There must be a domain involved that you aren't blocking. If you see them watching YouTube, check Squid's access log to see where they actually are going.

Hmm, you could try using the url mode redirect method. Or maybe one of the other redirect methods. Steve

Those are probably CDNs hosting the videos, and you may end up playing whack-a-mole trying to whitelist them all. Either allow IP addresses globally, or create an ACL for just your wife and allow them there.

you can also force google and bing into safe mode

We did a hangout walk though on this. It explains everything you need to know: https://youtu.be/xm_wEezrWf4 Steve

How is any of that configured? What are those IP addresses? What's working/not working? Steve

@gwaitsi No. I just gave up on it. There was another package being developed that I tinkered with for a bit but it never showed up in the repo so I never moved to it. Any SSL intercept is a MITM attack. It works in our client's Sonicwall units without issue (except for the DOJ) by just a checkbox. I'd put so much time into trying to get this working I just gave up. I didn't realize it'd been 2 years since I last tried getting this working.

So, i did the changes and it worked. Thanks a lot man!

No I don't.. MITM is breaking the designed security of ssl/tls. Which is meant to be end-end client to server. And sure doesn't meet PCI compliance for example.. Just ask the internet what they think about MITM - which is what Kazakhstan gov is doing ;) https://blog.mozilla.org/blog/2019/08/21/mozilla-takes-action-to-protect-users-in-kazakhstan/ If your goal is "spying" then sure its a great idea! Is your goal to spy on you users - you know intercept their back logins, medial record access, etc. There technical reasons why you would offload the ssl connection to a different box - security would not be one of them. Other than say the end server doesn't support or can not run https, so you offload that sort of thing. At any point you intercept the stream and decode it (so you can view it).. .How does that make the end user feel more secure? Is your backend not secure? If what you want is to offload the ssl to something else, and put your server behind a reverse proxy ok sure.. Its your server - but what is the pointy of ssl to the backend then - unless your backend is not secure? But yes you can do what your describing -- I do it for my plex server actually? and my ombi server (I just offload the ssl to the ha proxy) the connection to the backend is just then http. With my plex, since behind a cloudflare reverse proxy, and then my ha proxy to be able to share the 443 port it is technically doing mitm... But its just easier - its using whatever cert plex is serving up, etc. And its my server sort of thing.. So the reasons its being done is pure technical in the case of plex. While the case of ombi in my case its more secure because now the traffic is encrypted over the public internet via ssl, but not on my backend because my backend is secure and the ombi system doesn't have native ssl support, etc. I didn't not put i a reverse proxy and do mitm on it because its "more" secure then just direct connections to the server - I did the mitm to be able to share the 443 port with other services, etc.

For rare http sites, you should get the default squidguard block page. Because of how https works, blocked https sites will result in a browser error page.

thread is obsolete now (at least for us): moved the containers to an external host and solved the forwarding within traefik. thanks all ...

Deleting squid logs will have no effect on how it works. If you delete logs and then restart squid, it will create a new log and continue. Perhaps if you take the time to explain your problem and show your settings?....

Additionally Squid is affected another DoS CVE: CVE-2019-12525 and CVE-2019-12529 from 3.x to 3.5.28 and from 4.x to 4.7. Now in Package manager Squid version is 3.5.27.

@kiokoman below was the solution add Loopback to the Proxy Interfaces X-Forwarded Header Mode - Transparent (was - on previously) and importantly, there is a bug with the "Allow Users on Interface" - it doesn't work! ACls - Allowed Subnet still needs to have the subnet plus the localhost 192.168.0.0/24 127.0.0.1/32 another thing i found, switching from forwarding to transparent mode, it is necessary to reboot the router. Not enough to restart the service, or the same ICAP error will occur.

Mixing two tickets. Sorry. Well, you do it. Start small based on the information available, get one frontend and one backend working and go from there.

Figure out who is using all the bandwidth & how and then start limiting them somehow. Is this a family home? Roommates? A business? If it's streaming video or torrents (which make up the two of the biggest culprits) then good luck with squid. I decided to start paying an extra $20/m to move to an unlimited account for just this reason.

I was unable to access any HTTPS until "Resolve DNS IPv4 First" was enabled. Thank you, yes 'squidclient -h 127.0.0.1 -p 3128 mgr:info' is an invaluable resource. So many requests go through with no hassle that the Median Service Times look relatively normal.