diff --git a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
index 8c01e6af79..95d9eca186 100644
--- a/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
+++ b/www/squid/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
@@ -346,6 +346,22 @@
true
Create a list of sites which may not be inspected, for example bank sites. Prefix the domain with a . to accept all subdomains (e.g. .google.com).
+
+ proxy.forward.ssl_sni_block_sites
+
+ select_multiple
+
+ true
+ Create a list of sites which must be blocked by SSL SNI domain. Prefix the domain with a . to accept all subdomains (e.g. .google.com).
+
+
+ proxy.forward.ssl_sni_block_excludeip
+
+ select_multiple
+
+ true
+ Create a list of IP addresses.
+
proxy.forward.workers
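Review bot: The help text added for proxy.forward.ssl_sni_block_excludeip, `Create a list of IP addresses.`, does not say what the list is used for, while the model change in this same commit labels the field "Exclude IP from SSL inspection and SNI based blocking". Suggest `Create a list of client IP addresses that are excluded from SNI based blocking and SSL inspection.` so an operator understands that entries here are spliced rather than inspected. The help for ssl_sni_block_sites also keeps "Prefix the domain with a . to accept all subdomains", copied from the no-inspection list above it; for a block list "to match all subdomains" is the accurate wording.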
diff --git a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
index d870282407..9f31440120 100644
--- a/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+++ b/www/squid/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -263,6 +263,20 @@
sslurlonly
+
+ When enabling "Block connections by SSL SNI", SSL inspection must also be enabled.
+ DependConstraint
+
+ ssl_sni_block_sites
+
+
+
+ When enabling "Exclude IP from SSL inspection and SNI based blocking", SSL inspection must also be enabled.
+ DependConstraint
+
+ ssl_sni_block_excludeip
+
+
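Review bot: The new DependConstraint for ssl_sni_block_excludeip only requires SSL inspection, but the exclude list has no effect unless a block-site list is also configured: in the squid.conf template the `bump_ssl_sni_block_excludeip` acl and every rule that uses it are emitted only inside the `ssl_sni_block_sites != ''` branch. Consider a second DependConstraint tying ssl_sni_block_excludeip to ssl_sni_block_sites, with a message such as `"Exclude IP from SSL inspection and SNI based blocking" requires a "Block connections by SSL SNI" list.`, or at least state the dependency in the field's help text so a configured exclusion is not silently ignored. The field definition these constraints belong to starts before the hunk (only the `sslurlonly` context line is visible), so I cannot confirm which field carries check002/check003.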
@@ -282,6 +296,25 @@
/^([a-zA-Z0-9\.:\[\]\s\-]*?,)*([a-zA-Z0-9\.:\[\]\s\-]*)$/
Please enter ip addresses or domain names here.
+
+ /^([a-zA-Z0-9\.:\[\]\s\-]*?,)*([a-zA-Z0-9\.:\[\]\s\-]*)$/
+ Please enter ip addresses or domain names here.
+ Y
+
+
+ sslbump.check002
+
+
+
+
+ N
+ Y
+
+
+ sslbump.check003
+
+
+
1
100
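Review bot: The new ssl_sni_block_excludeip field reuses the domain-list regex and the message `Please enter ip addresses or domain names here.`, but the squid.conf template feeds this list to `acl bump_ssl_sni_block_excludeip src ...`, and squid's `src` ACL is documented for IP addresses and CIDR ranges; a domain name that passes validation here is therefore accepted by the UI and written into an address ACL file. Restricting the character class to address characters, e.g. `/^([0-9a-fA-F\.:\[\]\/\s\-]*?,)*([0-9a-fA-F\.:\[\]\/\s\-]*)$/` (keep `/` only if CIDR ranges are meant to be allowed), and changing the message to `Please enter ip addresses here.` would make validation match what the generated config can use. With the element tags stripped I cannot see the field type, so the exact regex may need adjusting to how the value is stored.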
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/+TARGETS b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/+TARGETS
index 113237f505..7b6ce944cb 100644
--- a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/+TARGETS
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/+TARGETS
@@ -5,6 +5,8 @@ error_directory_in:/usr/local/etc/squid/error_directory.in
externalACLs.conf:/usr/local/etc/squid/externalACLs.conf
newsyslog.conf:/etc/newsyslog.conf.d/squid
nobumpsites.acl:/usr/local/etc/squid/nobumpsites.acl
+ssl_sni_block_sites.acl:/usr/local/etc/squid/ssl_sni_block_sites.acl
+ssl_sni_block_excludeip.acl:/usr/local/etc/squid/ssl_sni_block_excludeip.acl
parentproxy.conf:/usr/local/etc/squid/pre-auth/parentproxy.conf
post-auth.conf:/usr/local/etc/squid/post-auth/dummy.conf
pre-auth.conf:/usr/local/etc/squid/pre-auth/dummy.conf
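Review bot: The two new `.acl` targets are inserted between `nobumpsites.acl` and `parentproxy.conf`, which breaks the alphabetical order the rest of this file keeps; placing them in sorted position after `pre-auth.conf` keeps the list consistent. The `ssl_sni_block_sites.acl` and `ssl_sni_block_excludeip.acl` templates these targets render are not in the part of the diff shown here, so I cannot confirm they are added by the same commit.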
diff --git a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
index 1134b1a9ee..fdb9d961a3 100644
--- a/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
+++ b/www/squid/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
@@ -69,17 +69,46 @@ acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
+{% if helpers.exists('OPNsense.proxy.forward.ssl_sni_block_sites') and OPNsense.proxy.forward.ssl_sni_block_sites != '' %}
+acl bump_ssl_sni_block_sites ssl::server_name --consensus "/usr/local/etc/squid/ssl_sni_block_sites.acl"
+{% if helpers.exists('OPNsense.proxy.forward.ssl_sni_block_excludeip') and OPNsense.proxy.forward.ssl_sni_block_excludeip != '' %}
+acl bump_ssl_sni_block_excludeip src "/usr/local/etc/squid/ssl_sni_block_excludeip.acl"
+{% endif %}
+{% endif %}
-# configure bump
{% if helpers.exists('OPNsense.proxy.forward.sslurlonly') and OPNsense.proxy.forward.sslurlonly == '1' %}
-ssl_bump peek bump_step1 all
-ssl_bump splice all
-ssl_bump peek bump_step2 all
-ssl_bump splice bump_step3 all
-ssl_bump bump
+# configure bump - logging only config
+
+ssl_bump peek bump_step1
+
+{% if helpers.exists('OPNsense.proxy.forward.ssl_sni_block_sites') and OPNsense.proxy.forward.ssl_sni_block_sites %}
+{% if helpers.exists('OPNsense.proxy.forward.ssl_sni_block_excludeip') and OPNsense.proxy.forward.ssl_sni_block_excludeip != '' %}
+ssl_bump splice bump_step2 bump_ssl_sni_block_excludeip
+{% endif %}
+# terminate by SNI, splice anyway
+ssl_bump terminate bump_step2 bump_ssl_sni_block_sites
+{% else %}
+# no SNI blocking
+ssl_bump peek bump_step2
+{% endif %}
+
+ssl_bump splice bump_step3
{% else %}
-ssl_bump peek bump_step1 all
+
+# configure bump - transparent proxy config
+ssl_bump peek bump_step1
+{% if helpers.exists('OPNsense.proxy.forward.ssl_sni_block_sites') and OPNsense.proxy.forward.ssl_sni_block_sites != '' %}
+{% if helpers.exists('OPNsense.proxy.forward.ssl_sni_block_excludeip') and OPNsense.proxy.forward.ssl_sni_block_excludeip != '' %}
+# no SNI based blocking and bump on exluded IPs
+ssl_bump peek bump_step2 bump_ssl_sni_block_excludeip
+ssl_bump splice bump_step2 bump_ssl_sni_block_excludeip
+{% endif %}
+# SNI blocking
+ssl_bump terminate bump_step3 bump_ssl_sni_block_sites
+{% endif %}
+
+# no bump on sites
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump stare bump_step2