Jeremy Davis

This isn't a direct answer to your question as I'm just using squid as a local caching proxy. Regardless, I've posted here as your question was the closest to what I needed, and now that I've worked it out, I wanted to share.

In Debian 11/Bullseye the package that you want to install is squid-openssl (Squid v4.x compiled --with-openssl).

apt install -y squid-openssl

Then set up the (self-signed) trusted CA cert:

CERT_D=/etc/squid/cert
CERT=$CERT_D/squid_proxyCA.pem
rm -rf $CERT
mkdir -p $CERT_D
# Generate local self-signed CA certificate/key (in the same file)
openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -keyout $CERT -out $CERT
# Only the squid user (proxy) may read this file: whoever can read the CA key can issue certs that every local client trusts
chown -R proxy:proxy $CERT_D
chmod 0400 $CERT

# add squid_proxyCA cert to system so it's trusted by default
CA_CERT_D=/usr/local/share/ca-certificates
# NB: this wipes any other locally added CA certs from the system store
rm -rf $CA_CERT_D/*
mkdir -p $CA_CERT_D
# Extract only the certificate (not the private key) into the system CA directory
openssl x509 -inform PEM -in $CERT -out $CA_CERT_D/squid_proxyCA.crt
update-ca-certificates

Configure squid to generate certs on the fly:

/usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB
chown -R proxy:proxy /var/spool/squid

Then this is my /etc/squid/squid.conf (note it's pretty minimalist and only accepts connections from localhost and only listens on IPv4):

acl SSL_ports port 443

acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports

acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access allow purge localhost
http_access deny purge

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost
http_access deny all

http_port 127.0.0.1:3128 ssl-bump cert=/etc/squid/cert/squid_proxyCA.pem generate-host-certificates=on options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,SINGLE_DH_USE,SINGLE_ECDH_USE
ssl_bump bump all

coredump_dir /var/spool/squid
logfile_rotate 0

refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .       0   20% 4320

cache_dir ufs /var/spool/squid 200 16 256

Finally, restart squid:

systemctl reload squid

One other thing worth mentioning is that the proxy URL of http://127.0.0.1:3128 should be used for both the http_proxy and the https_proxy (note the http - no s; even when used as an https proxy). If/when used with https, Squid will upgrade the connection to use TLS/SSL.

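Once the proxy is up, here is a small check script (added here, not part of the answer above) that confirms two things a local interception proxy should get right: that the CA key can only be read by the proxy user, and that the certificate a client actually receives through 127.0.0.1:3128 is signed by your squid_proxyCA rather than by something else. It assumes the Debian paths from the answer and OpenSSL 1.1.0 or newer (for `s_client -proxy`); the host name you pass to it is your own choice.

```shell
#!/bin/sh
# Added verification helpers (not from the original answer). Assumes the
# Debian paths used above and OpenSSL >= 1.1.0 (for `s_client -proxy`).
PROXY=${PROXY:-127.0.0.1:3128}
CA_PEM=${CA_PEM:-/etc/squid/cert/squid_proxyCA.pem}

# 0 if FILE is mode 0400 and owned by OWNER (default: proxy). Whoever can read
# this key can mint a certificate for any site that every local client trusts.
ca_key_locked_down() {
    file=$1; owner=${2:-proxy}
    perms=$(stat -c '%a %U' "$file" 2>/dev/null) || return 1
    [ "$perms" = "400 $owner" ]
}

# 0 if LEAF_PEM names CA_PEM's subject as its issuer and its signature
# verifies against that CA (CA_PEM may also contain the key; it is skipped).
issued_by_ca() {
    leaf=$1; ca=$2
    issuer=$(openssl x509 -in "$leaf" -noout -issuer 2>/dev/null | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$ca" -noout -subject 2>/dev/null | sed 's/^subject=//')
    [ -n "$issuer" ] && [ "$issuer" = "$subject" ] &&
        openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1
}

# Prints the certificate the proxy presents for HOST after a client CONNECT,
# i.e. what curl/browsers see with https_proxy pointed at Squid.
bumped_cert_for() {
    host=$1
    openssl s_client -proxy "$PROXY" -connect "$host:443" -servername "$host" \
        </dev/null 2>/dev/null | openssl x509
}

# Usage: verify_bump example.org
verify_bump() {
    tmp=$(mktemp) || return 1
    ca_key_locked_down "$CA_PEM" || { echo "CA key is readable by others"; rm -f "$tmp"; return 1; }
    bumped_cert_for "$1" >"$tmp" || { echo "no certificate via $PROXY"; rm -f "$tmp"; return 1; }
    if issued_by_ca "$tmp" "$CA_PEM"; then
        echo "ssl-bump OK: $1 is served by the local squid_proxyCA"; rm -f "$tmp"
    else
        echo "$1 is NOT issued by the local CA: check http_port cert= in squid.conf"
        rm -f "$tmp"; return 1
    fi
}
```

If the last check fails while the proxy is clearly answering, the usual cause is a mismatch between the `cert=` path in `http_port` and the file you actually installed into the system store.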