Installing a Squid Proxy with Transparent HTTPS Filtering


In this article, we will look at how to install and configure a Squid proxy server with HTTPS filtering support on Linux (Ubuntu 20.04 in this example).

Most websites on the internet now work over HTTPS. The squid package currently shipped in the Ubuntu repositories is built without SSL (OpenSSL) support, so it cannot be used to filter HTTPS traffic. Below we look at how to build an HTTPS-enabled squid proxy server from source and configure it for site filtering.

Building a Squid Proxy Server with HTTPS Support

To enable the source-package repositories in Ubuntu, edit the file:

sudo nano /etc/apt/sources.list

Uncomment all lines starting with deb-src.


Update the list of packages and install the necessary programs:

sudo apt update
sudo apt install openssl devscripts build-essential dpkg-dev libssl-dev libsasl2-modules-gssapi-mit

Create a directory for squid sources:

sudo mkdir /home/squid
cd /home/squid

Download the squid source files:

sudo apt build-dep squid -y
sudo apt source squid
sudo chmod 777 squid_4.10-1ubuntu1.3.dsc
cd squid-4.10/

Open the debian/rules file of the source package. In the list of configure options, add the flags that make squid compile with SSL support:
--enable-ssl \
--enable-ssl-crtd \
--with-openssl

All lines except the last must end with a backslash (\).


Build the package from the source files (takes a long time):

sudo dpkg-buildpackage -d
cd ..

Now install the packages (the first attempt will fail with a dependency error):

sudo dpkg -i *.deb

If the previous command returns an error, you need to install the missing dependencies:

sudo apt install -f

Repeat installation:

sudo dpkg -i *.deb

Make sure squid is built with SSL support (the configure options it prints should include --with-openssl and --enable-ssl-crtd):

squid -v | grep ssl

Configuring Squid as a Transparent HTTPS Proxy

Make a copy of the squid configuration file:

sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.save

Clear the config file:

sudo cp /dev/null /etc/squid/squid.conf

Edit your squid config file:

sudo nano /etc/squid/squid.conf

Add the following lines to the squid configuration:

access_log /var/log/squid/access.log squid
acl blacklist url_regex -i "/etc/squid/blacklist"
acl whitelist url_regex -i "/etc/squid/whitelist"
acl localnet src 10.24.1.0/24 # RFC 1918 local private network (LAN1)
acl localnet src 10.20.1.0/24 # RFC 1918 local private network (LAN2)
acl manager proto cache_object
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access allow whitelist
http_access deny blacklist
http_access deny manager
include /etc/squid/conf.d/*
http_access allow localnet
http_access allow localhost
http_access deny all
# Port for HTTP traffic (if specified manually)
http_port 3128
# Transparent port for HTTP traffic
http_port 3129 intercept
# Port for HTTPS traffic (if you specify intercept, it will be transparent)
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/etc/squid/proxyCA.pem tls-key=/etc/squid/proxyCA.pem cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/squid/bump_dhparam.pem
# Ignores every upstream certificate validation error (expired, self-signed, name mismatch),
# so the proxy trusts whatever the server presents. Narrow this to an ACL of known
# problem sites once the setup works.
sslproxy_cert_error allow all
always_direct allow all
acl whitelist_ssl ssl::server_name_regex "/etc/squid/whitelist"
acl blacklist_ssl ssl::server_name_regex "/etc/squid/blacklist"
acl step1 at_step SslBump1
# Step 1: peek at the ClientHello (SNI) without decrypting. Step 2: close the connection
# for blacklisted names and for any name not on the whitelist; splice (pass through
# unchanged) everything else. Rules are evaluated top-down, so the blacklist wins.
ssl_bump peek step1
ssl_bump terminate blacklist_ssl
ssl_bump terminate !whitelist_ssl
ssl_bump splice all
#ssl_bump server-first all
#ssl_bump none all
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
# example pattern for deb packages
#refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600
refresh_pattern . 0 20% 4320

Create files for the whitelist and blacklist of sites:

sudo touch /etc/squid/blacklist
sudo touch /etc/squid/whitelist

Be sure to include at least one site in each file, one regular expression per line, in the following format:

contoso\.com

Dots must be escaped with a backslash.
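The following shell script is an added example, not code from the article: it dry-runs the ssl_bump rules of the config above (terminate blacklist, terminate anything not whitelisted, splice the rest) against whitelist/blacklist files and flags entries whose dots are not escaped. It builds its own constructed sample lists in a temp directory; point it at /etc/squid/whitelist and /etc/squid/blacklist to check your real lists.

```shell
# Added example, not from the article: a dry run of the ssl_bump rules in the
# squid.conf above against the whitelist/blacklist files. Needs only grep and mktemp.

# 0 if a usable line of LIST matches HOST: case-insensitive ERE, one pattern per
# line, blank lines and # comments skipped, as Squid's *_regex ACLs do. Patterns
# are unanchored, so 'contoso\.com' also matches 'contoso.com.evil.test'; write
# '(^|\.)contoso\.com$' to match only that host and its subdomains.
matches_list() {
    host=$1 list=$2
    patterns=$(grep -v -E '^[[:space:]]*(#|$)' "$list") || return 1
    printf '%s\n' "$host" | grep -E -i -q -e "$patterns"
}

# 0 (and prints the lines) if LIST has a '.' not preceded by a backslash; an
# unescaped dot matches any character, so 'tracker.net' also hits 'trackerXnet'.
has_unescaped_dots() {
    grep -n -E '(^|[^\\])\.' "$1"
}

# Same order as the config: terminate blacklist_ssl, terminate !whitelist_ssl,
# splice all. Prints the action Squid would take for HOST (the TLS SNI).
ssl_bump_decision() {
    host=$1 whitelist=$2 blacklist=$3
    if matches_list "$host" "$blacklist"; then
        echo terminate
    elif ! matches_list "$host" "$whitelist"; then
        echo terminate
    else
        echo splice
    fi
}

# Constructed sample lists (stand-ins for /etc/squid/whitelist and
# /etc/squid/blacklist) in a temp dir; prints the directory.
make_sample_lists() {
    dir=$(mktemp -d)
    printf '%s\n' 'contoso\.com' 'ubuntu\.com' > "$dir/whitelist"
    printf '%s\n' 'ads\.example' 'tracker.net' > "$dir/blacklist"  # unescaped dot
    echo "$dir"
}

demo() {
    d=$(make_sample_lists)
    for h in www.contoso.com ads.example github.com trackerXnet.ubuntu.com; do
        printf '%-24s %s\n' "$h" "$(ssl_bump_decision "$h" "$d/whitelist" "$d/blacklist")"
    done
    echo 'blacklist entries with unescaped dots:'; has_unescaped_dots "$d/blacklist"
    rm -rf "$d"
}
case "${1-}" in --demo) demo ;; esac
```

Run it with --demo to see that the sloppy 'tracker.net' entry terminates trackerXnet.ubuntu.com even though ubuntu.com is whitelisted.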

Now create your own CA certificate with its private key (both are written to proxyCA.pem, the file that tls-cert and tls-key in the config point to):

cd /etc/squid/
sudo openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -extensions v3_ca -keyout proxyCA.pem -out proxyCA.pem

Then export the certificate (without the private key) in DER format for installation on users' computers:

sudo openssl x509 -in proxyCA.pem -outform DER -out squid.der

The squid.der certificate file must be installed on users' computers manually or via GPO.

Generate the Diffie-Hellman parameter file referenced by tls-dh in the config:

sudo openssl dhparam -outform PEM -out /etc/squid/bump_dhparam.pem 2048

Set permissions so that only the proxy user can read the key material:

sudo chown proxy:proxy /etc/squid/bump_dhparam.pem
sudo chmod 400 /etc/squid/bump_dhparam.pem
sudo chown proxy:proxy /etc/squid/proxyCA.pem
sudo chmod 400 /etc/squid/proxyCA.pem
sudo chown proxy:proxy -R /var/spool/squid
sudo chown proxy:proxy -R /var/log/squid/

Create the directory for the dynamic certificate database and initialize it:

sudo mkdir -p /var/lib/squid
sudo rm -rf /var/lib/squid/ssl_db
sudo /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB
sudo chown -R proxy:proxy /var/lib/squid

Enable the ip_forward kernel option (the redirection happens as root via tee, since a plain sudo echo > file would be redirected by your unprivileged shell):

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

This setting is lost on reboot; to make it permanent, set net.ipv4.ip_forward=1 in /etc/sysctl.conf.

Apply the configuration and restart squid:

sudo squid -k reconfigure
sudo systemctl restart squid

Configure forwarding of HTTP and HTTPS traffic to the squid listening ports. These PREROUTING rules only see traffic that arrives at the proxy host, so clients must route through it (for example with the proxy as their default gateway), and the rules are lost on reboot unless saved (e.g. with the iptables-persistent package):

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3130

This completes the Squid setup. You just need to install the certificate on users’ computers.
