> But I can't get it to work. The logs appeared to indicate that URLs in
> the whitelist were first denied then bumped:
> 14/Nov/2019:08:46:25 -0800 192.168.2.43 TCP_DENIED/- 0 CONNECT
> 126.96.36.199:443 - HIER_NONE/- - www.headroyce.org
> 14/Nov/2019:08:46:25 -0800 192.168.2.43 NONE/- 3793 GET
> https://www.headroyce.org/ - HIER_NONE/- text/html www.headroyce.org
> I think that the ACLs are trying to match a spliced connection against
> the IP address rather than SNI server name.
> Any idea what I'm doing wrong here?
If you only want to act based on SNI, then do not use an http_access
rule during step1 when SNI is not yet known. There may be several ways
to accomplish that. However, in most cases, you want to act ASAP,
regardless of whether the [sufficient] information came from the TCP
layer or the TLS layer. If that is your use case, then it is OK to apply
the http_access rule during step1 as well (assuming your ACL will simply
not match when there is not enough information yet).
> http_access allow whitelist
Even if the request is for an "unsafe" port? I doubt you want this rule
so high. See squid.conf.default for the recommended access controls order.
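As an added illustration of the two points made above (not a configuration posted by anyone in this thread), the following squid.conf fragment keeps the unsafe-port denials first, as squid.conf.default recommends, and lets the SNI-based whitelist decide only once the TLS ClientHello has been peeked. The ACL names, the `.example.com` domain and the `192.168.2.0/24` client network are assumptions chosen for the example; the Squid directives themselves (`at_step`, `ssl::server_name`, `ssl_bump peek/splice/terminate`) are standard.

```conf
# Added example, not from the thread. Assumes Squid 3.5+/4.x with SSL-Bump
# enabled on the listening port. Names and networks are constructed.

acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
acl localnet src 192.168.2.0/24          # assumed client network

# Recommended order from squid.conf.default: reject unsafe ports before
# any allow rule, so a whitelist cannot open arbitrary ports.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# SslBump step markers and the SNI-based whitelist. At step 1 the server
# name is only the CONNECT target (an IP for intercepted traffic), so a
# whitelist of hostnames simply does not match yet.
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl whitelist ssl::server_name .example.com   # constructed domain

# Peek at step 1 to learn the SNI without bumping; then splice the
# whitelisted servers and terminate everything else.
ssl_bump peek step1
ssl_bump splice whitelist
ssl_bump terminate all

# Step 1: let local clients reach step 2 without consulting the
# hostname whitelist (which cannot match on an IP-only CONNECT).
http_access allow CONNECT localnet step1

# Step 2: Squid re-evaluates http_access with the SNI known, so the
# whitelist is applied here and non-matching names are denied.
http_access allow whitelist step2
http_access deny all
```

Note that `http_access allow CONNECT localnet step1` is what keeps the whitelist from being applied before the SNI is known, which addresses the TCP_DENIED line in the quoted log; if the intent is instead to act as soon as either the TCP-layer or TLS-layer information suffices, that rule can be dropped and `http_access allow whitelist` left without the `step2` qualifier, as the reply describes.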