I'm trying to do the same. I got success configuring c-icap to block a request.
Your srv_url_check.conf
seems to be incomplete. Mine is configured as follows:
Service urlcheck /usr/lib/x86_64-linux-gnu/c_icap/srv_url_check.so
url_check.LookupTableDB denyhosts url hash:/etc/c-icap/denyhosts.txt "Denied Host"
url_check.Profile denyProfile block denyhosts
url_check.ProfileAccess denyProfile all
The file denyhosts.txt, is a simple text file. Each line should contain a host to be block, such as:
mp3.com.au
xvideos.com
sex.com
And finally, you should uncomment line acl all src 0.0.0.0/0.0.0.0
into c-icap.conf
.
Start your c-icap server like /usr/bin/c-icap -D -N -d 1
(adjust the log level (-d) as you wish) and test it using /usr/bin/c-icap-client -s url_check -req http://sex.com -v -d 1
.
As a response, you will receive:
ICAP HEADERS:
ICAP/1.0 200 OK
Server: C-ICAP/0.4.2
Connection: keep-alive
ISTag: CI0001-XXXXXXXXX
X-ICAP-Profile: denyProfile
X-Attribute: denyhosts
X-Attribute-Prefix: 7
X-Response-Info: BLOCKED
X-Response-Desc: URL category denyhosts is BLOCKED
Encapsulated: res-hdr=0, res-body=108
RESPMOD HEADERS:
HTTP/1.0 403 Forbidden
Server: C-ICAP
Content-Type: text/html
Connection: close
Content-Language: en
This is what I did so far...
By the time the https traffic arrives at the transparent proxy there's only the IP "visible": not enough information to recreate the connect request and proxy it.
When you set a proxy in your browser (manually, or by proxy.pac) the browser knows to send more info to the proxy about what it wants.
Some proxies can use SNI information to transparently proxy a majority of SSL traffic - and then either domain filter it (from the sni info) or MITM it and do a full filtering job. I work for a supplier of one such filter - Smoothwall (who also employ dansguardian Dan).
Best Answer
Whenever the Squid configuration is reloaded, everything Squid does is paused.
I suggest to use ufdbGuard, a free URL filter for Squid. When ufdbGuard reloads the URL database there is no negative effect for Squid or users browsing. One can download ufdbGuard from SourceForge and URLfilterDB.