Just take into account that it will not filter any https/ssl sites this way. You will need to create an acl to allow only exceptions to be spliced. Try to look at the ufdbguard manual at: https://www.urlfilterdb.com/files/downloads/ReferenceManual.pdf at section: 3.3.2Squid Example Configuration, SSL-Bump peek+splice All The Bests, Eliezer ---- Eliezer Croitoru Tech Support Mobile: +972-5-28704261 Email: mailto:ngtech1ltd@xxxxxxxxx Zoom: Coming soon From: jean francois hasson <jfhasson@xxxxxxxxxxxxxxxx> Sent: Monday, January 4, 2021 4:19 PM To: ngtech1ltd@xxxxxxxxx Cc: squid-users@xxxxxxxxxxxxxxxxxxxxx Subject: Re: Setting up a transparent http and https proxy server using squid 4.6 Hi, Doing the change below works. I can now access ebay.fr through the raspberry pi. Best regards, JF Le 04/01/2021 à 13:04, mailto:ngtech1ltd@xxxxxxxxx a écrit : Try as test to remove: ssl_bump terminate all Ie use only the next bump rules: ### START # TLS/SSL bumping definitions acl tls_s1_connect at_step SslBump1 acl tls_s2_client_hello at_step SslBump2 acl tls_s3_server_hello at_step SslBump3 ssl_bump peek tls_s1_connect ssl_bump splice all ### END The above is from an example at ufdbguard manual. Let me know if you are still having issues in full splice mode. Eliezer ---- Eliezer Croitoru Tech Support Mobile: +972-5-28704261 Email: mailto:ngtech1ltd@xxxxxxxxx Zoom: Coming soon From: jean francois hasson mailto:jfhasson@xxxxxxxxxxxxxxxx Sent: Monday, January 4, 2021 8:51 AM To: mailto:ngtech1ltd@xxxxxxxxx Cc: mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx Subject: Re: Setting up a transparent http and https proxy server using squid 4.6 Hi, Thank you for looking at my question. I dowloaded the squid 4.6 source code from http://ftp.debian.org/debian/pool/main/s/squid/ and selected squid_4.6.orig.tar.gz, squid_4.6-1+deb10u4.debian.tar.xz and squid_4.6-1+deb10u4.dsc. I modified the debian/rules file by adding to DEB_CONFIGURE_EXTRA_FLAGS the following --with-openssl, --enable-ssl and --enable-ssl-crtd. The squid -v output is : Squid Cache: Version 4.6 Service Name: squid Raspbian linux This binary uses OpenSSL 1.0.2q 20 Nov 2018. For legal restrictions on distribution see https://www.openssl.org/source/license.html configure options: '--build=arm-linux-gnueabihf' '--prefix=/usr' '--includedir=${prefix}/include' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid' '--srcdir=.' '--disable-maintainer-mode' '--disable-dependency-tracking' '--disable-silent-rules' 'BUILDCXXFLAGS=-g -O2 -fdebug-prefix-map=/home/pi/build/squid/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -latomic' 'BUILDCXX=arm-linux-gnueabihf-g++' '--with-build-environment=default' '--enable-build-info=Raspbian linux' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline' '--disable-arch-native' '--enable-async-io=8' '--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap' '--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client' '--enable-follow-x-forwarded-for' '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB' '--enable-auth-digest=file,LDAP' '--enable-auth-negotiate=kerberos,wrapper' '--enable-auth-ntlm=fake,SMB_LM' '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group' '--enable-security-cert-validators=fake' '--enable-storeid-rewrite-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi' '--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--disable-translation' '--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536' '--with-large-files' '--with-default-user=proxy' '--with-gnutls' '--with-openssl' '--enable-ssl' '--enable-ssl-crtd' '--enable-linux-netfilter' 'build_alias=arm-linux-gnueabihf' 'CC=arm-linux-gnueabihf-gcc' 'CFLAGS=-g -O2 -fdebug-prefix-map=/home/pi/build/squid/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security -Wall' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -latomic' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2' 'CXX=arm-linux-gnueabihf-g++' 'CXXFLAGS=-g -O2 -fdebug-prefix-map=/home/pi/build/squid/squid-4.6=. -fstack-protector-strong -Wformat -Werror=format-security' When I run openssl version I get 1.1.1d. I hope it helps. Best regards, JF Le 03/01/2021 à 21:55, mailto:ngtech1ltd@xxxxxxxxx a écrit : Hey, I am missing a bit of the context, like: Did you self compiled squid? Is it from the OS repository? Squid -v might help a bit to understand what you do have enabled in your Squid. Eliezer ---- Eliezer Croitoru Tech Support Mobile: +972-5-28704261 Email: mailto:ngtech1ltd@xxxxxxxxx Zoom: Coming soon From: squid-users mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx On Behalf Of jean francois hasson Sent: Thursday, December 31, 2020 11:10 AM To: mailto:squid-users@xxxxxxxxxxxxxxxxxxxxx Subject: Setting up a transparent http and https proxy server using squid 4.6 Hi, I am trying to create for my home network a transparent proxy to implement filtering rules based on website names mainly. I have been looking at using a Raspberry pi 3B+ running pi OS. I configured it to be a Wifi access point using RaspAP quick install. The Wifi network on which the filtering option is to be implemented is with IP 10.3.141.xxx. The router is at address 10.3.141.1. I have the following squid.conf file which I tried to create based on different mails, websites and blogs I read : acl SSL_ports port 443 #https acl SSL_ports port 563 # snews acl SSL_ports port 873 # rsync acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http #Le réseau local acl LocalNet src 10.3.141.0/24 acl bump_step1 at_step SslBump1 acl bump_step2 at_step SslBump2 acl bump_step3 at_step SslBump3 #Définition des autorisations http_access deny !Safe_ports #http_access deny CONNECT !SSL_ports http_access allow localhost manager http_access deny manager http_access allow localhost http_access allow LocalNet http_access deny all #Définition des ports d'écoute http_port 8080 http_port 3128 intercept https_port 3129 intercept ssl-bump \ tls-cert=/etc/squid/cert/example.crt \ tls-key=/etc/squid/cert/example.key \ generate-host-certificates=on dynamic_cert_mem_cache_size=4MB sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB sslcrtd_children 5 ssl_bump peek all acl tls_whitelist ssl::server_name .example.com ssl_bump splice tls_whitelist ssl_bump terminate all coredump_dir /var/spool/squid refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 cache_dir ufs /cache 400 16 256 cache_access_log /var/log/squid/access.log cache_effective_user proxy If I set up on a device connected to the access point a proxy manually ie 10.3.141.1 on port 8080, I can access the internet. If I put the following rules for iptables to use in files rules.v4 : *nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.3.141.1:3128 -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.3.141.1:3129 -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129 -A POSTROUTING -s 10.3.141.0/24 -o eth0 -j MASQUERADE COMMIT Now, if I remove the manual proxy configuration of the device connected to the access point, I can't connect to the internet. If I leave the manual proxy configuration it does work and there is activity logged in /var/log/squid/access.log. Please let me know what might be wrong in my configuration if possible. Best regards, JF _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users