Thursday, September 19, 2013

Update for my "IPTABLES for transparent Squid"

Ahoy! My old post on TRANSPARENT SQUID has a problem: HTTPS traffic (port 443) passes straight through, because only port 80 is redirected to Squid and Squid cannot see or cache what is inside an SSL connection. Try visiting https://www.google.com from that configuration and you will see that it goes through untouched.

In this post I add the rules below to the config from my previous post, to block HTTPS for a certain IP range (the "non-internet users" group). Place them below the "DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy" rule, so the port 80 redirect stays first in the nat PREROUTING chain.

# Sample of IP range to be blocked (192.168.1.200-192.168.1.250)
# Port 443 from that range is sent to Squid's port instead of out to the internet
$ipt -t nat -A PREROUTING -i $LAN -m iprange --src-range 192.168.1.200-192.168.1.250 -p tcp --dport 443 -j DNAT --to 192.168.1.1:3128
# Anything from that range still trying to be forwarded on port 443 is refused
$ipt -A FORWARD -p tcp -i $LAN -m iprange --src-range 192.168.1.200-192.168.1.250 --dport 443 -j REJECT

After this, HTTPS requests from the range declared above no longer reach the internet. Note how the two rules interact: the DNAT rule hands the client's SSL handshake to Squid's plain HTTP port, which cannot complete it, so the browser reports an SSL error; and because a packet DNATed to the firewall's own address (192.168.1.1 here, as in the port 80 rule) is delivered locally rather than forwarded, the FORWARD REJECT only catches port 443 traffic from that range that the DNAT did not redirect. If you prefer a clean refusal instead of a failed handshake, the REJECT rule alone is enough.

Note that if an application on a PC in the blocked range needs an SSL connection, you will have to configure the proxy IP and port by hand in that client application and add the URL it needs to the Squid access rules. Squid (the proxy server) then relays that SSL connection for the client, and we keep the transparent proxy configuration for everything else.
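The whole procedure above, as an added example that is not part of the original post: a script that appends the rules in the order the post requires (port 80 redirect first, then the HTTPS block for the range) and prints a matching squid.conf ACL fragment for a client in the blocked range that has the proxy set by hand. The interface name eth1, the acl names nonet and ssl_ok, and the allowed domain .example.com are assumptions for illustration; the IP range, Squid address and port are the post's own.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the transparent-proxy
# rules in the required order and prints the Squid ACL lines for the
# hand-configured client case. Assumed values: LAN=eth1, the acl names
# nonet/ssl_ok and ALLOWED_SSL_DOMAIN=.example.com. Usage:
#   sh script.sh show    print the iptables commands (dry run)
#   sh script.sh apply   load them and list the nat PREROUTING chain (root)
#   sh script.sh squid   print the squid.conf fragment

LAN="${LAN:-eth1}"                                   # assumption
SQUID_IP="${SQUID_IP:-192.168.1.1}"
SQUID_PORT="${SQUID_PORT:-3128}"
BLOCK_RANGE="${BLOCK_RANGE:-192.168.1.200-192.168.1.250}"
ALLOWED_SSL_DOMAIN="${ALLOWED_SSL_DOMAIN:-.example.com}" # assumption
ipt="${IPT:-/sbin/iptables}"

# Dry-run stand-in for iptables: print the arguments on one line.
dry() { printf '%s\n' "$*"; }

# Rule from the original post: intercept LAN port 80 into Squid.
transparent_http_rules() {
    $ipt -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 \
        -j DNAT --to "$SQUID_IP:$SQUID_PORT"
}

# The post's HTTPS block. Appended after the port-80 rule so the nat
# PREROUTING order matches the post. Once DNATed to the firewall's own
# address the packet goes to INPUT, not FORWARD, so the REJECT line only
# sees port 443 traffic from the range that the DNAT did not redirect.
https_block_rules() {
    $ipt -t nat -A PREROUTING -i "$LAN" -m iprange --src-range "$BLOCK_RANGE" \
        -p tcp --dport 443 -j DNAT --to "$SQUID_IP:$SQUID_PORT"
    $ipt -A FORWARD -i "$LAN" -m iprange --src-range "$BLOCK_RANGE" \
        -p tcp --dport 443 -j REJECT
}

# Check the order: the port-80 DNAT must be listed before the 443 DNAT.
show_nat_order() {
    $ipt -t nat -L PREROUTING -n -v --line-numbers
}

# squid.conf fragment for a PC in the blocked range whose application has
# the proxy configured by hand: only the listed domain may be reached via
# CONNECT (how an HTTP proxy carries SSL). Put these lines before the
# existing "http_access allow localnet". The "CONNECT" acl is already in
# the default squid.conf; drop that line if it is defined there.
squid_acl_fragment() {
    cat <<EOF
acl nonet src $BLOCK_RANGE
acl ssl_ok dstdomain $ALLOWED_SSL_DOMAIN
acl CONNECT method CONNECT
http_access allow nonet CONNECT ssl_ok
http_access deny nonet CONNECT
EOF
}

case "${1:-}" in
    apply) transparent_http_rules; https_block_rules; show_nat_order ;;
    show)  ipt=dry; transparent_http_rules; https_block_rules ;;
    squid) squid_acl_fragment ;;
esac
```

Run "show" first and compare the printed commands with what "iptables -t nat -L PREROUTING -n --line-numbers" already has, so the 443 rules land after the port 80 redirect rather than in front of it.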