Encrypted browser-Squid connection

  • Hi

    Do you know if the communication between the Squid proxy server and the browser is encrypted?

    Can anyone sniff the proxy authentication passwords?


  • Thanks! Very useful. I have activated the "https_port" option in the Squid configuration, but I get this error:

    /pkg_edit.php: The command '/usr/local/sbin/squid -k reconfigure -f /usr/local/etc/squid/squid.conf' returned exit code '1', the output was 'FATAL: No valid signing SSL certificate configured for HTTPS_port Squid Cache (Version 3.5.27): Terminated abnormally.

    How can I configure a certificate? The GUI shows an option to select a certificate, but it is for "SSL Man In the Middle Filtering", which I don't use.

    My pfSense WebConfigurator has a Let's Encrypt certificate; I hope to use the same certificate.

  • I found the solution.

    First I downloaded and modified this script to export the Let's Encrypt certificate from the config.xml file:

    #!/bin/sh
    set -eu
    # Assumed defaults: xmllint from the libxml2 package and the pfSense config file;
    # both can be overridden from the environment.
    XMLLINT="${XMLLINT:-/usr/local/bin/xmllint}"
    PFSENSE_CONF="${PFSENSE_CONF:-/cf/conf/config.xml}"
    BASE64_DECODE='/usr/local/bin/python2 -m base64 -d'

    # Private key of the certificate whose <descr> equals $1, base64-decoded to PEM
    extract_private_key() {
            local RAW XPATH
            XPATH="/pfsense/cert[descr[normalize-space(.) = '$1']]/prv/text()"
            RAW="`"$XMLLINT" --xpath "$XPATH" "$PFSENSE_CONF"`"
            printf "%s\n" "`echo "$RAW" | $BASE64_DECODE`"
    }

    # Certificate of the same entry, base64-decoded to PEM
    extract_certificate() {
            local RAW XPATH
            XPATH="/pfsense/cert[descr[normalize-space(.) = '$1']]/crt/text()"
            RAW="`"$XMLLINT" --xpath "$XPATH" "$PFSENSE_CONF"`"
            printf "%s\n" "`echo "$RAW" | $BASE64_DECODE`"
    }

    # Key followed by certificate, in the order Squid's cert= option expects
    combine_pem() {
            PRIVATE_KEY="`extract_private_key "$1"`"
            CERTIFICATE="`extract_certificate "$1"`"
            printf '%s\n%s\n' "$PRIVATE_KEY" "$CERTIFICATE"
    }

    main() {
            if [ "$#" -ne 1 ]; then
                    printf "Not enough arguments.\nUsage:\n\t%s\n" \
                            "$0 certificate_name"
                    exit 1
            fi
            PFSENSE_CERT_NAME="$1"
            # Status goes to stderr so only the PEM reaches the redirected stdout
            echo "Extracting cert+key from pfSense" >&2
            combine_pem "$PFSENSE_CERT_NAME"
    }
    main "$@"

    Then I added the script as a cron job:

    30 3 * * * root /root/pemExtract pfsense.mycompany.com > /usr/local/etc/squid/cert.pem

    Finally, I added these parameters to the Squid Advanced options:

    https_port cert=/usr/local/etc/squid/cert.pem

    Firefox and Chrome work perfectly, but Internet Explorer is not compatible with a secure proxy. I modified my proxy wpad.dat file to detect IE:

    function FindProxyForURL(url, host) {
            var httpProxy = "PROXY pfsense.mycompany.com:3128";
            var httpsProxy = "HTTPS pfsense.mycompany.com:3129";
            // Internet Explorer 6-11: the @cc_on conditional compilation only fires
            // under JScript; the document check is guarded because a PAC sandbox
            // does not define document
            var isIE = /*@cc_on!@*/false || (typeof document !== "undefined" && !!document.documentMode);
            // Edge 20+ (same guard, window is not defined in a PAC sandbox either)
            var isEdge = !isIE && (typeof window !== "undefined" && !!window.StyleMedia);
            if (
                url.substring(0,7)  == "chrome:"
            ||  url.substring(0,6)  == "about:"
            ||  shExpMatch(host, "localhost")
            ||  isInNet(host, "",  "")
            ||  isInNet(host, "", "")
            ||  shExpMatch(host, "192.168.0.*")
            ||  shExpMatch(host, "127.*")
            ||  isPlainHostName(host)
            ) {
                return "DIRECT";
            }
            // IE and Edge cannot talk TLS to the proxy, so they get the plain PROXY
            // directive; everything else goes to the HTTPS proxy port
            if (
                url.substring(0, 5) == "http:"
            ||  url.substring(0, 6) == "https:"
            ||  url.substring(0, 4) == "ftp:"
            ) {
                if (isIE || isEdge) {
                    return httpProxy;
                }
                return httpsProxy;
            }
            return httpsProxy;
    }

    Now the proxy is safe to use over the Internet, but I opened only port 3129 on the WAN. This means IE only works on the local network, but I don't care, almost nobody uses that browser.
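
As an added example (not part of the original post), a small Node.js harness that runs the routing rules of the wpad.dat above offline and reports which clients still hand Proxy-Authorization to the proxy over a plaintext hop. proxy.example.com, the client labels and the 192.168.0.0/24 range are placeholders, and the redacted isInNet rules are left out.

```javascript
// Offline harness for the PAC routing rules above (added example, not from the
// original post). Browser-provided PAC helpers are stubbed just enough for the
// rules used; hostnames and the LAN range are placeholders.

// Minimal stand-ins for the helper functions a browser's PAC engine supplies.
function shExpMatch(str, pattern) {
  var re = "^" + pattern.split("*")
    .map(function (s) { return s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"); })
    .join(".*") + "$";
  return new RegExp(re).test(str);
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }

// Same decisions as the posted PAC. The client kind is passed in explicitly: a PAC
// sandbox exposes neither `document` nor `window`, so the in-script sniff can only
// fire through IE's JScript conditional compilation.
function findProxyForURL(url, host, client) {
  var httpProxy  = "PROXY proxy.example.com:3128";  // plaintext hop to the proxy
  var httpsProxy = "HTTPS proxy.example.com:3129";  // TLS hop to the proxy
  var isIE = client === "ie";
  var isEdge = !isIE && client === "edge";
  if (url.substring(0, 7) === "chrome:" || url.substring(0, 6) === "about:" ||
      shExpMatch(host, "localhost") || shExpMatch(host, "192.168.0.*") ||
      shExpMatch(host, "127.*") || isPlainHostName(host)) {
    return "DIRECT";
  }
  if (url.substring(0, 5) === "http:" || url.substring(0, 6) === "https:" ||
      url.substring(0, 4) === "ftp:") {
    return (isIE || isEdge) ? httpProxy : httpsProxy;
  }
  return httpsProxy;
}

// Which of the given clients would send Proxy-Authorization over a plaintext hop
// for this request: exactly those steered to a PROXY directive rather than HTTPS.
function clearTextClients(url, host, clients) {
  return clients.filter(function (c) {
    return findProxyForURL(url, host, c).indexOf("PROXY ") === 0;
  });
}
```

For an external HTTPS URL, clearTextClients() returns ["ie", "edge"], the set of clients still exposed to credential sniffing on the proxy hop.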

  • Netgate Administrator

    @evilside said in Encrypted browser-Squid connection:

    but I don't care, almost nobody uses that browser.