I have set up a squid server which redirects users to http://testas.lt/, but it only works with HTTP sites; with HTTPS I get an error. Here's the config:

http_port 8080 intercept
http_port 3128

acl Safe_ports port 80          # http

http_access deny !Safe_ports
http_access allow localhost manager
http_access deny manager

# Client networks
acl users-net src 192.168.0.0/8
acl users src 192.168.88.0/13
acl unknown src 192.168.80.0/13
acl police-block src 192.168.95.0/16

# Destination sites
acl whitelist dstdomain .googleapis.com
acl whitelist dstdomain www.omdbapi.com
acl skola-www dstdomain testas.lt

http_access deny unknown

http_access allow users skola-www
http_access deny users
deny_info http://testas.lt users

http_access allow users-net whitelist

http_access allow localhost
http_access deny all

cache_mem 1024 MB
maximum_object_size_in_memory 2048 KB
coredump_dir /var/spool/squid3

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

If I try to open a site with HTTP, it redirects as expected, but if I try to open a site with HTTPS I get the error.

Logs with https://google.com:

1594793109.611      0 192.168.123.8 TCP_DENIED/302 354 CONNECT google.com:443 - HIER_NONE/- text/html

Logs with http://y8.com:

1594793421.805      0 192.168.123.8 TCP_DENIED/302 354 GET http://y8.com/ - HIER_NONE/- text/html
1594793422.155  26684 192.168.123.8 TCP_TUNNEL_ABORTED/200 4428 CONNECT testas.lt:443 - HIER_DIRECT/141.136.37.203 -

1 Answer


At the simplest level you've not defined any rules to allow HTTPS traffic to connect through squid. (At the more complex level you need to create trusted certificates so you can intercept and validate HTTPS traffic with ssl-bump. I'm not showing that here.)

acl CONNECT method CONNECT
acl SSL_ports port 443
acl Safe_ports port 443         # https
http_access deny CONNECT !SSL_ports
  • My apologies I missed a safe_ports line. You were right (in your first comment) and I've added it to my answer. Commented Jul 15, 2020 at 7:32
  • Looks good to me. Your configuration denies google.com, so it's denied. You've allowed testas.lt so it's allowed Commented Jul 15, 2020 at 7:46
  • You can't do that without getting SSL certificate mismatches. It sounds like you want a web server redirect rather than a proxy, though. Commented Jul 15, 2020 at 12:07
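To make the answer's point concrete, here is an added example (not from the question, the answer, or the Squid project) that parses the native-format access.log lines quoted in the question and then evaluates the port and CONNECT rules the answer adds, using a small first-match model of Squid's http_access semantics. The ACL and rule names are the ones on this page; the rule model, the log copies and the extra example request to port 80 are constructed for illustration and cover only the port checks, not the site policy that follows them in the question's config.

```python
"""Added example: parse Squid access.log lines and model the port/CONNECT
part of http_access before and after the answer's fix. Constructed for
illustration; not the question's, the answer's or Squid's own code."""
from urllib.parse import urlsplit

# Constructed copy of the three access.log lines quoted in the question.
LOG_LINES = [
    "1594793109.611      0 192.168.123.8 TCP_DENIED/302 354 CONNECT google.com:443 - HIER_NONE/- text/html",
    "1594793421.805      0 192.168.123.8 TCP_DENIED/302 354 GET http://y8.com/ - HIER_NONE/- text/html",
    "1594793422.155  26684 192.168.123.8 TCP_TUNNEL_ABORTED/200 4428 CONNECT testas.lt:443 - HIER_DIRECT/141.136.37.203 -",
]


def parse_access_line(line):
    """Split one native-format access.log line into its ten fields."""
    f = line.split()
    if len(f) != 10:
        raise ValueError(f"unexpected field count {len(f)}: {line!r}")
    code, _, status = f[3].partition("/")
    hier, _, peer = f[8].partition("/")
    return {
        "time": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
        "code": code, "status": int(status), "bytes": int(f[4]),
        "method": f[5], "url": f[6], "user": f[7],
        "hierarchy": hier, "peer": peer, "ctype": f[9],
    }


def request_port(method, url):
    """The port a Squid `port` ACL compares against: host:port for CONNECT,
    otherwise the URL's explicit port or the scheme default."""
    if method == "CONNECT":
        return int(url.rpartition(":")[2])
    parts = urlsplit(url)
    if parts.port is not None:
        return parts.port
    return 443 if parts.scheme == "https" else 80


def denied_connects(lines):
    """Quick diagnostic: which CONNECT (HTTPS tunnel) requests did Squid deny?"""
    entries = [parse_access_line(line) for line in lines]
    return [e["url"] for e in entries
            if e["method"] == "CONNECT" and e["code"] == "TCP_DENIED"]


# Simplified model of the ACL types used on this page. Squid merges every
# `acl NAME port ...` line with the same name into one set, so the "after"
# Safe_ports holds both 80 (question) and 443 (answer).
BEFORE_ACLS = {"Safe_ports": ("port", {80})}
AFTER_ACLS = {
    "Safe_ports": ("port", {80, 443}),
    "SSL_ports": ("port", {443}),
    "CONNECT": ("method", {"CONNECT"}),
}
# Only the port/CONNECT lines; the site policy after them is out of scope here.
BEFORE_RULES = [("deny", ["!Safe_ports"])]
AFTER_RULES = [("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"])]


def acl_matches(acls, term, req):
    """One ACL term; a leading '!' negates it, as in squid.conf."""
    negated = term.startswith("!")
    kind, values = acls[term.lstrip("!")]
    if kind == "port":
        hit = request_port(req["method"], req["url"]) in values
    else:  # "method"
        hit = req["method"] in values
    return hit != negated


def first_match(rules, acls, req):
    """Squid http_access semantics: the first line whose terms all match
    decides. Returns that line, or None when the request reaches later rules."""
    for action, terms in rules:
        if all(acl_matches(acls, t, req) for t in terms):
            return f"http_access {action} {' '.join(terms)}"
    return None


def port_decisions(rules, acls, lines=LOG_LINES):
    """Map each logged request URL to the port rule that stops it, or None."""
    return {e["url"]: first_match(rules, acls, e)
            for e in map(parse_access_line, lines)}


if __name__ == "__main__":
    print("denied CONNECTs:", denied_connects(LOG_LINES))
    print("before:", port_decisions(BEFORE_RULES, BEFORE_ACLS))
    print("after: ", port_decisions(AFTER_RULES, AFTER_ACLS))
    # Constructed request: tunnelling to a non-TLS port is still refused after the fix.
    print(first_match(AFTER_RULES, AFTER_ACLS, {"method": "CONNECT", "url": "example.test:80"}))
```

With the posted `acl Safe_ports port 80` alone, the model denies every CONNECT to port 443 at the `deny !Safe_ports` line, which is the "no rule allows HTTPS" point of the answer; with the answer's two ACLs added, the 443 tunnels pass the port checks and fall through to the site rules (where, as the comments note, google.com is still denied and testas.lt allowed), while a CONNECT to port 80 is caught by `deny CONNECT !SSL_ports`. Note that the question's own log shows the CONNECT to testas.lt:443 being tunnelled (TCP_TUNNEL_ABORTED/200, HIER_DIRECT), which the posted config as written would not permit, so the file shown is evidently not the whole policy that Squid was running.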
