[squid-users] WCCP and SSL-Bump with Squid 3.5 — HTTPS traffic not reaching Squid
MAB IT System
mab_itsystem at machaero.com
Tue Jul 22 12:48:09 UTC 2025
Hello everyone,
I am currently deploying Squid 3.5.12 on Ubuntu Xenial for URL filtering
over multiple VLANs using WCCP.
*Context:*
- HTTP traffic is successfully redirected from my Cisco router to Squid via WCCP (Service 0).
- HTTPS traffic is redirected via WCCP (Service 70), the GRE tunnel works, and redirection appears fine on the router side.
- On my Squid box, iptables properly redirects:
  - TCP 80 → 3127 (intercept)
  - TCP 443 → 3128 (ssl-bump)
- My Squid config listens properly on 3127 and 3128 with ssl-bump.
*Problem:*
- HTTP filtering works perfectly via WCCP.
- HTTPS connections show *no traffic hitting Squid's 3128 port* (confirmed via access.log and ss -tulnp).
- Yet WCCP router counters show packets being redirected for HTTPS.
- If I manually configure the proxy on a browser, both HTTP and HTTPS are filtered correctly.
- If I disable ssl-bump and WCCP for HTTPS, normal navigation resumes.
*iptables NAT rules:*
REDIRECT tcp -- gre1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 3127
REDIRECT tcp -- gre1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports 3128
Squid config (extract):
http_port 3127 intercept
http_port 3128 ssl-bump cert=/etc/squid/ssl_sert/myCA.pem key=/etc/squid/ssl_sert/ca-key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
*Questions:*
1. Why does HTTPS via WCCP not reach Squid 3128 (ssl-bump) while HTTP works fine?
2. Is my WCCP setup wrong for HTTPS? I use service ID 70 with destination port 443.
3. Could the lack of DNS resolution or browser certificate trust cause the traffic not to appear at all in Squid logs?
4. Am I missing something obvious between the router WCCP and Squid’s ssl-bump setup?
Thank you in advance for any suggestions or troubleshooting steps.
Best regards,
Assoham
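The following is an added diagnostic, not part of the original post or of the Squid project. It cross-checks each iptables REDIRECT rule against the mode flags of the Squid port it sends traffic to. Squid only treats a listening port as receiving NAT-redirected connections when that port carries the `intercept` (or `tproxy`) flag; a port with `ssl-bump` alone is a forward-proxy port that expects a CONNECT request, and in Squid's documented layout intercepted port-443 traffic goes to an `https_port ... intercept ssl-bump` listener. The NAT rules below are the post's two REDIRECTs re-expressed in `iptables-save` syntax, the squid.conf extract is the post's with its wrapped line joined, and the "fixed" variant is an assumed corrected form used only to show the contrast; none of it is a capture from the poster's machine.

```shell
#!/usr/bin/env bash
# Added example: map REDIRECT target ports to Squid listeners and flag
# listeners that lack an interception mode. All inputs are constructed.

# Constructed NAT rules (the post's two REDIRECTs in iptables-save syntax).
NAT_RULES='-A PREROUTING -i gre1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3127
-A PREROUTING -i gre1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128'

# Constructed squid.conf extract as posted (wrapped line joined).
SQUID_CONF='http_port 3127 intercept
http_port 3128 ssl-bump cert=/etc/squid/ssl_sert/myCA.pem key=/etc/squid/ssl_sert/ca-key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB'

# Assumed corrected form for comparison: an intercept-mode https_port for 443.
FIXED_CONF='http_port 3127 intercept
https_port 3128 intercept ssl-bump cert=/etc/squid/ssl_sert/myCA.pem key=/etc/squid/ssl_sert/ca-key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB'

# redirect_map RULES: prints "dport redir_port" for every REDIRECT rule.
redirect_map() {
  printf '%s\n' "$1" | awk '
    /-j REDIRECT/ {
      dport = ""; to = "";
      for (i = 1; i <= NF; i++) {
        if ($i == "--dport")    dport = $(i + 1);
        if ($i == "--to-ports") to    = $(i + 1);
      }
      if (dport != "" && to != "") print dport, to;
    }'
}

# port_line CONF PORT: prints the http_port/https_port line bound to PORT
# (an optional "addr:" prefix is stripped); prints nothing if none.
port_line() {
  printf '%s\n' "$1" | awk -v port="$2" '
    ($1 == "http_port" || $1 == "https_port") {
      p = $2; sub(/^.*:/, "", p);
      if (p == port) { print; exit }
    }'
}

# check_redirects RULES CONF: one verdict per REDIRECT rule.
#   OK          listener has intercept/tproxy (and is https_port + ssl-bump for 443)
#   NOLISTEN    no http_port/https_port on the target port
#   NOINTERCEPT listener has no intercept/tproxy flag, so NAT-redirected
#               connections arrive on a forward-proxy port (for 443 the first
#               bytes are a TLS ClientHello, not a CONNECT request)
#   NOTHTTPS    port 443 redirected to a listener that is not https_port ... ssl-bump
check_redirects() {
  local rules="$1" conf="$2" dport to line
  redirect_map "$rules" | while read -r dport to; do
    line=$(port_line "$conf" "$to")
    if [ -z "$line" ]; then
      echo "$dport->$to NOLISTEN"; continue
    fi
    case " $line " in
      *" intercept "*|*" tproxy "*) ;;
      *) echo "$dport->$to NOINTERCEPT"; continue ;;
    esac
    if [ "$dport" = 443 ]; then
      case "$line" in
        https_port*" ssl-bump"*) ;;
        *) echo "$dport->$to NOTHTTPS"; continue ;;
      esac
    fi
    echo "$dport->$to OK"
  done
}

echo "posted config:"; check_redirects "$NAT_RULES" "$SQUID_CONF"
echo "corrected config:"; check_redirects "$NAT_RULES" "$FIXED_CONF"
```

On a live box the same functions can be fed `iptables-save -t nat` and the real squid.conf. A NOINTERCEPT verdict on the 443 rule is consistent with the symptom in the post (router counters increment, nothing in access.log), because a forward-proxy port cannot produce an access.log entry for a connection whose first bytes are not an HTTP request; the place to look for evidence of such connections is cache.log, not access.log.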