For me it works with "ssl_bump peek step1", not with "ssl_bump peek all".

My working config using Squid 4.8:

---
visible_hostname squid
debug_options ALL,1
positive_dns_ttl 0
negative_dns_ttl 0
client_persistent_connections off

http_port 3128
http_port 3129 intercept

acl allowed_http_sites dstdom_regex "/etc/squid/allow_list.conf"
http_access allow allowed_http_sites

https_port 3130 intercept ssl-bump \
    tls-cert=/etc/squid/ssl/squid-ca-cert-key.pem \
    options=SINGLE_DH_USE,SINGLE_ECDH_USE,NO_SSLv2,NO_SSLv3 \
    tls-dh=/etc/squid/ssl/dhparam.pem

acl SSL_port port 443
http_access allow SSL_port

acl allowed_https_sites ssl::server_name_regex "/etc/squid/allow_list.conf"
tls_outgoing_options cafile=/etc/ssl/certs/ca-certificates.crt

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice allowed_https_sites
ssl_bump terminate all

http_access deny all

logformat general %tl %6tr %>a %Ss/%03>Hs %<st %rm %ssl::bump_mode %ru %ssl::>sni
access_log daemon:/var/log/squid/access.log general
---

One thing to note is the "positive_dns_ttl 0" and "negative_dns_ttl 0" directives; my findings are that DNS caching needs to be set to zero in cases where DNS records get changed every minute due to round-robin combined with hosting in environments where records change faster than the TTL, e.g. on AWS, where you're hitting different DNS servers, each having a different TTL. I was getting a lot of host forgery errors before setting those to 0. This is in addition to all the servers using the same DNS address.

--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
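The config above writes its access log in the custom "general" logformat and feeds the same allow-list file to both dstdom_regex and ssl::server_name_regex. As an added example (not from the post or from the Squid project), the script below parses log lines in exactly that logformat, tallies the ssl_bump decision per connection, lists the SNI values that were terminated, and flags names that were only let through by an unanchored allow-list entry. Squid's regex ACLs match anywhere in the host name, so a bare `amazonaws\.com` also matches `amazonaws.com.attacker.example`; the script approximates that with Python's `re.search` on the lowercased name, which is close to but not identical to the POSIX ERE Squid uses. The allow list, the log lines, the addresses and the status codes are constructed sample data.

```python
"""Audit a Squid access log written in the 'general' logformat from the post.

Added example, not the post's or Squid's own code. Assumes the logformat
  %tl %6tr %>a %Ss/%03>Hs %<st %rm %ssl::bump_mode %ru %ssl::>sni
and an allow list of one regex per line, as dstdom_regex and
ssl::server_name_regex read it. All sample data below is constructed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed allow list in the shape of /etc/squid/allow_list.conf.
# The first entry is unanchored and therefore also matches
# 'amazonaws.com.attacker.example'; the second entry is anchored.
ALLOW_LIST = r"""
# comments and blank lines are ignored, as in Squid ACL files
amazonaws\.com
^repo\.example\.net$
"""

# Constructed log lines (documentation address ranges; status codes
# are illustrative, not a claim about exact Squid output).
ACCESS_LOG = """\
15/Jun/2019:10:12:31 +0000    120 10.0.0.5 TCP_TUNNEL/200 5231 CONNECT splice 203.0.113.10:443 s3.amazonaws.com
15/Jun/2019:10:12:32 +0000      3 10.0.0.5 NONE/000 0 CONNECT terminate 203.0.113.20:443 example.org
15/Jun/2019:10:12:35 +0000     87 10.0.0.7 TCP_TUNNEL/200 2048 CONNECT splice 198.51.100.9:443 amazonaws.com.attacker.example
15/Jun/2019:10:12:40 +0000     12 10.0.0.8 TCP_MISS/200 910 GET - http://repo.example.net/index.html -
"""

# %tl contains a space before the timezone offset, so it is matched as two tokens.
LINE_RE = re.compile(
    r"^(?P<time>\S+ [+-]\d{4})\s+(?P<rt>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<status>[A-Z_]+)/(?P<http>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<bump_mode>\S+)\s+(?P<url>\S+)\s+(?P<sni>\S+)$"
)


def load_allow_list(text):
    """Compile allow-list entries, skipping blanks and '#' comments."""
    return [re.compile(l.strip()) for l in text.splitlines()
            if l.strip() and not l.strip().startswith("#")]


def matching_entry(name, entries):
    """First entry matching 'name' the way Squid's regex ACLs do:
    an unanchored search on the lowercased host name, or None."""
    name = name.lower()
    for entry in entries:
        if entry.search(name):
            return entry
    return None


def is_anchored(entry):
    return entry.pattern.startswith("^") and entry.pattern.endswith("$")


def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def target_name(rec):
    """Name Squid checked: the SNI for TLS, the URL host for plain HTTP."""
    if rec["sni"] != "-":
        return rec["sni"]
    if rec["url"].startswith(("http://", "https://")):
        return urlsplit(rec["url"]).hostname
    return None


def audit(log_text, allow_text):
    entries = load_allow_list(allow_text)
    by_mode, terminated, loose = Counter(), [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_mode[rec["bump_mode"]] += 1
        name = target_name(rec)
        if rec["bump_mode"] == "terminate":
            terminated.append(name)
            continue
        entry = matching_entry(name, entries) if name else None
        if entry is not None and not is_anchored(entry):
            loose.append((name, entry.pattern))
    return {"by_mode": dict(by_mode), "terminated": terminated, "loose_match": loose}


if __name__ == "__main__":
    result = audit(ACCESS_LOG, ALLOW_LIST)
    print("bump modes:", result["by_mode"])
    print("terminated SNI:", result["terminated"])
    for name, pattern in result["loose_match"]:
        print(f"allowed only by unanchored entry {pattern!r}: {name}")
```

Run against a real log, the "loose_match" list is the set of spliced names that depend on an unanchored entry; anchoring those entries (for example `(^|\.)amazonaws\.com$`) tightens both the dstdom_regex and the ssl::server_name_regex ACL at once, since they read the same file.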