SQUID does not block http sites, why?

I have a Squid 3.5.28 server. Everything works, except that it doesn't block the sites listed in the file (/opt/squid/etc/blocked_reklama) when they are accessed over HTTP, while over HTTPS it blocks them fine. I can't understand this behavior; where and what should I fix?
Config:
#For authorization via AD
auth_param negotiate program /opt/squid/libexec/negotiate_kerberos_auth -s HTTP/xxx.xx.xx
auth_param negotiate children 40 startup=0 idle=1
auth_param negotiate keep_alive on

acl localnet src 10.16.0.0/16 # RFC1918 possible internal network
acl pcname srcdomain "/opt/squid/etc/block_comp_name" # computer names from the file block_comp_name
acl nohttps dstdomain "/opt/squid/etc/no_https"
acl blocked_ads dstdomain "/opt/squid/etc/blocked_reklama" # sites to block (advertising)

acl userauth proxy_auth REQUIRED # authenticated user enters the group userauth

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl manager proto cache_object


http_access deny pcname #forbid access to the group pcname
http_access deny blocked_ads #Forbid access to the sites of these lists
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow userauth #Allow the Internet to authenticated users
http_access allow localnet #Allow Internet from our network
http_access allow localhost #Allow Internet locally
http_access deny all #deny all the rest


#################################################################################################################################
#For http transparent proxy
http_port 3129 intercept
#For https without replacing the certificate
#https_port 3130 intercept
https_port 3130 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/opt/squid/etc/squidCA.pem
always_direct allow all
acl blocked_ads_ssl ssl::server_name "/opt/squid/etc/blocked_reklama" # sites to block (advertising, etc.)
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate blocked_ads_ssl #Close the connection to the site
ssl_bump bump userauth !nohttps #Decrypted traffic for the users group userauth in addition to sites from file no_https
ssl_bump splice all #Without decoding all the rest

#################################################################################################################################
http_port 3128 ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/opt/squid/etc/adkey.pem
sslcrtd_program /opt/squid/libexec/ssl_crtd -s /opt/squid/var/squid3_ssldb -M 4MB
sslcrtd_children 10

always_direct allow all # do not use the cache

sslproxy_cert_error allow all #allow to handle the request when a certificate validation error in the web site
sslproxy_flags DONT_VERIFY_PEER #disables the check for the list of default CA and accepts the certificate, the publisher of which is unknown

ssl_bump server-first all #the mode to establish a connection first with the web server, then the SSL connection with the client

coredump_dir /opt/squid/var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320


max_filedescriptors 4096
cache_replacement_policy GDSF
persistent_connection_after_error off #after the occurrence of the HTTP error, Squid stops using persistent connection with this client

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
#icap_service_failure_limit 10 in 5 seconds After making 10 errors in 5 seconds pauses using icap
icap_service service_avi_req reqmod_precache icap://127.0.0.1:1344/virus_scan bypass=on
adaptation_access service_avi_req allow all
icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/virus_scan bypass=on
adaptation_access service_avi_resp allow all

logfile_rotate 0



The contents of the file /opt/squid/etc/blocked_reklama
www.mult.ru
www.securitylab.ru



With this config, access to https://www.securitylab.ru is blocked, while www.mult.ru loads perfectly. The sites are listed just for testing and will be replaced by others later. Please don't suggest squidGuard; it should work as it is. What did I miss?

squid -v
Squid Cache: Version 3.5.28
Service Name: squid

This binary uses OpenSSL 1.0.2n  7 Dec 2017. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options: '--prefix=/opt/squid' '--with-large-files' '--enable-ssl' '--enable-ssl-crtd' '--enable-ltdl-convenienc' '--enable-auth-negotiate=kerberos,wrapper' '--enable-icap-client' '--with-openssl=/opt/openssl-1.0.2p' '--enable-http-violations' --enable-ltdl-convenience
March 12th 20 at 08:39
2 answers
March 12th 20 at 08:41
Solution
The question is withdrawn: I recompiled my Squid with the same parameters and it worked... wonders...
March 12th 20 at 08:43
The logs will save you.
The ACLs there go from the top down and all that.
Yes, the thing is precisely that the ACL is at the top))) The logs haven't said anything useful so far((( It would be one thing if HTTPS filtering didn't work, but in fact it's the opposite: what should work out of the box isn't working((( - Belle.Pfannersti commented on March 12th 20 at 08:46
Well, Squid is murky; I worked with it too, but a long time ago.

I remember there is something like this: if a login is allowed everything, the remaining ACLs are skipped, etc.

Look for overlaps. - may_Bechtel commented on March 12th 20 at 08:49
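
The top-down evaluation mentioned in the answers can be checked against the posted rules with a small model. This is an added example, not Squid's code and not something posted in the thread; `decide`, the constructed request state and the reduced Safe_ports check are assumptions.

```python
# Simplified model of Squid's http_access evaluation; not Squid's own code.
def dstdomain_match(host, entries):
    # "example.com" matches only that host; ".example.com" also matches subdomains.
    host = host.lower().rstrip(".")
    for entry in (e.lower() for e in entries):
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def parse_http_access(text):
    # Keep (action, [acl, ...]) for each http_access line, dropping comments.
    rules = []
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return rules

def evaluate(rules, state):
    # Top-down: the first rule whose ACLs all match decides the request.
    for number, (action, acls) in enumerate(rules, start=1):
        if all(state.get(a.lstrip("!"), False) != a.startswith("!") for a in acls):
            return action, number
    # Nothing matched: Squid applies the opposite of the last rule's action.
    last = rules[-1][0] if rules else "allow"  # no rules at all: deny
    return ("deny" if last == "allow" else "allow"), None

# http_access lines in the order posted in the question.
HTTP_ACCESS = """\
http_access deny pcname
http_access deny blocked_ads
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow userauth
http_access allow localnet
http_access allow localhost
http_access deny all
"""
BLOCKED = ["www.mult.ru", "www.securitylab.ru"]  # blocked_reklama as posted
def decide(host, port=80):
    # Constructed request: plain GET from an authenticated localnet user.
    state = {"blocked_ads": dstdomain_match(host, BLOCKED), "Safe_ports": port in (80, 443),
             "userauth": True, "localnet": True, "all": True}
    return evaluate(parse_http_access(HTTP_ACCESS), state)
```

In this model `decide("www.mult.ru")` stops at the second rule with a deny, so the posted rule order is not what lets the HTTP request through. A request for `mult.ru` or another subdomain reaches the `userauth` allow unless the list entry is written as `.mult.ru`.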
