Netgate Discussion Forum

    Squid Caching SSL

    Category: Cache/Proxy
    tnovy

      Hey Friends,

      I have been using pfSense with Squid + SquidGuard for nearly a month now. I'm in love with the performance and what it can do.

      One thing I cannot figure out is how to cache and scan HTTPS content. I am quite new to this game.

      Do you have any links to good tutorials on how to accomplish this?

      Thank you in advance.

      kklouzal

        You need to stop using it as a transparent proxy and either manually configure your clients to use the proxy or use something like WPAD in conjunction with a PAC file:
        https://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid

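        The explicit-proxy setup described above is driven by a PAC file that WPAD serves to clients. The file below is an added example (not from this thread or the pfSense documentation) of such a PAC: it sends everything except local and loopback hosts to the Squid proxy, assuming a proxy at 192.168.1.1:3128 and a 192.168.1.0/24 LAN (constructed placeholders); the helper functions are stand-ins for the ones browsers provide to PAC scripts, included only so the file runs offline.

        ```javascript
        // Added example PAC (proxy auto-config) file for a WPAD deployment.
        // Browsers call FindProxyForURL(url, host) for every request and use
        // the returned proxy string. Proxy and LAN values are constructed
        // placeholders; change them to match your pfSense/Squid setup.
        var PROXY = "192.168.1.1:3128";      // placeholder: pfSense LAN address and Squid port
        var LAN_NET = "192.168.1.0";         // placeholder: local subnet
        var LAN_MASK = "255.255.255.0";

        // --- Shims for the helpers browsers normally supply to PAC scripts ---
        // isPlainHostName: true for names without a dot, e.g. "intranet".
        function isPlainHostName(host) { return host.indexOf(".") === -1; }
        // dnsDomainIs: true when host ends with the given domain suffix.
        function dnsDomainIs(host, domain) {
          return host.length >= domain.length &&
                 host.slice(host.length - domain.length) === domain;
        }
        // isInNet shim: the browser version resolves hostnames; this one only
        // matches dotted-quad IPs so the file runs without DNS.
        function isInNet(host, pattern, mask) {
          if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
          var h = host.split("."), p = pattern.split("."), m = mask.split(".");
          for (var i = 0; i < 4; i++) {
            if ((Number(h[i]) & Number(m[i])) !== (Number(p[i]) & Number(m[i]))) return false;
          }
          return true;
        }

        // --- The actual policy ---
        function FindProxyForURL(url, host) {
          // Unqualified names, loopback and the local subnet bypass the proxy.
          if (isPlainHostName(host) || host === "localhost") return "DIRECT";
          if (dnsDomainIs(host, ".lan")) return "DIRECT";
          if (isInNet(host, "127.0.0.0", "255.0.0.0")) return "DIRECT";
          if (isInNet(host, LAN_NET, LAN_MASK)) return "DIRECT";
          // Everything else, HTTP and HTTPS alike, goes to Squid. Drop the
          // trailing "; DIRECT" if clients must never bypass the filter when
          // the proxy is unreachable.
          return "PROXY " + PROXY + "; DIRECT";
        }
        ```

        With this in place the browser sends HTTPS requests to Squid as CONNECT host:443, so the proxy sees and logs the hostname; the full URL and page content stay inside the TLS session.
        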
          KOM

          To intercept HTTPS, you will need to install a trusted certificate on every client that will use the proxy.  This is doable in a controlled environment, but impractical on large numbers of clients or random clients.

            kklouzal

            @KOM wrote:
                To intercept HTTPS, you will need to install a trusted certificate on every client that will use the proxy.

            I was under the impression a PAC+WPAD setup and deselecting the 'transparent proxy' option was all that is needed?

            I did this and can now see the HTTPS requests appear in the 'Realtime' tab. Not sure if it's caching anything though.

            Please correct me if I'm wrong, been running it like this for over 2 years :P

              KOM

              Not quite.  That config will allow you to get the domain but not the full URL or content.  You can use explicit with WPAD to get the domain, or transparent with Splice All.  Full URL or contents requires cert on every client, which is a major hassle.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.