Hi, I have been attempting to configure SSL bumping with Squid v3.3.8. I have a well-configured Squid proxy for HTTP and HTTP intercept proxying. I am now trying to expand the configuration to bump SSL connections. I believe I have the basics of the configuration correct for both direct HTTPS proxying as well as intercepted HTTPS, but am having a few issues that I would appreciate some input on. Specifically:

a. HTTPS page rendering: Some HTTPS pages load fine. However, I have found that if I try to log in to online banking or other secure pages, either (1) the page does not render properly (I get flat, unorganized text) or (2) the page simply does not load. With respect to the latter, some pages simply bring me right back to the login page; there seems to be some kind of behind-the-scenes redirection that is being rejected and preventing logging in. What recommendations might anyone have to tweak my configuration to address these issues?

b. HTTP Strict Transport Security (HSTS): Some pages flat-out reject any SSL bumping due to HSTS. I am using Chrome, which I'm sure aggravates the issue. Is there a way to configure Squid to get around HSTS? (Yes, I know this may be a dumb question given how HSTS works, but I would appreciate any insight.)

Fundamentally, my intent is to set up Squid for home use to block advertising and malware and, in particular, to perform content adaptation. One of my specific goals is to modify search URL paths to restrict explicit search results (e.g. affixing "&safe=active" to any Google search path). I have additionally configured ICAP with SquidClamav, multiple ACLs for blocking ads and malware, and SquidGuard for additional domain and URL blocking. SquidGuard is also successfully manipulating *unencrypted* Google, Yahoo, and Bing URL paths to insert parameters that suppress explicit search results.
(I should note that when I tested out SSL bumping, I disabled ICAP, SquidGuard, and the ACLs for blocking ads and malware; the issues described above persisted.)

Below is my squid.conf file to help out. Thanks in advance,

Dave

#########BEGIN FILE#############
hosts_file /etc/hosts
visible_hostname proxyserver
shutdown_lifetime 5 seconds
coredump_dir /tmp
dns_nameservers 192.168.1.1 208.67.222.222 208.67.220.220
half_closed_clients off
negative_ttl 0
negative_dns_ttl 2 minutes

# Listening ports: explicit proxy (3128), intercepted HTTP (3129),
# intercepted HTTPS (3130). The ssl-bump ports mint per-host certificates
# signed by cert.crt, which every client must trust as a CA.
http_port 127.0.0.1:3128
http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/certs/cert.crt key=/etc/squid3/certs/cert.key
http_port 192.168.1.1:3129 intercept
https_port 192.168.1.1:3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/certs/cert.crt key=/etc/squid3/certs/cert.key
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /disk/dyn-certs/sslcrtd_db -M 4MB
sslcrtd_children 5

udp_incoming_address 192.168.1.1
pinger_enable off
forwarded_for delete
via off

memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
maximum_object_size_in_memory 1 MB
minimum_object_size 0 KB
maximum_object_size 64 MB
memory_pools off
cache_mem 256 MB
cache_dir aufs /disk/squid-cache 25000 32 512
cache_swap_low 95
cache_swap_high 97
ipcache_size 10240
fqdncache_size 2048
quick_abort_min 0 KB
quick_abort_max 0 KB
max_filedescriptors 4096
read_ahead_gap 512 KB
client_lifetime 6 hours
connect_timeout 10 seconds

log_icp_queries off
buffered_logs on
debug_options ALL,1
logformat squid %tg %6tr %>A %Ss/%03>Hs UA=%{User-Agent}>h XFF=%{X-Forwarded-For}>h CKE=- %rm %ru %un %Sh/%<A %mt BYTES=%<st
access_log stdio:/var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
cache_store_log none #/var/log/squid/store.log

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service sqclamav_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access sqclamav_req allow all
icap_service sqclamav_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access sqclamav_resp allow all

refresh_pattern -i \.(gif|png|jpg|jpeg|ico|bmp)$ 10080 90% 43200 override-expire ignore-no-store ignore-private
refresh_pattern -i \.(iso|avi|wav|mp3|m3u|mp4|mpeg|swf|flv|x-flv)$ 43200 90% 259200 override-expire ignore-no-store ignore-no-cache ignore-private
refresh_pattern -i \.(deb|rpm|exe|zip|tar|tgz|ram|rar|bin|ppt|pptx|doc|docx|xls|xlsx|tiff)$ 10080 90% 43200 override-expire ignore-no-store ignore-private
refresh_pattern -i \.index.(html|htm)$ 0 40% 10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
refresh_pattern -i exe$ 0 50% 259200
refresh_pattern -i zip$ 0 50% 259200
refresh_pattern -i tar\.gz$ 0 50% 259200
refresh_pattern -i tgz$ 0 50% 259200
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (\.cgi$|/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

acl SSL_ports port 443 21 563 445 1494 2598 5006
acl Safe_ports port 21 80 443 563 70 210 280 488 591 777 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
acl FTP proto FTP
acl lan src 192.168.1.0/24
acl vpn src 192.168.12.0/24
acl to_lan dst 192.168.1.0/24
acl to_vpn dst 192.168.12.0/24
acl malware_stinks dstdomain "/disk/squidguard/blacklist_acls/suspiciousdomains_Medium.txt"
acl ad_regex url_regex -i "/disk/squidguard/blacklist_acls/ad_block_easylist.txt"
acl privacy_regex url_regex -i "/disk/squidguard/blacklist_acls/privacy_easylist.txt"
deny_info http://www.lan/malware.html malware_stinks
deny_info http://www.lan/adregex.html ad_regex
deny_info http://www.lan/privacy.html privacy_regex

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny malware_stinks
http_access deny ad_regex
http_access deny privacy_regex
http_access allow localhost manager
http_access deny manager
http_access allow localhost purge
http_access deny purge
http_access allow FTP localhost
http_access allow FTP lan
http_access allow FTP vpn
http_access allow lan
http_access allow to_lan
http_access allow vpn
http_access allow localhost
http_access deny all
http_reply_access allow all

icp_access allow lan
icp_access allow vpn
icp_access deny all
snmp_access allow lan
snmp_access allow vpn
snmp_access deny all
htcp_access allow lan
htcp_access allow vpn
htcp_access deny all
always_direct allow lan
always_direct allow vpn

ssl_bump none localhost
ssl_bump server-first lan
ssl_bump server-first vpn
# Note: the next two lines together disable upstream certificate
# verification. The proxy will accept any server certificate (expired,
# self-signed, or forged) and still hand the client a certificate signed by
# the trusted bump CA, so clients lose the ability to detect a bad origin.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

# request_header_replace values are only used for headers that a
# request_header_access rule below denies; allowed headers pass unchanged.
request_header_replace Accept */*
request_header_replace Accept-Encoding gzip
request_header_replace Accept-Language en
request_header_replace From
request_header_replace Referer
request_header_replace Cookie
request_header_replace Cookie2
request_header_add DNT 1
request_header_access Allow allow all
request_header_access Authorization allow all
# corresponds to above replace acl
request_header_access From deny !to_lan
# corresponds to above replace acl
request_header_access Referer deny !to_lan
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
# corresponds to above replace acl
request_header_access Accept deny !to_lan
request_header_access Accept-Charset deny !to_lan
# corresponds to above replace acl
request_header_access Accept-Encoding deny !to_lan
# corresponds to above replace acl
request_header_access Accept-Language deny !to_lan
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Other allow all
request_header_access Cookie allow all
request_header_access Cookie2 allow all
# Corresponds to DNT header add/replace above
request_header_access DNT deny all
# 'Other' (allowed above) matches unknown/custom header names; 'All' is the
# fallback for every known header with no rule of its own, so any known
# request header not listed above is stripped on requests leaving the LAN.
request_header_access All deny !to_lan

reply_header_access Allow allow all
reply_header_access Authorization allow all
reply_header_access Proxy-Authorization allow all
reply_header_access Proxy-Authenticate allow all
reply_header_access Content-Encoding allow all
reply_header_access Content-Length allow all
reply_header_access Content-Type allow all
reply_header_access Date allow all
reply_header_access Expires allow all
reply_header_access Host allow all
reply_header_access If-Modified-Since allow all
reply_header_access Last-Modified allow all
reply_header_access Location allow all
reply_header_access Pragma allow all
reply_header_access Accept allow all
reply_header_access Accept-Charset allow all
reply_header_access Accept-Encoding allow all
reply_header_access Accept-Language allow all
reply_header_access Content-Language allow all
reply_header_access Mime-Version allow all
reply_header_access Retry-After allow all
reply_header_access Title allow all
reply_header_access Connection allow all
reply_header_access User-Agent allow all
reply_header_access Other allow all
reply_header_access Set-Cookie allow all
reply_header_access Set-Cookie2 allow all
reply_header_access Transfer-Encoding allow all
reply_header_access Strict-Transport-Security allow all
reply_header_access DNT allow all
reply_header_access WWW-Authenticate deny !to_lan
reply_header_access Server deny !to_lan
reply_header_access Link deny !to_lan
# Same wildcard semantics as on the request side: known reply headers not
# listed above are stripped from responses coming from off-LAN servers.
reply_header_access All deny !to_lan

## SquidGuard
# This sets up 10 SquidGuard programs; 5 ready-to-go; 10 idled-and-prepped-to-go;
# and threading for a total of 15 SquidGuard handlers available to tackle blocking
# Note *do not* use the concurrency option; it crashes SquidGuard
url_rewrite_program /usr/bin/squidGuard -c /etc/squid3/squidGuard.conf
url_rewrite_children 15 startup=5 idle=10
url_rewrite_bypass off
url_rewrite_access allow all
##########END FILE################
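The header-rewriting section of a config like the one above can be checked offline before pointing a browser at the proxy. What follows is an added example, not code from the post or from the Squid project: a small Python model of how Squid 3.3 chooses the rule list for each request header (a header-specific `request_header_access` list first, then `Other` for unknown header names, then `All`), evaluates it with the documented access-list semantics (first rule whose ACL terms all match wins; if none matches, the implicit answer is the opposite of the last rule), and applies a `request_header_replace` value to denied headers. It generalizes beyond the posted config: any set of `dst` ACLs and header rules can be pasted into `CONFIG`. Assumptions are labelled in the code: `KNOWN_HEADERS` is an abridged subset of the names Squid registers as known, only `dst` ACLs and `all` are modelled, `request_header_add` is not modelled, and the login request is constructed.

```python
"""Evaluate Squid request_header_access / request_header_replace rules.

Added example (not from the post): a simplified model of how Squid picks the
rule list for each request header and what survives to the origin server.
"""
import ipaddress

# Assumption: abridged subset of the header names Squid 3.3 registers as known.
# Anything not listed here is treated as an unknown ("Other") header.
KNOWN_HEADERS = {
    "accept", "accept-charset", "accept-encoding", "accept-language",
    "authorization", "cache-control", "connection", "content-length",
    "content-type", "cookie", "from", "host", "if-modified-since",
    "if-none-match", "origin", "pragma", "range", "referer", "user-agent",
}

# Constructed fragment: the request-side rules from the posted squid.conf.
CONFIG = """
acl to_lan dst 192.168.1.0/24
request_header_replace Accept */*
request_header_replace Accept-Encoding gzip
request_header_replace Accept-Language en
request_header_replace Referer
request_header_access From deny !to_lan
request_header_access Referer deny !to_lan
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Host allow all
request_header_access Accept deny !to_lan
request_header_access Accept-Encoding deny !to_lan
request_header_access Accept-Language deny !to_lan
request_header_access Connection allow all
request_header_access User-Agent allow all
request_header_access Other allow all
request_header_access Cookie allow all
request_header_access DNT deny all
request_header_access All deny !to_lan
"""


def parse_config(text):
    """Return (acls, rules, replacements); only 'dst' ACLs and 'all' are modelled."""
    acls = {"all": lambda dst: True}
    rules, replacements = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "acl" and len(parts) > 3 and parts[2] == "dst":
            net = ipaddress.ip_network(parts[3])
            acls[parts[1]] = lambda dst, net=net: ipaddress.ip_address(dst) in net
        elif parts[0] == "request_header_access":
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[3:]]
            rules.setdefault(parts[1].lower(), []).append((parts[2], terms))
        elif parts[0] == "request_header_replace":
            replacements[parts[1].lower()] = " ".join(parts[2:])  # may be empty
    return acls, rules, replacements


def evaluate(rule_list, acls, dst):
    """Squid access-list semantics: the first rule whose ACL terms all match
    wins; if none matches, the implicit answer is the opposite of the last rule."""
    for action, terms in rule_list:
        if all(acls[name](dst) != negated for negated, name in terms):
            return action == "allow"
    return rule_list[-1][0] != "allow"


def rules_for(header, rules):
    """A header-specific list wins; unknown names fall back to 'Other',
    everything else to 'All'."""
    name = header.lower()
    if name in rules:
        return rules[name]
    if name not in KNOWN_HEADERS and "other" in rules:
        return rules["other"]
    return rules.get("all")


def mangle_request(headers, dst, config=CONFIG):
    """Apply the rules to one request: denied headers get the configured
    replacement value if there is one, otherwise they are dropped."""
    acls, rules, replacements = parse_config(config)
    out = {}
    for name, value in headers.items():
        rule_list = rules_for(name, rules)
        if rule_list is None or evaluate(rule_list, acls, dst):
            out[name] = value
        elif name.lower() in replacements:
            out[name] = replacements[name.lower()]
    return out


def audit(headers, dst, config=CONFIG):
    """Return (mangled headers, names dropped, names whose value changed)."""
    after = mangle_request(headers, dst, config)
    dropped = [h for h in headers if h not in after]
    rewritten = [h for h in headers if h in after and after[h] != headers[h]]
    return after, dropped, rewritten


# Constructed login POST, as a browser would send it through the proxy.
LOGIN_POST = {
    "Host": "bank.example", "User-Agent": "Mozilla/5.0 (constructed)",
    "Accept": "text/html,application/xhtml+xml", "Accept-Encoding": "gzip, br",
    "Accept-Language": "en-US,en;q=0.8", "Referer": "https://bank.example/login",
    "Origin": "https://bank.example", "Cookie": "session=abc123",
    "Content-Type": "application/x-www-form-urlencoded", "Content-Length": "42",
    "If-None-Match": '"etag-1"', "X-Requested-With": "XMLHttpRequest", "DNT": "1",
}

if __name__ == "__main__":
    for dst in ("203.0.113.10", "192.168.1.50"):  # off-LAN vs LAN destination
        after, dropped, rewritten = audit(LOGIN_POST, dst)
        print(dst, "dropped:", dropped, "rewritten:", rewritten)
```

Running it prints, for an off-LAN destination and for a LAN one, which headers of the constructed request the rules drop and which they rewrite. With the posted rules, the off-LAN request loses every known header that has no rule of its own (here `Origin` and `If-None-Match`) and has `Referer` replaced with an empty value, while the unknown `X-Requested-With` survives through the `Other allow all` rule; the same request to a LAN address keeps everything except `DNT`.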