Hi,

I am writing an ICAP application to do HTTPS intercept for a local application. I have used Squid 3.4.2 and set up ssl_bump as follows:

==========================================================================
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid3/ssl_cert/myCA.pem
always_direct allow all
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable off
# icap_preview_size 1024
icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1345/outbound
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1345/inbound
adaptation_access service_resp allow all
===========================================================================

It's all working and I can see the unencrypted body of pages such as https://news.google.com in the ICAP application.

However, some of the news story thumbnails are failing to load, as they are being loaded off another HTTPS server, e.g.

https://lh3.googleusercontent.com/-TrtEHOgcMFE/AAAAAAAAAAI/AAAAAAAAAAA/K547x_dy1bY/s32/photo.jpg

Other URLs load OK coming off various servers, e.g.

https://t2.gstatic.com/images?q=tbn:ANd9GcQEUL_w18SM0m00j_JjU0KhoxaQ0MmrovPPV8-w_RclRK6RslWtD6ZUOmTfkOVu6dTnjbAUbeQ

I am guessing that Squid would have to manage a large list of server certs just to load this page and there is some limit I need to set higher? Not sure.

Don't worry about the HTTPS intercept, I am just trying to add phrase filtering to a proxy so I can lock down the kids' PC at home better; this is nothing nasty.
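
An added example, not part of the original post and not the poster's application: a sketch of the phrase check an ICAP service behind the respmod_precache rule above would run on each bumped response, including the gzip case where a plain substring search would miss the phrase. The function names, the user name "kid" and the sample message are constructed for illustration.

```python
import gzip
import re

def parse_icap(raw):
    """Split a raw ICAP request into (method, ICAP headers, encapsulated sections)."""
    head, _, encap = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in lines[1:])}
    # Encapsulated offsets count from the first byte after the ICAP headers.
    parts = [(n, int(o)) for n, o in
             re.findall(r"([\w-]+)=(\d+)", headers.get("encapsulated", ""))]
    sections = {}
    for i, (name, start) in enumerate(parts):
        end = parts[i + 1][1] if i + 1 < len(parts) else len(encap)
        sections[name] = encap[start:end]
    return lines[0].split()[0], headers, sections

def dechunk(data):
    """Decode a chunked encapsulated body, rejecting truncated input."""
    out, pos = bytearray(), 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk header")
        size = int(data[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        if size == 0:
            return bytes(out)
        if eol + 2 + size > len(data):
            raise ValueError("truncated chunk")
        out += data[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2  # skip the CRLF that ends the chunk

def verdict(raw, phrases):
    """Return 'block' if a phrase is in the decoded HTTP body; null-body gives 'allow'."""
    method, _, sections = parse_icap(raw)
    body = sections.get("res-body" if method == "RESPMOD" else "req-body", b"0\r\n\r\n")
    payload = dechunk(body)
    if b"content-encoding: gzip" in sections.get("res-hdr", b"").lower():
        payload = gzip.decompress(payload)  # compressed pages hide phrases otherwise
    return "block" if any(p.lower() in payload.lower() for p in phrases) else "allow"

def sample_respmod(page, compress=False):  # constructed message, not captured traffic
    body = gzip.compress(page) if compress else page
    req = b"GET / HTTP/1.1\r\nHost: news.google.com\r\n\r\n"
    res = b"HTTP/1.1 200 OK\r\n" + (b"Content-Encoding: gzip\r\n" if compress else b"") + b"\r\n"
    icap = ("RESPMOD icap://127.0.0.1:1345/inbound ICAP/1.0\r\n"
            "Host: 127.0.0.1:1345\r\nX-Authenticated-User: kid\r\n"
            f"Encapsulated: req-hdr=0, res-hdr={len(req)}, res-body={len(req) + len(res)}\r\n\r\n")
    return icap.encode() + req + res + b"%x\r\n" % len(body) + body + b"\r\n0\r\n\r\n"
```

With icap_preview_enable off, as in the configuration above, the service receives the whole body in one message, so no preview or 100 Continue handling is needed before scanning.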