I try to make a admin website, which control access to the internet. When I allow access on this site to a client ip, the site write this ip in a acl file and reload squid. This works fine – access is allowed. And when I remove the ip and reload squid, the client get blocked. But when I have acceded google (https!) before, then the access to google is still possible. After some minutes inactivitiy access is also blocked. So somebody can build a tunnel and keep the internet open for them.
Is it possible to force disconnect of open CONNECT sessions?
a little example:
acl allowed_dst dstdomain "/etc/squid/allowed_dst"
acl allowed_clients src "/etc/squid/allowed_clients"
http_access allow allowed_dst
http_access allow allowed_clients
http_access deny all
Best Answer
There is currently no way to do what you are asking from within Squid.
http_access ACLs are only evaluated when HTTP requests happen. Once a CONNECT message has setup a blind TCP tunnel to send the client data through it ceases to be HTTP, so even if Squid were to re-process ACLs it has no reason to process http_access rules ever again for a tunnel.
There are also many more ACL driven decisions that could have taken place and need to be re-evaluated. Some of them would have depended on previous ACL values and data which no longer exists. It is not as simple as a client just being allowed or denied.
The best thing to do is to have your script which is removing ACL entries followup the Squid reload by terminating at the TCP level any connections those clients have to the proxy. On Linux there is the "conntrack" tool to do that.