Squid Caching SSL

tnovy

Hey Friends,

I have been using pfsense and squid+ squid guard for nearly a month now.  In love with the performance and what it can do.

One thing I cannot figure out is how to cache, scan https content.  I am quite new in this game.

Do you have any links to good tutorials on how to accomplish this?

Thank you in advance.

kklouzal

You need to stop using it as a transparent proxy and either manually configure your clients to use the proxy or use something like WPAD in junction with a PAC file
https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

KOM

To intercept HTTPS, you will need to install a trusted certificate on every client that will use the proxy.  This is doable in a controlled environment, but impractical on large numbers of clients or random clients.

kklouzal

@KOM:

To intercept HTTPS, you will need to install a trusted certificate on every client that will use the proxy.

I was under the impression a PAC+WPAD setup and deselecting the 'transparent proxy' option was all that is needed?

I did this and can now see the HTTPS requests appear in the 'Realtime' tab. Not sure if it's caching anything though..

Please correct me if I'm wrong, been running it like this for over 2 years :P

KOM

Not quite.  That config will allow you to get the domain but not the full URL or content.  You can use explicit with WPAD to get the domain, or transparent with Splice All.  Full URL or contents requires cert on every client, which is a major hassle.