squid SSL / TLS bumping

I would like to configure squid to cache SSL / TLS content. I've done it before, but cannot get it working. I have squid installed and this is my conf:

Code:
acl localnet src 10.30.0.0/24

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

http_access allow localhost
http_access deny to_localhost
http_access deny to_linklocal
http_access deny all

#http_port 3128
https_port 3128 ssl-bump tls-cert=/usr/local/etc/squid/cert.pem tls-key=/usr/local/etc/squid/key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
ssl_bump bump all

cache_dir ufs /var/cache/squid 100 16 256
coredump_dir /var/cache/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

When configuring my proxy server in firefox and navigating to https://lxer.com, I get:

Code:
2026/01/18 12:32:02 kid1| ERROR: Cannot accept a TLS connection
    problem: failure
    error detail: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A0000C6+TLS_IO_ERR=1

I imported the same cert.pem in my /usr/local/etc/squid/cert.pem into firefox.

With my configuration above, I get this error:

Code:
Performing sanity check on squid configuration.
2026/01/18 12:37:21| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2026/01/18 12:37:21| FATAL: ssl-bump on https_port requires tproxy/intercept which is missing.
2026/01/18 12:37:21| Not currently OK to rewrite swap log.
2026/01/18 12:37:21| storeDirWriteCleanLogs: Operation aborted.
2026/01/18 12:37:21| FATAL: Bungled /usr/local/etc/squid/squid.conf line 29: https_port 3128 ssl-bump tls-cert=/usr/local/etc/squid/cert.pem tls-key=/usr/local/etc/squid/key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
2026/01/18 12:37:21| Squid Cache (Version 7.3): Terminated abnormally.
CPU Usage: 0.010 seconds = 0.010 user + 0.000 sys
Maximum Resident Size: 69696 KB
Page faults with physical i/o: 0

Prior to the transparent proxy error, my config was (the relevant bits):
Code:
https_port 3128 cert=/usr/local/etc/squid/cert.pem key=/usr/local/etc/squid/key.pem

I generated the squid cache dirs prior to starting squid:

Code:
squid -z
 
Did you see this fatal error in the config check output?
2026/01/18 12:37:21| FATAL: ssl-bump on https_port requires tproxy/intercept which is missing.
We'd look there first.
 
Yes, I saw that, but is there perhaps a different way to do it? Does SSL bumping need to be transparent? I thought transparent was when the client did NOT specify the proxy and the firewall routed traffic to it.

In firefox, I am explicitly setting HTTPS proxy to the squid instance.
 
With this configuration, squid remains running:
Code:
http_port 3127
https_port 3128 transparent ssl-bump tls-cert=/usr/local/etc/squid/cert.pem tls-key=/usr/local/etc/squid/key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
ssl_bump bump all

When I start squid these are the logs:
Code:
2026/01/18 14:04:08| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2026/01/18 14:04:08| Starting Authentication on port [::]:3128
2026/01/18 14:04:08| Disabling Authentication on port [::]:3128 (interception enabled)
2026/01/18 14:04:08| Created PID file (/var/run/squid/squid.pid)
2026/01/18 14:04:08 kid1| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2026/01/18 14:04:08 kid1| Starting Authentication on port [::]:3128
2026/01/18 14:04:08 kid1| Disabling Authentication on port [::]:3128 (interception enabled)
2026/01/18 14:04:08 kid1| Set Current Directory to /var/cache/squid
2026/01/18 14:04:08 kid1| Starting Squid Cache version 7.3 for amd64-portbld-freebsd15.0...
2026/01/18 14:04:08 kid1| Service Name: squid
2026/01/18 14:04:08 kid1| Process ID 82604
2026/01/18 14:04:08 kid1| Process Roles: worker
2026/01/18 14:04:08 kid1| With 467145 file descriptors available
2026/01/18 14:04:08 kid1| Initializing IP Cache...
2026/01/18 14:04:08 kid1| DNS IPv6 socket created at [::], FD 7
2026/01/18 14:04:08 kid1| DNS IPv4 socket created at 0.0.0.0, FD 8
2026/01/18 14:04:08 kid1| Adding nameserver 127.0.0.1 from /etc/resolv.conf
2026/01/18 14:04:08 kid1| helperOpenServers: Starting 5/32 'security_file_certgen' processes
2026/01/18 14:04:08 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2026/01/18 14:04:08 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2026/01/18 14:04:08 kid1| Unlinkd pipe opened on FD 24
2026/01/18 14:04:08 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2026/01/18 14:04:08 kid1| Store logging disabled
2026/01/18 14:04:08 kid1| Swap maxSize 102400 + 262144 KB, estimated 28041 objects
2026/01/18 14:04:08 kid1| Target number of buckets: 1402
2026/01/18 14:04:08 kid1| Using 8192 Store buckets
2026/01/18 14:04:08 kid1| Max Mem  size: 262144 KB
2026/01/18 14:04:08 kid1| Max Swap size: 102400 KB
2026/01/18 14:04:08 kid1| Rebuilding storage in /var/cache/squid (clean log)
2026/01/18 14:04:08 kid1| Using Least Load store dir selection
2026/01/18 14:04:08 kid1| Set Current Directory to /var/cache/squid
2026/01/18 14:04:08 kid1| Finished loading MIME types and icons.
2026/01/18 14:04:08 kid1| HTCP Disabled.
2026/01/18 14:04:08 kid1| Pinger socket opened on FD 30
2026/01/18 14:04:08 kid1| Squid plugin modules loaded: 0
2026/01/18 14:04:08 kid1| Adaptation support is off.
2026/01/18 14:04:08 kid1| Accepting HTTP Socket connections at conn13 local=[::]:3127 remote=[::] FD 27 flags=9
    listening port: 3127
2026/01/18 14:04:08 kid1| Accepting NAT intercepted SSL bumped HTTPS Socket connections at conn15 local=[::]:3128 remote=[::] FD 28 flags=41
    listening port: 3128
2026/01/18 14:04:08 kid1| Done reading /var/cache/squid swaplog (0 entries)
2026/01/18 14:04:08 kid1| Indexing cache entries: 0.00% (0 out of 1)
2026/01/18 14:04:08 kid1| Finished rebuilding storage from disk.
          0 Entries scanned
          0 Invalid entries
          0 With invalid flags
          0 Objects loaded
          0 Objects expired
          0 Objects canceled
          0 Duplicate URLs purged
          0 Swapfile clashes avoided
    Took 0.02 seconds (0.00 objects/sec).
2026/01/18 14:04:08 kid1| Beginning Validation Procedure
2026/01/18 14:04:08 kid1| Completed Validation Procedure
    Validated 0 Entries
    store_swap_size = 0.00 KB
2026/01/18 14:04:08 pinger| Initialising ICMP pinger ...
2026/01/18 14:04:08 pinger| ICMP socket opened.
2026/01/18 14:04:08 pinger| ICMPv6 socket opened
2026/01/18 14:04:09 kid1| storeLateRelease: released 0 objects

From the logs, that is what transparent seems to indicate to me, but that aside, in firefox, I have configured HTTPS proxy; however, it doesn't seem like it is rewriting because upon inspecting the certificate, I don't see my CA certificate there in the chain anywhere.

So, for this to work, do I need to go to PF and force outbound HTTPS connections to squid, but if I already have an HTTPS proxy, isn't it already telling it to go there?
 
Cool, I think I have it mostly sorted out now:

squid.conf:
Code:
http_port 3127
https_port 3128 transparent ssl-bump tls-cert=/usr/local/etc/squid/cert.pem tls-key=/usr/local/etc/squid/key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
ssl_bump bump all

pf:
Code:
rdr pass on wired inet proto tcp from any to any port = http -> $SQUID_IP port 3127
rdr pass on wired inet proto tcp from any to any port = https -> $SQUID_IP port 3128

Now, I am getting a squid access denied error, but I think that is a simple fix; I need to sort out my ACL.
 
Hmm, so, after fixing the permissions errors on the squid dirs, it is still having trouble with TLS connections:

Code:
2026/01/18 14:49:25 kid1| ERROR: Cannot accept a TLS connection
    problem: failure
    error detail: SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1

[No Error] (TLS code: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN+broken_cert)
Self-signed SSL Certificate in chain


The certificate is in firefox. I am using the same exact certificate that I have in use for squid.

I think perhaps regardless of that, I need to generate the certificate differently. I need to generate a certificate request, then sign that :).

EDIT: It looks like squid is not happy with the self-signed certificate.
 
Hmm, this seems to show that a firewall redirection rule isn't required:

https://www.youtube.com/watch?v=ujmeqs_gr8A

At 6:48, he shows roughly his squid configuration.
If you look at about 17:38 in, he is explicitly setting the proxy, both HTTP and HTTPS. Perhaps it is because squid was built differently?

Regardless of that, my error seems to indicate my certificate isn't proper, but I believe I followed the directions for a self-signed cert. It's been many years since I did SSL and whenever I did I recall having a separate Certificate Authority certificate and key. My understanding is that I am generating the Certificate Authority certificate and key and then squid is dynamically generating certificates from my CA, so that is why there is only 1 pair.

Having said that, I'm confused why squid apparently isn't happy with my SSL certificates. This is one of the pages I am referencing on squid:

 
I've been playing with this for a while and it appears that Firefox does not like my SSL CA Certificate. I think the error I am getting is unknown issuer. Even though I have that certificate in Firefox and it is set to identify websites, Firefox still isn't happy.
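The two `error detail` values quoted in this thread can be decoded rather than guessed at. The script below is an added example (not from the thread, squid or OpenSSL): it unpacks squid's TLS_LIB_ERR with OpenSSL 3's error layout (library id in the top byte, reason in the low 23 bits) and assumes TLS_IO_ERR is the SSL_get_error() value. Reasons 1000-1255 in the SSL library are TLS alerts received from the peer, so A000418 decodes to the client sending alert 48, unknown_ca: the browser rejecting the issuer of the certificate squid generated.

```python
import re

# Added example, not squid's code. OpenSSL 3 packs an error as
# (library << 23) | reason; squid logs that number as TLS_LIB_ERR in hex.
ERR_LIB_OFFSET, ERR_REASON_MASK, ERR_LIB_SSL = 23, 0x7FFFFF, 20

# In the SSL library, reasons 1000-1255 mean "peer sent TLS alert N-1000".
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate",
              45: "certificate_expired", 46: "certificate_unknown",
              48: "unknown_ca", 70: "protocol_version", 80: "internal_error"}

# SSL_get_error() values, which squid is assumed to report as TLS_IO_ERR.
TLS_IO_ERRS = {1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
               3: "SSL_ERROR_WANT_WRITE", 5: "SSL_ERROR_SYSCALL"}

DETAIL_RE = re.compile(r"TLS_LIB_ERR=([0-9A-Fa-f]+)\+TLS_IO_ERR=(\d+)")


def decode_detail(detail: str) -> dict:
    """Split one squid 'error detail:' value into its OpenSSL parts."""
    m = DETAIL_RE.search(detail)
    if not m:
        raise ValueError(f"unrecognised squid TLS error detail: {detail!r}")
    code = int(m.group(1), 16)          # "A000418" is 0x0A000418
    lib, reason = code >> ERR_LIB_OFFSET, code & ERR_REASON_MASK
    alert = None
    if lib == ERR_LIB_SSL and 1000 <= reason <= 1255:
        alert = TLS_ALERTS.get(reason - 1000, f"alert_{reason - 1000}")
    io_err = TLS_IO_ERRS.get(int(m.group(2)), f"SSL_ERROR_{m.group(2)}")
    return {"code": m.group(1), "lib": lib, "reason": reason,
            "peer_alert": alert, "io_err": io_err}


def explain(detail: str) -> str:
    """One-line diagnosis: did the client reject the certificate we sent?"""
    d = decode_detail(detail)
    if d["peer_alert"]:
        return (f"client sent TLS alert {d['peer_alert']}: it does not trust "
                f"the certificate squid presented ({d['io_err']})")
    return (f"OpenSSL lib {d['lib']} reason {d['reason']} ({d['io_err']}); "
            f"run `openssl errstr {d['code']}` for the text")


if __name__ == "__main__":
    # The two error details quoted in this thread.
    for detail in ("SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A000418+TLS_IO_ERR=1",
                   "SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=A0000C6+TLS_IO_ERR=1"):
        print(detail, "->", explain(detail))
```

A peer alert points at the client's trust store (the CA must be imported as a certificate authority trusted to identify websites, not as a server certificate); a non-alert reason points at squid's own certificate or cipher setup.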
 