Last updated: 2026-02-11
Squid TLS/SSL Configuration Guide
This guide provides recommended TLS/SSL settings for the Squid caching proxy. Squid can terminate HTTPS connections on the front end, encrypt connections to backend origin servers, and optionally intercept HTTPS traffic via SSL bumping.
Prerequisites
- Squid 5.0 or later (compiled with --with-openssl)
- OpenSSL 1.1.1 or later
- A valid TLS certificate and private key
Verify Squid was built with TLS support:
squid -v 2>&1 | grep -- '--with-openssl'
HTTPS Termination
Listening on HTTPS
Configure Squid to accept HTTPS connections using https_port:
https_port 443 cert=/etc/squid/ssl/server.crt key=/etc/squid/ssl/server.key
TLS Protocol Versions
Restrict to TLS 1.2 and above:
https_port 443 \
cert=/etc/squid/ssl/server.crt \
key=/etc/squid/ssl/server.key \
tls-min-version=1.2 \
options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET
Cipher Suites
Specify strong cipher suites:
https_port 443 \
cert=/etc/squid/ssl/server.crt \
key=/etc/squid/ssl/server.key \
tls-min-version=1.2 \
cipher=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305 \
options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET
DH Parameters
Generate and configure DH parameters for forward secrecy. They are used only by DHE cipher suites; the ECDHE-only cipher list above does not exercise them, but configuring them is harmless and covers any DHE suite added later:
openssl dhparam -out /etc/squid/ssl/dhparam.pem 2048
https_port 443 \
cert=/etc/squid/ssl/server.crt \
key=/etc/squid/ssl/server.key \
dhparams=/etc/squid/ssl/dhparam.pem \
tls-min-version=1.2 \
cipher=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305 \
options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET
Cache Peer TLS (Backend Encryption)
Encrypt connections to upstream origin servers or parent proxies:
cache_peer backend.example.com parent 443 0 \
tls \
tls-cert=/etc/squid/ssl/client.crt \
tls-key=/etc/squid/ssl/client.key \
tls-cafile=/etc/squid/ssl/ca-bundle.crt \
tls-min-version=1.2
For general origin server connections, set default TLS options:
tls_outgoing_options min-version=1.2
tls_outgoing_options cipher=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
tls_outgoing_options options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1
HTTPS Interception (SSL Bump)
SSL bumping allows Squid to intercept, decrypt, and inspect HTTPS traffic. This requires generating certificates dynamically for each destination.
SSL bumping breaks end-to-end encryption. Use it only where required by policy and ensure clients trust the Squid CA certificate.
Certificate Authority Setup
Generate a CA certificate for dynamic certificate generation:
openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
-keyout /etc/squid/ssl/squidCA.key \
-out /etc/squid/ssl/squidCA.crt \
-subj "/CN=Squid Proxy CA"
Initialize the certificate database (the helper path below follows the RHEL/Fedora layout; Debian-based packages install it under /usr/lib/squid):
/usr/lib64/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 64MB
chown squid:squid -R /var/lib/squid/ssl_db
SSL Bump Configuration
# Dynamic certificate generation
sslcrtd_program /usr/lib64/squid/security_file_certgen \
-s /var/lib/squid/ssl_db -M 64MB
# Intercept port
http_port 3129 intercept
https_port 3130 intercept ssl-bump \
cert=/etc/squid/ssl/squidCA.crt \
key=/etc/squid/ssl/squidCA.key \
generate-host-certificates=on \
dynamic_cert_mem_cache_size=16MB \
tls-min-version=1.2
# Bump rules
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
Selective Bumping
Bypass bumping for specific domains (e.g., banking sites). The splice rule is listed first because the rules are re-evaluated at every step: for intercepted traffic no server name is known at step 1, so the peek runs, and at step 2 the SNI learned from the ClientHello lets the splice rule match before the catch-all bump:
acl no_bump_sites ssl::server_name .bank.example.com .finance.example.com
ssl_bump splice no_bump_sites
ssl_bump peek step1
ssl_bump bump all
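To see why the rule order above works for intercepted traffic, here is an added example (Python, not Squid code) that models the per-step rule walk for the Selective Bumping rules; the ACL names, the domain-matching helper and the two-step scope are simplifying assumptions, and it ignores the constraints Squid applies at step 3 after a step-2 peek.

```python
# Added example (not Squid code): simplified model of how Squid walks the
# ssl_bump rules once per step; the first rule whose ACL matches decides.
# ssl::server_name can only match names Squid has learned so far: the CONNECT
# host at step 1 (explicit proxy only) and the client's SNI from step 2 on.
RULES = [                       # the Selective Bumping rules from the guide
    ("splice", "no_bump_sites"),
    ("peek", "step1"),
    ("bump", "all"),
]
NO_BUMP_SITES = (".bank.example.com", ".finance.example.com")

def domain_match(name, pattern):
    """'.x.y' matches x.y and every subdomain; a bare name matches exactly."""
    if pattern.startswith("."):
        return name == pattern[1:] or name.endswith(pattern)
    return name == pattern

def acl_matches(acl, step, known_names):
    if acl == "all":
        return True
    if acl == "step1":                      # acl step1 at_step SslBump1
        return step == 1
    if acl == "no_bump_sites":              # acl no_bump_sites ssl::server_name ...
        return any(domain_match(n, p) for n in known_names for p in NO_BUMP_SITES)
    raise ValueError(f"unknown acl {acl}")

def decide(step, known_names):
    """Return the action of the first ssl_bump rule that matches at this step."""
    for action, acl in RULES:
        if acl_matches(acl, step, known_names):
            return action
    return "splice"  # unreachable here: the trailing 'bump all' always matches

def walk(connect_host, sni):
    """Per-step decisions for one connection. connect_host is None for
    intercepted traffic (no name known before the ClientHello); sni is None
    for a client that sends no Server Name Indication."""
    known = {connect_host} if connect_host else set()
    decisions = [decide(1, known)]
    if decisions[0] == "peek":              # the peek reveals the SNI for step 2
        if sni:
            known.add(sni)
        decisions.append(decide(2, known))
    return decisions

if __name__ == "__main__":
    print(walk(None, "www.bank.example.com"))   # ['peek', 'splice']
    print(walk(None, "www.example.com"))        # ['peek', 'bump']
    print(walk(None, None))                     # ['peek', 'bump']: no SNI, no bypass
```

The last case is the caveat to remember: a client that omits SNI can never match a name-based splice rule, so it is bumped by the catch-all.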
Complete Configuration
# HTTPS termination
https_port 443 \
cert=/etc/squid/ssl/server.crt \
key=/etc/squid/ssl/server.key \
dhparams=/etc/squid/ssl/dhparam.pem \
tls-min-version=1.2 \
cipher=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305 \
options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,NO_TICKET
# HTTP port (redirect to HTTPS or for internal use)
http_port 3128
# Outgoing TLS settings
tls_outgoing_options min-version=1.2
tls_outgoing_options cipher=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
tls_outgoing_options options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1
# Access controls
acl localnet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
http_access allow localnet
http_access deny all
# Cache settings
cache_dir ufs /var/spool/squid 10000 16 256
maximum_object_size 256 MB
# Logging
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
Verification
Test the configuration syntax:
squid -k parse
Start or reload Squid:
systemctl restart squid
Verify TLS is working (with tls-min-version=1.2 set, the same command with -tls1_1 or -tls1 must be refused):
openssl s_client -connect localhost:443 -tls1_2
openssl s_client -connect localhost:443 -tls1_3
Check the negotiated protocol and cipher:
echo | openssl s_client -connect localhost:443 2>/dev/null | grep -E 'Protocol|Cipher'
Test through the proxy (an HTTPS proxy URL requires curl 7.52.0 or later):
curl -x https://proxy.example.com:443 https://www.example.com
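Beyond the syntax check, an added example (not part of this guide or of Squid) that audits a squid.conf fragment for the listener and outgoing TLS settings recommended above; the SAMPLE_CONF text and the WEAK token list are constructed assumptions.

```python
import re

# Constructed squid.conf fragment (not from the guide) with a weak listener to report on.
SAMPLE_CONF = """\
# front-end listener
https_port 443 \\
cert=/etc/squid/ssl/server.crt \\
key=/etc/squid/ssl/server.key \\
tls-min-version=1.0 \\
cipher=ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA
tls_outgoing_options min-version=1.2
tls_outgoing_options cipher=ECDHE-ECDSA-AES256-GCM-SHA384:RC4-SHA
"""
WEAK = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH")  # assumed deny-list

def directives(text):
    """Yield (name, {key: value}) per directive; a trailing '\\' joins lines."""
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, *tokens = line.split()
        # key=value tokens become entries; bare flags (intercept, ssl-bump) map to True
        yield name, {k: (v if eq else True) for k, eq, v in (t.partition("=") for t in tokens)}

def cipher_findings(where, cipher_list):
    """Flag suites without (EC)DHE key exchange or with known-weak algorithms."""
    out = []
    for suite in filter(None, cipher_list.split(":")):
        if not suite.startswith(("ECDHE-", "DHE-")):
            out.append(f"{where}: {suite} has no forward secrecy")
        if any(w in suite.split("-") for w in WEAK):
            out.append(f"{where}: {suite} uses a weak algorithm")
    return out

def audit(conf_text):
    """Return a list of findings; an empty list means the TLS settings pass."""
    findings = []
    for name, opts in directives(conf_text):
        if name not in ("https_port", "tls_outgoing_options"):
            continue
        where = name if name == "tls_outgoing_options" else f"https_port {next(iter(opts))}"
        vkey = "tls-min-version" if name == "https_port" else "min-version"
        version = opts.get(vkey)
        if name == "https_port" and version is None:   # listener left at OpenSSL defaults
            findings.append(f"{where}: {vkey} not set")
        elif version is not None and float(version) < 1.2:
            findings.append(f"{where}: {vkey}={version} allows pre-1.2 TLS")
        findings += cipher_findings(where, opts.get("cipher", ""))
    return findings
```

Run audit() over your real squid.conf text before `squid -k parse`; the hardened listener from this guide produces no findings.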