  • android devices not working with Root CA

    9
    0 Votes
    9 Posts
    2k Views
    dragoangel
    @gwaitsi Unfortunately I don't know; something is maybe wrong with your CA. I have done this before without any issue. It must process with success by cert install. No download needed. Can you try creating a new CA over Cert Manager and try again?
  • squid working, but how to bypass

    2
    0 Votes
    2 Posts
    884 Views
    M
    Some applications do not work well with a PAC file. Are you using authentication? Based on your config, it seems that you are bumping everything; have you tried splice all? Based on the problems I had, I found this: Some apps can work with a PAC file, others not. Some apps can work with proxy authentication, like Kerberos for example, others not. So, sometimes you will see Access Denied in Squid, because apps like Pokerstars, for example, are not carrying credentials to the proxy. Here, I have a Squid proxy with SSO, using Kerberos. Some apps don't work if I set Direct in the PAC file; however, they do work when I set a bypass like this:

    before_auth:

        # This allows everything to pokerstars.com and dropbox.com to go through the proxy without authentication
        acl whitelist dstdomain .pokerstars.com .dropbox.com
        auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -k /usr/local/etc/squid/mykeytab.keytab
        auth_param negotiate children 100
        auth_param negotiate keep_alive on
        # This allows the whitelist before auth is required
        http_access allow whitelist
        acl auth proxy_auth REQUIRED
        http_access deny !auth
        http_access allow auth
  • Comodo SSL for pfsense webgui

    Moved
    13
    0 Votes
    13 Posts
    2k Views
    jimp
    ACME/Let's Encrypt is the best thing to do here, assuming you have a public domain available you can leverage and a supported DNS provider.
  • Proxy authentication error

    1
    0 Votes
    1 Posts
    193 Views
    No one has replied
  • squidguard Package/Squid/Realtime Stats (SQStat)

    1
    0 Votes
    1 Posts
    358 Views
    No one has replied
  • My proxy not block youtube some computers

    2
    0 Votes
    2 Posts
    496 Views
    KOM
    There must be a domain involved that you aren't blocking. If you see them watching YouTube, check Squid's access log to see where they actually are going.
  • SquidGuard Error Page - Redirects to the IP not the SSL Domain

    Moved
    2
    0 Votes
    2 Posts
    280 Views
    stephenw10
    Hmm, you could try using the url mode redirect method. Or maybe one of the other redirect methods. Steve
  • squid + squidguard blocking an app

    2
    0 Votes
    2 Posts
    499 Views
    KOM
    Those are probably CDNs hosting the videos, and you may end up playing whack-a-mole trying to whitelist them all. Either allow IP addresses globally, or create an ACL for just your wife and allow them there.
  • (54) Connection reset by peer (TLS code: SQUID_ERR_SSL_HANDSHAKE)

    1
    1
    0 Votes
    1 Posts
    272 Views
    No one has replied
  • How to block Google search keyword

    3
    0 Votes
    3 Posts
    318 Views
    A
    You can also force Google and Bing into safe mode.
  • Squid Reverse proxy error with https

    1
    0 Votes
    1 Posts
    533 Views
    No one has replied
  • Squidguard Https block page not showing

    Moved squidguard
    14
    0 Votes
    14 Posts
    5k Views
    stephenw10
    We did a hangout walkthrough on this. It explains everything you need to know: https://youtu.be/xm_wEezrWf4 Steve
  • Pfsense+Mikrotik+Squid

    Moved
    2
    0 Votes
    2 Posts
    528 Views
    stephenw10
    How is any of that configured? What are those IP addresses? What's working/not working? Steve
  • HTTPS Filtering + Splice All gives certificate issues

    7
    0 Votes
    7 Posts
    5k Views
    S
    @gwaitsi No. I just gave up on it. There was another package being developed that I tinkered with for a bit but it never showed up in the repo so I never moved to it. Any SSL intercept is a MITM attack. It works in our client's Sonicwall units without issue (except for the DOJ) by just a checkbox. I'd put so much time into trying to get this working I just gave up. I didn't realize it'd been 2 years since I last tried getting this working.
  • Squid non-transparent blocks VPN address

    8
    0 Votes
    8 Posts
    1k Views
    T
    So, I did the changes and it worked. Thanks a lot man!
  • Certificat Front End/ Back End

    6
    1
    0 Votes
    6 Posts
    809 Views
    johnpoz
    No I don't.. MITM is breaking the designed security of ssl/tls. Which is meant to be end-end client to server. And sure doesn't meet PCI compliance for example.. Just ask the internet what they think about MITM - which is what Kazakhstan gov is doing ;) https://blog.mozilla.org/blog/2019/08/21/mozilla-takes-action-to-protect-users-in-kazakhstan/ If your goal is "spying" then sure it's a great idea! Is your goal to spy on your users - you know intercept their bank logins, medical record access, etc. There are technical reasons why you would offload the ssl connection to a different box - security would not be one of them. Other than say the end server doesn't support or can not run https, so you offload that sort of thing. At any point you intercept the stream and decode it (so you can view it)... How does that make the end user feel more secure? Is your backend not secure? If what you want is to offload the ssl to something else, and put your server behind a reverse proxy ok sure.. It's your server - but what is the point of ssl to the backend then - unless your backend is not secure? But yes you can do what you're describing -- I do it for my plex server actually? and my ombi server (I just offload the ssl to the ha proxy) the connection to the backend is just then http. With my plex, since behind a cloudflare reverse proxy, and then my ha proxy to be able to share the 443 port it is technically doing mitm... But it's just easier - it's using whatever cert plex is serving up, etc. And it's my server sort of thing.. So the reason it's being done is purely technical in the case of plex. While the case of ombi in my case it's more secure because now the traffic is encrypted over the public internet via ssl, but not on my backend because my backend is secure and the ombi system doesn't have native ssl support, etc. I did not put in a reverse proxy and do mitm on it because it's "more" secure than just direct connections to the server - I did the mitm to be able to share the 443 port with other services, etc.
  • Squid proxy changing default routes breaks browsing

    7
    0 Votes
    7 Posts
    1k Views
    KOM
    For rare http sites, you should get the default squidguard block page. Because of how https works, blocked https sites will result in a browser error page.
  • Squid Reverse Proxy Issues

    1
    0 Votes
    1 Posts
    353 Views
    No one has replied
  • HAproxy: right way to redirect old domain?

    9
    0 Votes
    9 Posts
    1k Views
    S
    thread is obsolete now (at least for us): moved the containers to an external host and solved the forwarding within traefik. thanks all ...
  • Squid started but not filter

    4
    0 Votes
    4 Posts
    542 Views
    KOM
    Deleting squid logs will have no effect on how it works. If you delete logs and then restart squid, it will create a new log and continue. Perhaps if you take the time to explain your problem and show your settings?....
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.