Netgate Discussion Forum
    How to configure squid in transparent mode and avoid HSTS errors in browser?

    Cache/Proxy
    ssbarnea:

      I am trying to use squid to accelerate downloads from common locations like package/container repositories. My original attempt was to use it in non-transparent mode with a custom CA (installed on clients too) and it apparently worked ok.

      Still, after a while I faced a new issue: when defining http(s)_proxy variables, all traffic is sent to the proxy, including the local subnet. The implementation of the no_proxy variable seems to be extremely poor, so poor that even current versions of curl are not able to load a subnet from it (and lots of other clients with their own set of configurations and bugs: docker, wget, pip, easy_install, ...).

      So my next attempt was to try to use squid in transparent mode, where I can easily control which clients or servers will go through the proxy and which will not.

      That was the moment when I realised that using squid in transparent mode does not play well with HSTS-enabled websites (a permanently growing number), for example google.com and duckduckgo.com.

      As soon as I enabled the transparent proxy I got prompted by Firefox about the fact that the certificate common name did not match the address. I do mention that when using squid in non-transparent mode, this was ok.

      Considering that I already have the custom CA installed on the client, I see no reason why I shouldn't be able to make it work.

      I suspect something in the squid config is making it generate certificates that are somehow in conflict with previously known certificates of these sites.

      Is there a way to avoid this while still being able to perform MITM-acceleration?

      Did I miss something in my squid.conf? (edited only via GUI).

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.