Transparent Proxy with SSL SNI only inspection and whitelist feature

Started by JDA, September 09, 2023, 11:49:51 PM

I'm currently trying to set up my Squid as a proxy to restrict internet access to certain servers. As I don't want to update all the clients, I'm trying a transparent proxy with "Log SNI information only".
This works fine as long as I have the client in "Unrestricted IP addresses". The access log shows both a CONNECT to the IP and the actual server name. But as soon as I want to use the whitelist feature, it doesn't work -> I assume the ACL is evaluated too early in the bump/peek process (at_step acl option?).

Am I correct or is it just a layer 8 error?
Does anyone have a working example of how to allow some https URLs with a transparent proxy without modifying the clients?

I tried a few variants, but my current solution right now is:
# bump_step1 is assumed to be an at_step ACL (SslBump1) defined elsewhere in the generated config
http_access allow bump_step1
# match on the TLS SNI name, which is only known after the ClientHello has been peeked
acl whiteListSSL ssl::server_name login.microsoftonline.com
http_access allow whiteListSSL
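As an added illustration of how Squid's SSL Bump steps and the http_access checks interact, here is a hand-written squid.conf fragment; it is not the poster's configuration and not what OPNsense generates. The port number, certificate path and the .example.com entry are assumed values; the ACL names follow the post.

```conf
# Added example, not the original poster's config. Assumed: port 3129,
# CA file path, and the .example.com whitelist entry.

# Intercepted (transparent) HTTPS. https_port with ssl-bump needs a cert
# even when traffic is only peeked and spliced, never decrypted.
https_port 3129 intercept ssl-bump tls-cert=/usr/local/etc/squid/ca.pem

acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2

# Allowed TLS server names (SNI). A leading dot matches subdomains.
acl whiteListSSL ssl::server_name login.microsoftonline.com
acl whiteListSSL ssl::server_name .example.com

# Step 1: for intercepted traffic only the destination IP is known, so
# ssl::server_name cannot match a hostname yet. Peek to read the ClientHello.
ssl_bump peek bump_step1
# Step 2: SNI is now available. Splice allowed servers through untouched
# (no interception of the TLS session) and terminate everything else.
ssl_bump splice whiteListSSL
ssl_bump terminate all

# Squid evaluates http_access against a fake CONNECT at each bump step.
# Allow step 1 so the peek can happen; decide on the server name afterwards.
http_access allow bump_step1
http_access allow whiteListSSL
http_access deny all
```

With this ordering the access log shows the step-1 CONNECT to the IP followed by the step-2 decision on the SNI name, which is the point where the whitelist ACL can actually match.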