[squid-users] seeking assistance for home users wanting to cache https contents

Amos Jeffries squid3 at treenet.co.nz
Mon Aug 31 11:04:03 UTC 2020


On 31/08/20 7:51 am, Michael Davis wrote:
> okay, so I'm working on making a public github repository for others
> like me out there that are having such a hard time with this, given the
> state of the web being almost completely run via SSL websites, who want
> to use squid for bandwidth easing in these times of everyone being stuck
> in home isolation, but given that this literally constitutes making what
> is by design a man in the middle attack, I am finding it more difficult
> than learning to do brain surgery (I am not a surgeon).

FYI, a github repository is not always the right answer. Everyone's needs
are slightly different, so what we have in the Squid Project is a wiki
of examples with enough explanation that people should be able to make
the small changes necessary for their needs.

 <https://wiki.squid-cache.org/ConfigExamples/>

I have updated
<https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpWithIntermediateCA>
to clarify the squid.conf port lines you need.

<https://wiki.squid-cache.org/Features/SslPeekAndSplice> documents the
ssl_bump access controls.


> 
> my goal is to set up squid so that it can properly decrypt SSL traffic
> for my own local devices, I own everything on this network, so this is
> not an ethical problem for me given I am the sole user of everything on
> my own network, and I want to PROPERLY be able to cache contents that
> are otherwise delivered by SSL (nvidia graphics driver updates,

FYI, "proper" caching has nothing to do with SSL-Bump.

Separate any changes you want in relation to caching from the SSL-Bump
changes. Test each set of changes independently to get one feature going
before you move on to the other.


> 
> I have done extensive research, and even after having another member of

Unfortunately TLS is one topic where things have been very volatile. So
the more research you do, the more you may be exposed to outdated and/or
irrelevant details that just add confusion.

If you have two confusing sources of information (including archived
mailing list replies) go with the official wiki page as authoritative.
Or ask here, that is what this mailing list is for.


> the pfsense community join my attempts at this, we both are at a loss on

FYI, pfsense should not be relevant to SSL-Bump. Like caching, the two
features can be used together, but are not directly related to each
other. So setup, test and get each working separately.


> how to correctly set up peek and splice to do the job we're after here,
> that being decrypting SSL traffic for local lans (yes we both know the
> implications, but they are in both of our cases our own property and
> networks and we are both the only people using them individually
> respectively) and yes we both have also installed our local certificate
> authority certificates on our devices to let it work properly, we just
> don't seem to understand enough on how peek and splice is supposed to
> work, to implement it properly, and thus, the guy I'm working with on
> this suggested we reach out to this mailing list and ask those here that
> understand it more than we do.
> 

So what I am understanding from your description is that you are trying to:
 A) intercept traffic with pfsense
 B) SSL-Bump the TLS which arrives at the proxy
 C) cache the decrypted HTTP messages

Is that correct?


The pfsense portion I cannot help much with right now, it has been too
long since I worked with that software.

All I can say is:

 1) the config examples we have in the wiki for setting up the
interception part should work fine, and

 2) test it *without* worrying about SSL-Bump or caching. Make sure it
works before going on to the other features, and

 3) "working" for the port 443 intercept (no bumping) can take the form
of HTTP error messages from Squid or the client rejecting TLS handshake
details from Squid. Both of these mean the traffic is reaching Squid and
the client is getting whatever Squid produces.


For SSL-Bump (once the pfsense intercept is working) you want to follow
<https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpWithIntermediateCA>
to get a successful TLS handshake happening.

You can use these bare-bones ssl_bump settings to pass the traffic
through Squid without decrypting, to start with:

  # matches while Squid is still at step 1 (only the client's ClientHello seen)
  acl step1 at_step SslBump1
  # at step 1, read the ClientHello (SNI) without altering it
  ssl_bump peek step1
  # at every later step, relay the TLS bytes unchanged (no decryption)
  ssl_bump splice all


Amos
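The staged setup described above, written out as one squid.conf fragment. This is an added worked example, not configuration from the original post or from the Squid wiki pages it links to. Stage A (intercept only), stage B (peek/splice), stage C (selective bump) and stage D (caching) are meant to be enabled one at a time and tested before the next is uncommented, which is the order Amos recommends. The file paths, port numbers, cache sizes, the `security_file_certgen` location (it differs per distribution) and the `.bank.example` exclusion domain are assumptions for illustration. The `tls-cert=` spelling is Squid 4 syntax; Squid 3.5 used `cert=`.

```conf
# ---- Stage A: interception only, no SSL-Bump, no cache tuning ----
# Explicit proxy port (normal browser/curl proxy use, also handy for testing).
http_port 3128
# Port the firewall redirects plaintext TCP/80 to.  Must be a separate port
# from the explicit one: "intercept" changes how Squid parses what arrives.
http_port 3129 intercept
# Port the firewall redirects TCP/443 to.  Without ssl-bump Squid cannot talk
# TLS here, so at this stage clients get an HTTP error or a failed handshake;
# either result proves the redirect reaches Squid.
https_port 3130 intercept ssl-bump \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB \
    tls-cert=/etc/squid/ssl_cert/myCA.pem   # assumed path; CA cert + key in one PEM

# Helper that mints per-site certificates signed by the CA above.
# Create the CA once (assumed file name, from a plain openssl run):
#   openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
#       -extensions v3_ca -keyout myCA.pem -out myCA.pem
# Initialise the certificate DB once, as the user squid runs as:
#   /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# ---- Stage B: SSL-Bump in pass-through mode (peek, then splice) ----
# at_step ACLs let a rule apply only at one point in the TLS handshake:
#   SslBump1 = TCP connection open, nothing read yet
#   SslBump2 = client ClientHello (SNI) has been read
#   SslBump3 = server certificate has been read
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Pass-through: learn the SNI at step 1, then splice everything.  Nothing is
# decrypted, but access.log now records the real server name instead of an IP.
ssl_bump peek step1
ssl_bump splice all

# ---- Stage C: decrypt (bump) everything except an exclusion list ----
# Replace the two Stage B ssl_bump lines with these once Stage B is stable.
# ssl::server_name matches the SNI learned by the step-1 peek.
#acl nobump ssl::server_name .bank.example   # assumed example domain
#ssl_bump peek step1
#ssl_bump splice nobump
#ssl_bump bump all
# Note: after "peek" at step 1 Squid may still bump at step 2.  A "peek" at
# step 2 commits Squid to splice or terminate, so do not peek twice and then
# expect to bump.

# ---- Stage D: caching.  Independent of SSL-Bump; only decrypted (bumped)
# responses are visible to the cache, spliced ones pass through untouched.
#cache_mem 256 MB                                  # assumed size
#cache_dir ufs /var/spool/squid 20000 16 256        # assumed 20 GB on disk
#maximum_object_size 4 GB                           # large driver downloads
#maximum_object_size_in_memory 1 MB
```

To confirm which stage is actually in effect for a given site, run `openssl s_client -connect 203.0.113.10:443 -servername download.example </dev/null 2>/dev/null | openssl x509 -noout -issuer` from a client behind the redirect (addresses assumed): an issuer naming the real public CA means the connection was spliced, an issuer naming your own CA means it was bumped, and a handshake failure or Squid HTML error page at Stage A means the redirect works and it is time to move on to Stage B.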

