This is a bit dangerous. Any non-intermediate CA certs in that PEM file
will allow remote hijacking of your proxy's outbound connections by
clients of that root CA.
That said, you already completely disabled *ALL* verify checks on the
server certs with DONT_VERIFY_PEER - so anyone can already hijack your
traffic without needing to go to the trouble of even having their certs
signed. All they need is some garbage bytes that use the correct X.509
_format_ used by certs.
After you upgrade your Squid, change that to
sslproxy_foreign_intermediate_certs which will only load intermediate
certs for use. If your upgraded Squid does not accept that directive it
is still too old to use safely for SSL-Bump.
What are the http_port and https_port lines you are using?
> First, I can block facebook by using this command:
> acl facebook dstdomain .facebook.com
> http_access deny CONNECT facebook
You can only block domains like that if:
a) you are using explicit proxy and the client sent a CONNECT with a
domain name, or
b) its IP address rDNS points back to the domain you are naming in the
c) the client sends TLS SNI details *and* your ssl_bump rules make
that detail available to Squid (eg. peek).
Pay particular attention to what info is available at each "step" - and
also what is *not* available.
> But it is not effective with https://remitano.com
> I try to use these commands but they do not work:
> acl blockregexurl url_regex -i ^http[s]?:\/\/.*\.remitano\.com\/(/vn)
> http_access deny blockregexurl
> http_access deny CONNECT blockregexurl
The regex pattern is looking for an absolute-form URL which will never
exist in any CONNECT messages, since they always use authority-form URL.
That first http_access line might work *if* you already bumped the HTTPS
traffic. The second never will.
Same issues mentioned above about the facebook dstdomain ACL as to when
these dstdomain ACLs will match.
Except that here the "deny foo" lines that go first without mentioning
CONNECT will match all the same things as the CONNECT line would -
meaning they already block all traffic even stuff not using CONNECT
tunnels. So the mention of CONNECT in these lines is pointless, and you
can completely remove the lines which use it without changing the proxy
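For reference, an added illustration (not from this thread or from the Squid project) of the weak settings discussed above placed beside the corrected ones, in Squid 3.5 syntax. The port number, file paths, the step1/peek rule and the /vn path are assumptions; the original poster's actual http_port and ssl_bump lines are not in the thread. In Squid 4 the sslproxy_flags and sslproxy_cafile directives are replaced by tls_outgoing_options flags=... cafile=..., while sslproxy_foreign_intermediate_certs keeps its name.

```squid
# --- WEAK (what the reply above warns against) ---
# Disables *all* verification of origin server certs: any blob in X.509
# format is accepted, so anyone on the path can hijack outbound traffic.
#sslproxy_flags DONT_VERIFY_PEER
# A CA file is a list of trust anchors. Dropping intermediate certs in
# here (together with whatever roots share the file) makes every one of
# them a root the proxy trusts for its outbound TLS.
#sslproxy_cafile /etc/squid/intermediates-and-roots.pem   # assumed path

# --- CORRECTED ---
# Verify server certs against the system trust store (assumed path).
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt
# Only intermediate certs are loaded from this file; it cannot add trust anchors.
sslproxy_foreign_intermediate_certs /etc/squid/intermediates.pem

# Explicit proxy port with SSL-Bump (assumed port and signing CA path).
http_port 3128 ssl-bump cert=/etc/squid/proxyCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Peek at step 1 so the TLS SNI is available to ACLs at step 2, then bump.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# One dstdomain ACL matches both the client's explicit CONNECT and the
# SNI name Squid learns by peeking. No separate "deny CONNECT ..." line is
# needed: this line already matches CONNECT requests to these domains.
acl blocked_sites dstdomain .facebook.com .remitano.com
http_access deny blocked_sites

# Path-based blocking only works on the decrypted GET after bumping; a
# url_regex written for absolute-form URLs never matches a CONNECT's
# authority-form target (host:port). Pattern assumes a /vn path is the goal.
acl remitano_vn url_regex -i ^https?://([^/]+\.)?remitano\.com/vn
http_access deny remitano_vn
```

The deny lines must sit above any http_access allow rule for the same clients, as usual for Squid ACL ordering.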