I am trying to enable caching of content for both HTTP and HTTPS connections with Squid Cache. I have version 6.5 running on Ubuntu 24.04 from the squid-openssl package. I confirmed the binary uses OpenSSL and is compiled with the configure options: --with-openssl and --enable-ssl-crtd
I have the following config lines in my setup:
https_port 3129 tls-cert=/etc/squid/squid-ca-cert.pem tls-key=/etc/squid/squid-ca-key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /lib/squid/security_file_certgen -c -s /usr/local/squid/var/cache/squid/ssl_db -M 4MB
When I then run curl --proxy-insecure --proxy https://localhost:3129 it works, but in the logs I see what looks like the content not being cached:
1711580401.645 162 192.168.65.1 TCP_TUNNEL/200 41698 CONNECT assets-global.website-files.com:443 - HIER_DIRECT/54.230.18.101 -
1711580403.972 92 192.168.65.1 TCP_TUNNEL/200 41699 CONNECT assets-global.website-files.com:443 - HIER_DIRECT/54.230.18.101 -
1711580404.771 103 192.168.65.1 TCP_TUNNEL/200 41700 CONNECT assets-global.website-files.com:443 - HIER_DIRECT/54.230.18.101 -
When I add the ssl-bump directive as:
https_port 3129 ssl-bump tls-cert=/etc/squid/squid-ca-cert.pem tls-key=/etc/squid/squid-ca-key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
I get the following error:
FATAL: Bungled /etc/squid/squid.conf line 42: https_port 3129 ssl-bump tls-cert=/etc/squid/squid-ca-cert.pem tls-key=/etc/squid/squid-ca-key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
How do I configure https_port on 3129 with TLS so it actually caches requests?
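As an added example (not part of the question or of the answer below), the following shell snippet prints a minimal explicit-proxy SSL-bump configuration and then summarises a Squid native-format access.log by result code, which is the quickest way to tell whether CONNECT requests are being tunnelled opaquely (TCP_TUNNEL, nothing cacheable) or bumped and served through the cache (TCP_MISS / TCP_HIT with GET lines). The certificate, key, helper and cache_dir paths are assumptions taken from the question and typical distro layouts; the log lines fed to the summary are constructed for the example.

```shell
#!/bin/sh
# Added example; not code from the question, the answer, or the Squid project.
# Assumes Squid 5/6 built with --with-openssl and --enable-ssl-crtd, and that
# the CA cert/key and helper paths below exist (paths are assumptions).

# Minimal explicit-proxy SSL-bump configuration. Bumping CONNECT requests is
# driven by ssl_bump rules; with no ssl_bump rule Squid leaves every CONNECT
# as an opaque tunnel (TCP_TUNNEL in access.log), so nothing inside it can be
# cached. Initialise the cert DB once with:
#   security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB
squid_bump_conf() {
    cat <<'EOF'
http_port 3128 ssl-bump tls-cert=/etc/squid/squid-ca-cert.pem tls-key=/etc/squid/squid-ca-key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
cache_dir ufs /var/cache/squid 1000 16 256
EOF
}

# Constructed sample access.log lines (native format: time elapsed client
# RESULT_CODE/STATUS bytes method URL user HIERARCHY/peer type). The first
# is an unbumped CONNECT; the next two show a bumped request missing and then
# hitting the cache.
sample_log() {
    cat <<'EOF'
1711580401.645 162 192.168.65.1 TCP_TUNNEL/200 41698 CONNECT assets-global.website-files.com:443 - HIER_DIRECT/54.230.18.101 -
1711580405.100 45 192.168.65.1 TCP_MISS/200 4096 GET https://assets-global.website-files.com/site.css - HIER_DIRECT/54.230.18.101 text/css
1711580406.200 3 192.168.65.1 TCP_HIT/200 4096 GET https://assets-global.website-files.com/site.css - HIER_NONE/- text/css
EOF
}

# Count lines on stdin whose result code (field 4, before the '/') equals $1.
# Prints 0 rather than failing when there are no matches.
count_code() {
    awk -v want="$1" '{ split($4, f, "/"); if (f[1] == want) n++ } END { print n + 0 }'
}

# Per-result-code summary of the log on stdin, one "CODE count" line each.
# A log that is all TCP_TUNNEL means the CONNECTs are not being bumped.
bump_summary() {
    awk '{ split($4, f, "/"); c[f[1]]++ } END { for (k in c) print k, c[k] }' | sort
}

# Stand-alone demo: show the config, then summarise the sample log.
squid_bump_conf
echo '--- sample log summary ---'
sample_log | bump_summary
```

Run `tail -f /var/log/squid/access.log | bump_summary` against a live proxy (with the assumed paths adjusted) after reloading the configuration; once bumping works, repeated fetches of the same object move from TCP_MISS to TCP_HIT and the CONNECT lines stop appearing as TCP_TUNNEL.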
I have just gone through weeks of struggling with this. There are years of documentation that are now conflicting or handled automatically; it's hard to work out what you need.
I am running squid version 6.8 on Alpine compiled with all the SSL goodness we need. My scenario is to have a parent proxy to always use
Configuration as a reverse proxy (accel mode):
cache_peer squidparent.example.com parent 443 0 no-query default ssl name=myAccel no-digest tls-cert=/etc/squid/certs/tls.crt tls-key=/etc/squid/certs/tls.key
cache_peer_access myAccel allow localnet
cache_peer_access myAccel deny all
http_port 3128 accel defaultsite=squidparent.example.com no-vhost
https_port 3129 accel defaultsite=squidparent.example.com generate-host-certificates=on tls-cert=/etc/squid/certs/tls.crt tls-key=/etc/squid/certs/tls.key no-vhost
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/cache/squid/ssl_db -M 20MB
sslproxy_cert_error allow all
cache_peer_access myAccel allow localnet
cache_peer_access myAccel deny all
Make sure your TLS certificate Subject is the name by which you address the Squid proxy.