How to configure squid in transparent mode and avoid HSTS errors in the browser?



  • I am trying to use squid to accelerate downloads from common locations like package/container repositories. My original attempt was to use it in non-transparent mode with a custom CA (installed on the clients too), and it apparently worked OK.

    Still, after a while I faced a new issue: when defining the http(s)_proxy variables, all traffic is sent to the proxy, including the local subnet. The implementation of the no_proxy variable seems to be extremely poor, so poor that even current versions of curl are not able to load a subnet from it (and a lot of other clients come with their own set of configurations and bugs: docker, wget, pip, easy_install, ...).

    So my next attempt was to try to use squid in transparent mode, where I can easily control which clients or servers go through the proxy and which do not.

    That was the moment when I realised that using squid in transparent mode does not play well with HSTS-enabled websites (a permanently growing number), for example google.com and duckduckgo.com.

    As soon as I enabled the transparent proxy, Firefox warned me that the certificate common name did not match the address. I should mention that when using squid in non-transparent mode this was OK.

    Considering that I already have the custom CA installed on the client, I see no reason why I shouldn't be able to make it work.

    I suspect something in the squid config is making it generate certificates that are somehow in conflict with previously known certificates of these sites.

    Is there a way to avoid this while still being able to perform MITM-acceleration?

    Did I miss something in my squid.conf? (It was edited only via the GUI.)
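Added illustration (not part of the question, and not a configuration taken from any squid distribution or GUI): the difference between a transparent SslBump setup that learns the host name from the TLS SNI before minting a certificate, and one that does not. In intercept mode there is no CONNECT request carrying the host name, so if squid decides to bump at the first SslBump step it only knows the destination IP address and mints a certificate for that address; the browser then reports a name mismatch, and for HSTS-enabled sites it refuses to let the user click through. Peeking at the ClientHello first (Squid 3.5 or later) hands the certificate generator the SNI name instead. File paths, port numbers and the example ACL below are assumptions; the firewall redirect rules that send port 80/443 traffic to ports 3128/3129 are not shown.

```conf
# squid.conf fragment for transparent HTTPS caching (added example; paths are assumptions)

# Intercepted ports: the firewall redirects port 80 here ...
http_port 3128 intercept
# ... and port 443 here. The CA certificate and key (the same CA installed on
# the clients) are assumed to live in one PEM file.
https_port 3129 intercept ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# Helper that mints per-site certificates signed by the CA above
# (Squid 4+; in Squid 3.5 the program is called ssl_crtd).
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# PROBLEM VARIANT (shown for contrast only; do not combine with the rules below):
#   ssl_bump bump all
# Without a peek step, squid decides at SslBump step 1, where the only thing it
# knows about an intercepted connection is the destination IP. The generated
# certificate is then issued for that IP, the browser sees a name mismatch,
# and HSTS turns that mismatch into a hard error with no click-through.

# Step 1: only look at the TLS ClientHello to learn the SNI host name.
acl step1 at_step SslBump1
ssl_bump peek step1

# Sites that must not be bumped (pinned certificates, client certificates,
# or simply out of scope) are passed through untouched. The ACL is an assumption.
acl nobump ssl::server_name .example.com
ssl_bump splice nobump

# Steps 2/3: mint a certificate for the SNI name and decrypt the rest.
ssl_bump bump all
```

After reloading squid, verify from a client with `openssl s_client -connect <site>:443 -servername <site>` that the presented certificate's subject/SAN carries the site name (not an IP) and that the issuer is your CA. Two caveats a practitioner will hit: Firefox keeps its own certificate store, so the CA has to be imported there as well as into the system store; and sites that pin their certificates (or that clients verify through their own trust logic, as some package managers do) will still fail unless they are spliced rather than bumped.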