Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Squid transparent proxy + HTTPS

    Scheduled Pinned Locked Moved Cache/Proxy
    17 Posts 2 Posters 2.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W
      wndrew @JonathanLee
      last edited by

      @JonathanLee Yes, proxy works in transparent mode

      1 Reply Last reply Reply Quote 0
      • JonathanLeeJ
        JonathanLee
        last edited by

        Just leave it in transparent mode than. Unless you need the other mode to inspect issues

        Make sure to upvote

        W 1 Reply Last reply Reply Quote 0
        • W
          wndrew @JonathanLee
          last edited by

          @JonathanLee What do you mean? I need access to those sites. What's may be the problem, because if I set this settings:

          ssl_bump peek all
          ssl_bump splice all
          

          everything opens fine

          JonathanLeeJ 1 Reply Last reply Reply Quote 0
          • JonathanLeeJ
            JonathanLee @wndrew
            last edited by

            @wndrew That should work also you're not bumping connections I have no issues with those websites.. did you create certificates ?

            Make sure to upvote

            W 1 Reply Last reply Reply Quote 0
            • W
              wndrew @JonathanLee
              last edited by

              @JonathanLee Yes, I have one
              2.png

              1 Reply Last reply Reply Quote 0
              • JonathanLeeJ
                JonathanLee
                last edited by

                How did you configure your squid ? Both transparent and ssl intercept? Loopback also?

                Make sure to upvote

                W 1 Reply Last reply Reply Quote 0
                • W
                  wndrew @JonathanLee
                  last edited by

                  @JonathanLee Yes, transparent and ssl intercept + loopback

                  JonathanLeeJ 2 Replies Last reply Reply Quote 1
                  • JonathanLeeJ
                    JonathanLee @wndrew
                    last edited by

                    @wndrew Those domains should work weird I never have issues with them

                    Make sure to upvote

                    1 Reply Last reply Reply Quote 0
                    • JonathanLeeJ
                      JonathanLee @wndrew
                      last edited by

                      @wndrew 🤔

                      This is my advanced config

                      http_access deny !safeports
                      http_access deny CONNECT !sslports
                      http_access allow localhost manager
                      http_access deny manager
                      cachemgr_passwd disable offline_toggle reconfigure shutdown
                      cachemgr_passwd reacted all
                      eui_lookup on
                      acl no_miss url_regex -i gateway\.facebook\.com\/ws\/realtime\?
                      acl no_miss url_regex -i web-chat-e2ee\.facebook\.com\/ws\/chat
                      acl CONNECT method CONNECT
                      acl wuCONNECT dstdomain www.update.microsoft.com
                      acl wuCONNECT dstdomain sls.microsoft.com
                      http_access allow CONNECT wuCONNECT localnet
                      http_access allow CONNECT wuCONNECT localhost
                      http_access allow windowsupdate localnet
                      http_access allow windowsupdate localhost
                      http_access allow HttpAccess localnet
                      http_access allow HttpAccess localhost
                      http_access deny manager
                      http_access deny to_ipv6
                      http_access deny from_ipv6
                      
                      acl BrokenButTrustedServers dstdomain "/usr/local/pkg/dstdom.broken"
                      acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
                      sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
                      sslproxy_cert_error deny all
                      
                      acl splice_only src 192.168.1.8 #Tasha iPhone
                      acl splice_only src 192.168.1.10 #Jon iPhone
                      acl splice_only src 192.168.1.11 #Amazon Fire
                      acl splice_only src 192.168.1.15 #Tasha HP
                      acl splice_only src 192.168.1.16 #iPad
                      
                      acl splice_only_mac arp redacted
                      acl splice_only_mac arp redacted
                      acl splice_only_mac arp redacted
                      acl splice_only_mac arp redacted
                      acl splice_only_mac arp redacted
                      
                      acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/pkg/reg.url.nobump"
                      acl NoBumpDNS dstdomain "/usr/local/pkg/dns.nobump"
                      
                      #acl markBumped annotate_client bumped=true
                      acl active_use annotate_client active=true
                      
                      acl bump_only src 192.168.1.3 #webtv
                      acl bump_only src 192.168.1.4 #toshiba
                      acl bump_only src 192.168.1.5 #imac
                      acl bump_only src 192.168.1.9 #macbook
                      acl bump_only src 192.168.1.13 #dell
                      
                      acl bump_only_mac arp redacted
                      acl bump_only_mac arp redacted
                      acl bump_only_mac arp redacted
                      acl bump_only_mac arp redacted
                      acl bump_only_mac arp redacted
                      
                      collapsed_forwarding on
                      negative_dns_ttl 5 minutes
                      shutdown_lifetime 1 seconds
                      
                      ssl_bump peek step1
                      miss_access deny no_miss active_use
                      ssl_bump splice https_login active_use
                      ssl_bump splice splice_only_mac splice_only active_use
                      ssl_bump splice NoBumpDNS active_use
                      ssl_bump splice NoSSLIntercept active_use
                      ssl_bump bump bump_only_mac bump_only active_use
                      acl activated note active_use true
                      ssl_bump terminate !activated
                      
                      #acl SSLIntercept ssl::server_name_regex -i "/usr/local/pkg/url.bump"
                      #ssl_bump bump SSLIntercept
                      

                      try this setting see if it helps?

                      tls_outgoing_options options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET,SINGLE_DH_USE,SINGLE_ECDH_USE
                      

                      Make sure to upvote

                      W 1 Reply Last reply Reply Quote 1
                      • W
                        wndrew @JonathanLee
                        last edited by

                        @JonathanLee it didn't help

                        tls_outgoing_options options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET,SINGLE_DH_USE,SINGLE_ECDH_USE
                        

                        What version of squid you are using?
                        Mine is

                        Squid Cache: Version 6.3
                        Service Name: squid
                        
                        JonathanLeeJ 1 Reply Last reply Reply Quote 0
                        • JonathanLeeJ
                          JonathanLee @wndrew
                          last edited by

                          @wndrew Squid 6.6 and Squid 5.8

                          Make sure to upvote

                          1 Reply Last reply Reply Quote 0
                          • JonathanLeeJ
                            JonathanLee
                            last edited by

                            Wait…. Have you blocked DoH ?? And HTTP3 DoH over QUIC ? Your systems have to use pfSense as the DNS

                            Make sure to upvote

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.