[squid-users] Cannot configure squid 4.6 to splice without bumping

John Lowry jlowry at gmail.com
Tue Nov 5 06:26:11 UTC 2019


I've been banging my head on this one for a while. I am setting up parental
controls on my network using squidGuard. I have a Raspberry Pi running
Squid 4.6 and the router has a policy that sends all web traffic from my
children's computers to Squid.

Everything works correctly for HTTP connections but I cannot get HTTPS to
stop bumping. I want to splice all HTTPS connections in order to filter
with squidGuard but I do not want to ever bump (because it causes browser
errors in Chrome for a lot of sites).

I've tried many, many different settings and I always get traffic bumped.
Here is an example:

http_port 3128 intercept

https_port 3129 intercept tls-cert=/etc/squid/ssl_cert/myCA.pem tls-key=/etc/squid/ssl_cert/myCA.pem

...

ssl_bump peek step1

ssl_bump peek step2

ssl_bump splice step2

I've tried setting debug_options to 9 but cannot see anything useful in the
logs to indicate why it is not splicing. I always just see the full set of
request headers in the logs for HTTPS connections, indicating that the
connection is bumped.

One thing I did notice is that the ssl logformat options do not work. I get
errors like this on restart:

FATAL: Can't parse configuration token: '%ssl::>sni'