Cannot configure squid 4.6 to splice without bumping
I've been banging my head on this one for a while. I am setting up parental controls on my network using squidguard. I have a raspberry pi running squid 4.6 and the router has a policy that sends all web traffic from my children's computers to squid.
Everything works correctly for HTTP connections but I cannot get HTTPS to stop bumping. I want to splice all HTTPS connections in order to filter with squidguard but I do not want to ever bump (because it causes browser errors in chrome for a lot of sites).
I've tried many, many different settings and I always get traffic bumped. Here is an example:
I've tried setting debug_options to 9 but cannot see anything useful in the logs to indicate why it is not splicing. I always just see the full set of request headers in the logs for HTTPS connections, indicating that the connection is bumped.
One thing I did notice is that the ssl logformat options do not work. I get errors like this on restart:
These rules are poorly written (the last one will never match), but they
are unused because the port directives do not enable SslBump.
If an SSL connection is bumped (or even peeked at!) with the above
configuration, then there is a Squid bug somewhere. However, I do not
think your TLS connections are actually bumped. Please see below.
> I've tried setting debug_options to 9 but cannot see anything useful in
> the logs to indicate why it is not splicing. I always just see the full
> set of request headers in the logs for HTTPS connections, indicating
> that the connection is bumped.
I suspect your Squid is acting as an intercepting HTTPS proxy: It
terminates all intercepted SSL connections as if they were directed at
the Squid instance itself. The end result will look similar to bumping
from "I can see the headers" point of view.
You may be able to tell the difference by looking at certificate
details: With an HTTPS proxy, all connections will have the same leaf
myCA.pem certificate as opposed to a mimicked origin server certificate
signed by myCA.pem. There may be other, more obvious signs like the
details of the "Accepting..." lines that Squid reports at startup.
> One thing I did notice is that the ssl logformat options do not work. I
> get errors like this on restart: