TLS is a security protocol explicitly intended to make secure communication possible and prevent undetected third-party (such as Squid) interception of the traffic.
Even incorrectly used TLS usually makes it possible for at least one end of the communication channel to detect the proxy's existence.
Squid SSL-Bump is intentionally implemented in a way that allows that detection without breaking TLS.
Your clients will be capable of identifying that the proxy exists.
If you are looking for a way to do it in complete secrecy, don't use Squid.
The client devices also need to be configured to trust the CA certificate when validating the Squid generated certificates.
For all practical purposes, this certificate becomes a Root certificate and you become a Root CA.
If your certificate is compromised, any user trusting (knowingly or otherwise) your Root certificate may not be able to detect man-in-the-middle attacks orchestrated by others.
Create a directory to store the certificate (the exact location is not important): `cd /etc/squid`
Unfortunately, it is apparently a common practice among well-known Root CAs to issue subordinate root certificates.
If you have obtained such a subordinate root certificate from a Root CA already trusted by your users, you do not need to import your certificate into browsers.
However, going down this path may result in removal of the well-known Root CA certificate from browsers around the world.
Such a removal will make your local SslBump-based infrastructure inoperable until you import your certificate, but that may only be the beginning of your troubles.
Will the affected Root CA go after you to recoup their world-wide damages? What will your users do when they learn that you have been decrypting their traffic without their consent?
This is done with the following directive.
Squid-3.5 and older: `sslproxy_cafile /usr/local/openssl/cabundle.file`
Squid-4 and newer: `tls_outgoing_options cafile=/usr/local/openssl/cabundle.file`
Note: OpenSSL's CA bundle is derived from Mozilla's bundle and is NOT COMPLETE.
Specifically, most intermediate certificates are not included (see below).
Also beware that when you use OpenSSL you need to run the `c_rehash` utility before Squid can use the added certificates.
For Squid-3.5 the `sslproxy_foreign_intermediate_certs` directive can be used to load intermediate CA certificates from a file: `sslproxy_foreign_intermediate_certs /etc/squid/extra-intermediate-CA.pem`
Older versions of Squid cannot handle intermediate CA certificates very well.
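Two of the failure modes above (an incomplete or truncated CA bundle, and a CA directory that was never run through c_rehash) are easy to check before restarting Squid. The following script is an added example, not part of the Squid documentation; the paths are assumptions and the certificate-directory check needs the `openssl` CLI.

```shell
#!/bin/sh
# Added example (not Squid's own tooling): sanity checks for the CA material
# Squid loads via sslproxy_cafile / tls_outgoing_options cafile= and
# sslproxy_foreign_intermediate_certs.
# Usage with assumed paths:
#   count_certs /usr/local/openssl/cabundle.file
#   missing_rehash_links /etc/squid/ca-dir

# Number of PEM certificate blocks in a bundle. A suspiciously low count is
# the usual sign of a bundle (like OpenSSL's) that lacks intermediates.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# A bundle whose BEGIN/END markers do not pair up is truncated or was
# concatenated badly; OpenSSL stops loading at the broken block.
bundle_is_well_formed() {
    b=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
    e=$(grep -c '^-----END CERTIFICATE-----' "$1" || true)
    [ "$b" -gt 0 ] && [ "$b" -eq "$e" ]
}

# For a directory of CA files (one certificate per .pem), print how many
# certificates lack the <subject_hash>.N symlink that c_rehash creates.
# OpenSSL looks CA certificates up by that hash, so a certificate without
# a link is invisible to Squid even though the file is present.
missing_rehash_links() {
    dir=$1
    missing=0
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        h=$(openssl x509 -noout -subject_hash -in "$pem" 2>/dev/null) || {
            echo "$pem: not a parseable X.509 certificate" >&2
            missing=$((missing + 1))
            continue
        }
        if ! ls "$dir/$h".[0-9]* >/dev/null 2>&1; then
            echo "$pem: no c_rehash link (expected $dir/$h.0); run: c_rehash $dir" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}
```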
The low-privilege squid account needs permission to both read and write the certificate database directory (`/var/lib/ssl_db` in the command below).
Squid-3.5: `/usr/local/squid/libexec/ssl_crtd -c -s /var/lib/ssl_db -M 4MB`