[squid-users] a decent way to speed up Facebook?

Amos Jeffries squid3 at treenet.co.nz
Wed Sep 5 04:45:05 UTC 2018


On 5/09/18 4:44 AM, turgut kalfaoğlu wrote:
> Hello there. I have a transparent squid at my home to speed up the
> browsing by caching stuff.  And it works well for HTTP.
> 
> For HTTPS, I was only able to get it to "peek" and I'd like to be able to
> bump the connections.
> 
> I installed the server certificate on the client, but still, the browser
> (firefox) keeps complaining:
> 
> Your connection is not secure
> The owner of www.facebook.com has configured their website improperly.
> To protect your information from being stolen, Firefox has not connected
> to this website.
> This site uses HTTP Strict Transport Security (HSTS) to specify that
> Firefox may only connect to it securely. As a result, it is not possible
> to add an exception for this certificate.

Squid removes HSTS from any network traffic it handles (except splice'd
traffic). So clearing the browser info and ensuring that the other
non-HTTP protocols browsers like to use these days (e.g. QUIC, SPDY,
WebSockets, HTTP/2) are not happening should resolve this issue.

If you do not (or cannot) clear the browser info the HSTS should only
last until the TTL it last mentioned in traffic expires - but that can
be a very long timeout.


> 
> Here is what I have:
> #
> # serverIsBank is a list of domains that are banks essentially. They
> # seem more picky.
> #
> ssl_bump splice serverIsBank
> ssl_bump peek all
> # ssl_bump bump all    # this does not work, it gives the error above..

Try:

 # splice as soon as detected
 ssl_bump splice serverIsBank

 # step 1 - peek to get TLS SNI
 acl step1 at_step SslBump1
 ssl_bump peek step1

 # step 2 - stare to get server cert details for bump
 ssl_bump stare all

 # step 3 - terminate if splice failed, bump everything else
 ssl_bump terminate serverIsBank
 ssl_bump bump all


> 
> https_port 3129 intercept ssl-bump \
>         generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
>         cert=/etc/squid/ssl_cert/tk2ca.pem \
>         key=/etc/squid/ssl_cert/tk2ca.pem \

When cert= and key= are in the same file you do not need to specify key=.


>        sslflags=NO_SESSION_REUSE
> tls_outgoing_options cafile=/etc/pki/tls/certs/ca-bundle.crt

That ca-bundle.crt is the global trusted CA right?

If yes, you do not need to manually configure it. The system default CA
/ global Trusted CA are used by default on MITM outgoing connections.


> sslproxy_cert_adapt setCommonName ssl::certDomainMismatch
> sslproxy_cert_error allow all

Remove the above line. It prevents you being told about important problems.

Instead investigate errors that come up, and either fix or ignore on an
individual basis. Some errors are simple and easily avoided, others
depend on your policy about whether the client should be allowed to do
the operation.


HTH
Amos
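
An added example, not part of the reply above and not Squid project code: a small Python lint that flags two of the settings the reply calls out, a blanket `sslproxy_cert_error allow all` and a `key=` that repeats `cert=` on an `https_port` line. The sample config is constructed from the directives quoted in the thread; the function names and finding codes are hypothetical.

```python
# Added example: lint a squid.conf for two settings flagged in the reply.
# Function names and finding codes are hypothetical, not Squid tooling.

# Constructed sample, modelled on the directives quoted in the thread.
SAMPLE_CONF = r"""
# serverIsBank is a list of bank domains
ssl_bump splice serverIsBank
https_port 3129 intercept ssl-bump \
        generate-host-certificates=on \
        cert=/etc/squid/ssl_cert/tk2ca.pem \
        key=/etc/squid/ssl_cert/tk2ca.pem
sslproxy_cert_adapt setCommonName ssl::certDomainMismatch
sslproxy_cert_error allow all
"""

def logical_lines(text):
    """Yield (first_line_no, tokens) per directive, joining '\\' continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        line = (buf + raw).strip()
        buf, start_no, start = "", start, None
        if line and not line.startswith("#"):
            yield start_no, line.split()

def audit(text):
    """Return [(line_no, code, message)] for the risky or redundant settings."""
    findings = []
    for no, (name, *args) in logical_lines(text):
        if name == "sslproxy_cert_error" and args == ["allow", "all"]:
            findings.append((no, "cert-error-allow-all",
                             "every upstream certificate error is ignored"))
        elif name == "https_port":
            opts = dict(a.split("=", 1) for a in args if "=" in a)
            if "key" in opts and opts["key"] == opts.get("cert"):
                findings.append((no, "redundant-key",
                                 "key= repeats cert=; key= can be dropped"))
    return findings

if __name__ == "__main__":
    for no, code, msg in audit(SAMPLE_CONF):
        print(f"line {no}: {code}: {msg}")
```

Findings are reported against the first physical line of each directive, so a multi-line `https_port` entry is attributed to the line where it starts.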

