Squid and ssl bump tricky acl?
Squid 3.5 transparent proxy with https filtering. Users without a group can only visit allowed_urls. Users in extended_access_group can visit everything except denied_urls. A single acl for http and https. How do I set up another group, public_access_group, with forbidden urls that apply only to it, and so that the acls stay the same for http and https?
And, along the way, the https connection is written to the log like this:
1483937177 172.22.50.67 https://www.google.ru 200 0 peek
1483937177 172.22.50.67 https://www.google.ru 200 4306 splice
# Standard squid.conf ACLs referenced below (the default definitions;
# the original post omitted them)
acl localnet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7 fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT

# Separate log formats for intercepted HTTPS (logged by SNI and bump mode)
# and for plain HTTP; access_log is the Squid 3.x directive name
# (cache_access_log is the legacy alias)
acl https_port port 443
logformat https %ts %>a https://%ssl::>sni %03Hs %<st %ssl::bump_mode
access_log /var/log/squid/access.log https https_port
acl http_port port 80
logformat http %ts %>a %ru %03Hs %<st
access_log /var/log/squid/access.log http http_port

# URL lists and the privileged source group
acl denied_urls url_regex "/etc/squid/denied_urls"
acl allowed_urls url_regex "/etc/squid/allowed_urls"
acl extended_access_group src "/etc/squid/extended_access_group"

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
# Intercepted HTTPS arrives here as a fake CONNECT; it is allowed at this
# point and filtered by the ssl_bump rules below
http_access allow localnet CONNECT
http_access deny denied_urls
# Clients outside extended_access_group are limited to allowed_urls
http_access deny !extended_access_group !allowed_urls
http_access allow localnet
http_access allow localhost
http_access deny all

http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump options=ALL:NO_SSLv3:NO_SSLv2 connection-auth=off cert=/etc/squid/squidCA.pem
always_direct allow all
# Both of the following disable validation of the origin server's
# certificate: a forged upstream certificate is accepted silently
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

# The same list files, matched against the TLS SNI instead of the URL
acl allowed_urls_ssl ssl::server_name_regex "/etc/squid/allowed_urls"
acl denied_urls_ssl ssl::server_name_regex "/etc/squid/denied_urls"
acl step1 at_step SslBump1
# Peek at the ClientHello first so the SNI is available to the rules below
ssl_bump peek step1
ssl_bump terminate denied_urls_ssl
ssl_bump splice extended_access_group
ssl_bump terminate !allowed_urls_ssl
ssl_bump splice all
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
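How a third group with its own deny list slots into the rule order above, as an added illustration that is not part of the original post or an answer from the forum. The names public_access_group and public_denied_urls and their file paths are assumptions; the global denied_urls list is kept in force for everyone, and the same list file feeds both the url_regex and the ssl::server_name_regex ACL, which is as close as Squid 3.5 gets to one ACL covering HTTP and HTTPS.

```conf
# New group and its own deny list (assumed names and paths)
acl public_access_group src "/etc/squid/public_access_group"
acl public_denied_urls url_regex "/etc/squid/public_denied_urls"
acl public_denied_urls_ssl ssl::server_name_regex "/etc/squid/public_denied_urls"

# Plain HTTP: first match wins, so the group-specific deny must come before
# the general allow and before the default-group restriction
http_access allow localnet CONNECT
http_access deny denied_urls
http_access deny public_access_group public_denied_urls
http_access deny !extended_access_group !public_access_group !allowed_urls
http_access allow localnet
http_access allow localhost
http_access deny all

# Intercepted HTTPS: the same decisions taken on the SNI after the peek
ssl_bump peek step1
ssl_bump terminate denied_urls_ssl
ssl_bump terminate public_access_group public_denied_urls_ssl
ssl_bump splice extended_access_group
ssl_bump splice public_access_group
ssl_bump terminate !allowed_urls_ssl
ssl_bump splice all
```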