 openbsd57vm01 (squid/3.4.12)
Connection: close

#################################################################

my squid.conf

cache_dir ufs /var/squid/cache 2048 16 256
cache_log /var/squid/logs/cache.log
cache_store_log daemon:/var/squid/logs/store.log
cache_mem 256 mb
max_filedescriptors 32768
acl eu src 172.17.200.11
acl SSL_ports port 443
acl CONNECT method CONNECT
debug_options ALL,2 23,9
http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager
auth_param basic program /usr/local/libexec/squid/basic_ncsa_auth /etc/squid/squid-passwd
auth_param basic children 8
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl password proxy_auth REQUIRED
acl jeca.tatu proxy_auth jeca.tatu
acl restrito url_regex -i  "/etc/squid/acl/restrito"
http_access allow password jeca.tatu restrito
http_access deny all

http_port 172.17.198.19:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB key=/etc/squid/pki/test.private cert=/etc/squid/pki/test.cert
acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
always_direct allow all
ssl_bump client-first all
sslproxy_cert_error allow all
sslproxy_cert_error allow BadSite
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_db -M 8MB
sslcrtd_children 7 startup=1 idle=1

coredump_dir /var/squid/cache


refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320




On 2/6/17 2:28 PM, Leonardo Rodrigues wrote:

>
>     That's correct, when not using SSL-Bump feature (that's the one
> you're looking for), squid will only see the domain part. All the rest
> of the URL is crypted and visible only to the client (browser) and the
> server on the other side, the only two parts involved on that crypto
> session.
>
>     To enable squid to see the whole URL and be able to do full
> filtering on HTTPS requests, you're looking for SSL-Bump feature.
> Google for it, there's a LOT of tutorials and mailing list messages on
> that.
>
>
> On 06/02/17 12:40, Dante F. B. Colò wrote:
>> Hello Everyone
>>
>> I have a question , probably a noob one , i 'm trying to allow some
>> https sites with specific URL's  (i mean
>> https://domain.tld/blablabla) but https sites are working  only with
>> the domain part , what i have to do to make this work ?
>>
>


Re: HTTPS sites specifics URL

Amos Jeffries
Administrator
On 8/02/2017 4:04 a.m., Dante F. B. Colò wrote:

> Hi Leonardo,
>
> Thanks for your reply,I tried SSL Bump under client-first and
> server-first modes both didn't work, Squid version is 3.4.14 running
> under OpenBSD 5.6 and 5.7 test boxes, i also increased verbosity log to
> 9 of the URL Parsing debug section to see if shows something useful , i
> 'll post here my squid.conf and debug output from cache.log, if you
> have some suggestion tell me please.
>
> 2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
> skipped duplicate profile: asndb
> 2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
> skipped duplicate profile: carp
> 2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
> skipped duplicate profile: userhash
> 2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
> skipped duplicate profile: sourcehash
> 2016/12/06 19:32:39.446 kid1| src/cache_manager.cc(89) registerProfile:
> skipped duplicate profile: server_list
> 2016/12/06 19:32:39.446 kid1| Finished loading MIME types and icons.
> 2016/12/06 19:32:39.469 kid1| src/base/AsyncCallQueue.cc(51) fireNext:
> entering clientListenerConnectionOpened(local=172.17.198.19:3128
> remote=[::] FD 18 flags=9, err=0, HTTP Socket port=0x8b3fb9ff418)
> 2016/12/06 19:32:39.470 kid1| src/base/AsyncCall.cc(30) make: make call
> clientListenerConnectionOpened [call27542]
> 2016/12/06 19:32:39.470 kid1| Accepting SSL bumped HTTP Socket
> connections at local=172.17.198.19:3128 remote=[::] FD 18 flags=9
> 2016/12/06 19:32:39.470 kid1| src/base/AsyncCallQueue.cc(53) fireNext:
> leaving clientListenerConnectionOpened(local=172.17.198.19:3128
> remote=[::] FD 18 flags=9, err=0, HTTP Socket port=0x8b3fb9ff418)
> 2016/12/06 19:33:05.727 kid1| src/comm/TcpAcceptor.cc(220) doAccept: New
> connection on FD 18
> 2016/12/06 19:33:05.727 kid1| src/comm/TcpAcceptor.cc(295) acceptNext:
> connection on local=172.17.198.19:3128 remote=[::] FD 18 flags=9
> 2016/12/06 19:33:05.727 kid1| src/client_side.cc(2407) parseHttpRequest:
> HTTP Client local=172.17.198.19:3128 remote=172.17.200.11:50974 FD 9
> flags=1
> 2016/12/06 19:33:05.727 kid1| src/client_side.cc(2408) parseHttpRequest:
> HTTP Client REQUEST:
> ---------
> CONNECT www.sans.org:443 HTTP/1.1
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0)
> Gecko/20100101 Firefox/45.0
> Proxy-Connection: keep-alive
> Connection: keep-alive
> Host: www.sans.org:443
> Proxy-Authorization: Basic amVjYS50YXR1OjEyMzQ=
>
>
> ----------
...
> 2016/12/06 19:33:05.762 kid1| src/auth/User.cc(342) addIp: user
> 'jeca.tatu' has been seen at a new IP address (172.17.200.11:50974)

... the "password" ACL works.

... the "jeca.tatu" ACL is redundant.

> 2016/12/06 19:33:05.763 kid1| src/client_side_request.cc(759)
> clientAccessCheckDone: The request CONNECT www.sans.org:443 is DENIED;
> last ACL checked: all

... the "restrito" ACL does not match "www.sans.org:443".

... the "deny all" blocks this CONNECT request.


> 2016/12/06 19:33:05.764 kid1| src/client_side.cc(785) setAuth: Adding
> connection-auth to local=172.17.198.19:3128 remote=172.17.200.11:50974
> FD 9 flags=1 from SSL-bumped CONNECT

... Squid then goes on and bumps the request. But only so that it can
deliver the error message in a way which browsers will display.

> 2016/12/06 19:33:05.767 kid1| src/client_side.cc(3562)
> clientNegotiateSSL: clientNegotiateSSL: Session 0x8b414f73400 reused on
> FD 9 (172.17.200.11:50974)
...

> 2016/12/06 19:33:05.769 kid1| src/client_side.cc(1460)
> sendStartOfMessage: HTTP Client REPLY:
> ---------
> HTTP/1.1 403 Forbidden
> Server: squid/3.4.12
> Mime-Version: 1.0
> Date: Tue, 06 Dec 2016 21:33:05 GMT
> Content-Type: text/html
> Content-Length: 3342
> X-Squid-Error: ERR_ACCESS_DENIED 0
> Vary: Accept-Language
> Content-Language: en
> X-Cache: MISS from openbsd57vm01
> Via: 1.1 openbsd57vm01 (squid/3.4.12)
> Connection: close
>
> #################################################################
>
> my squid.conf
>
...

> acl password proxy_auth REQUIRED
> acl jeca.tatu proxy_auth jeca.tatu
> acl restrito url_regex -i  "/etc/squid/acl/restrito"
> http_access allow password jeca.tatu restrito
> http_access deny all
>
> http_port 172.17.198.19:3128 ssl-bump generate-host-certificates=on
> dynamic_cert_mem_cache_size=8MB key=/etc/squid/pki/test.private
> cert=/etc/squid/pki/test.cert
> acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
> always_direct allow all

You don't need that "always_direct allow all". It was a workaround for a
3.1 bug which is long since fixed.

> ssl_bump client-first all

> sslproxy_cert_error allow all
> sslproxy_cert_error allow BadSite
> sslproxy_flags DONT_VERIFY_PEER

Remove the "allow all" and DONT_VERIFY_PEER lines. They are very bad,
particularly for testing. You *want* to see what problems are when debugging.

Amos

Re: HTTPS sites specifics URL

Dante F. B. Colò
Hi Amos,

What I'm trying to do is allow the URL "www.sans.org/programs" as an
example. The acl file "restrito" contains this URL but it's not working;
https URLs are working only with the domain part, which in this case means I
have to remove "/programs".




Re: HTTPS sites specifics URL

Amos Jeffries
Administrator
On 9/02/2017 1:07 a.m., Dante F. B. Colò wrote:
> Hi Amos,
>
> What i'm trying to do is allow the url "www.sans.org/programs" as an
> example, the acl  file "restrito" contain this URL but it's not working,
> https urls are working only with the domain part which in this case i
> have to remove "/programs"
>

You still have to first accept the client CONNECT request before you can
do anything with that request's data to find the path portion of the URL.

Amos
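
The two-stage check described in the reply above, written out as a squid.conf fragment for the Squid 3.4 setup posted earlier in the thread (an added example, not part of any message in this thread). The ACL name allowed_hosts and the sample regex in the comments are assumptions; the other names and paths come from the posted configuration.

```conf
# Added example, not from the thread. "allowed_hosts" is a hypothetical ACL name.

acl SSL_ports port 443
acl CONNECT method CONNECT
acl password proxy_auth REQUIRED

# Stage 1 ACL: the CONNECT request only carries host:port
# (the log shows: Split URL 'www.sans.org:443' ... path=''),
# so the tunnel has to be matched by domain, not by a path regex.
acl allowed_hosts dstdomain www.sans.org

# Stage 2 ACL: after the bump, the decrypted request has the full URL
# (the log shows: 'https://www.sans.org/programs' ... path='/programs').
# Constructed sample line for /etc/squid/acl/restrito:
#   ^https://www\.sans\.org/programs
acl restrito url_regex -i "/etc/squid/acl/restrito"

http_access deny CONNECT !SSL_ports

# Stage 1: accept the CONNECT so Squid can bump it and see inside.
# Cheap ACLs first, authentication last.
http_access allow CONNECT allowed_hosts password

# Stage 2: path-level filtering on the requests inside the tunnel.
# The posted log shows Squid attaching the CONNECT credentials to the
# bumped connection ("Adding connection-auth ... from SSL-bumped CONNECT").
http_access allow password restrito

# Everything else, including other paths on www.sans.org, is refused.
http_access deny all

ssl_bump client-first all

# Left out on purpose, following the advice in the thread:
#   always_direct allow all
#   sslproxy_cert_error allow all
#   sslproxy_flags DONT_VERIFY_PEER
```

With this ordering the CONNECT for www.sans.org:443 is no longer caught by "deny all", and a bumped GET for a path outside the regex list still ends in ERR_ACCESS_DENIED.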
