Warning: Any example presented here is provided "as-is" with no support or guarantee of suitability. If you have any further questions about these examples please email the squid-users mailing list.
How to pass Telegram
Starting with version 0.10.11 (for tdesktop), the Telegram client uses a pinned TLS connection during its bootstrap connection to 149.154.164.0/22 or 149.154.172.0/22. An SSL-Bump proxy must therefore be configured to splice the initial connection from Telegram to the server:
    # SSL-bump rules
    acl DiscoverSNIHost at_step SslBump1
    # Splice Telegram bootstrap
    acl NoSSLIntercept ssl::server_name_regex 149\.154\.16[4-7]\. 149\.154\.17[2-5]\.
    ssl_bump peek DiscoverSNIHost
    ssl_bump splice NoSSLIntercept
    ssl_bump bump all
The same rules can also be used to block Telegram: just remove the Telegram networks from the splice ACL.
How to block Telegram
Telegram uses its own protocol (MTProto), which can run over TCP, SOCKS, or HTTP tunneling. To block Telegram you must use a complex configuration that blocks all of those channels.
NOTE: Telegram is really difficult to block. It can use port 80 with its own tunnelling, SOCKS4/5, Tor, etc. AFAIK, Tor is impossible to completely block in any way if you can't block Tor's SOCKS entry point and/or any SOCKS proxies.
To block Telegram you need to block the SOCKS protocol (by any means) in your network, and ban the Telegram access points in the 149.154.164.0/22 and 149.154.172.0/22 networks.
The simplest way to block Telegram is to write an ACL on a Cisco device:

    remark Ban Telegram
    deny ip any 149.154.164.0 255.255.252.0
    deny ip any 149.154.172.0 255.255.252.0

This prevents Telegram clients from authenticating, so they fail to connect.
Squid Configuration File
Paste the following into the configuration file:

    acl Telegram dst 149.154.164.0/22
    acl Telegram dst 149.154.172.0/22
    http_access deny Telegram

This only affects Telegram clients using HTTP proxy settings. On an interception proxy it also works with Telegram clients in AUTO mode (the default).
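To confirm that the deny rule is taking effect, the proxy's access log can be scanned for requests to the two networks covered by the splice regex above. The following is an added example, not part of the original page or of Squid itself; it assumes Squid's native access.log format, and the log lines, client addresses and function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# The two /22 networks matched by the page's splice regex
# (149.154.164-167.x and 149.154.172-175.x).
TELEGRAM_NETS = [ipaddress.ip_network("149.154.164.0/22"),
                 ipaddress.ip_network("149.154.172.0/22")]

# Constructed sample lines in Squid's native access.log format (assumption).
SAMPLE_LOG = """\
1700000000.123     45 192.168.1.10 TCP_DENIED/403 3900 CONNECT 149.154.167.50:443 - HIER_NONE/- text/html
1700000001.456   3012 192.168.1.11 TCP_TUNNEL/200 5120 CONNECT 149.154.175.10:443 - HIER_DIRECT/149.154.175.10 -
1700000002.789    120 192.168.1.12 TCP_MISS/200 812 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1700000003.001    310 192.168.1.11 TCP_MISS/200 640 POST http://149.154.167.51/api - HIER_DIRECT/149.154.167.51 -
1700000004.250   2200 192.168.1.13 TCP_TUNNEL/200 4100 CONNECT 149.154.168.1:443 - HIER_DIRECT/149.154.168.1 -
""".splitlines()

def dest_host(method, url):
    """Extract the destination host from the log's URL field."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]        # CONNECT logs host:port
    return urlsplit(url).hostname or ""     # plain HTTP logs a full URL

def telegram_hits(lines):
    """Return (client, dest_ip, result_code, verdict) for Telegram-range requests."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue                        # truncated or foreign line
        client, result, method, url = fields[2], fields[3], fields[5], fields[6]
        try:
            ip = ipaddress.ip_address(dest_host(method, url).strip("[]"))
        except ValueError:
            continue                        # hostname, not a literal IP
        if any(ip in net for net in TELEGRAM_NETS):
            verdict = "blocked" if result.startswith("TCP_DENIED") else "allowed"
            hits.append((client, str(ip), result, verdict))
    return hits

if __name__ == "__main__":
    for hit in telegram_hits(SAMPLE_LOG):
        print(*hit)
```

Any "allowed" row after the deny ACL is deployed points to a client path that the rule does not cover, for example a request that matched an earlier http_access allow line.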