SSL/TLS Interception Configuration

Overview

The Pimeleon router implements SSL/TLS interception using Squid proxy with dynamic certificate generation, enabling content filtering and inspection of encrypted HTTPS traffic.

Architecture

SSL Bumping Process

Peek: Initial SSL handshake inspection
Splice: Pass-through for bypass sites
Bump: Full SSL interception with certificate generation

Port Configuration

127.0.0.1:31443: Local HTTPS interception
192.168.77.1:31443: Guest VLAN HTTPS interception
127.0.0.1:3128: Standard HTTP proxy
192.168.76.1:3128: Main LAN HTTP proxy

Certificate Management

Dynamic Certificate Generation

Squid generates certificates on-demand for intercepted sites using:

Custom Certificate Authority (CA) certificate
4MB memory cache for generated certificates
Security file certificate generator daemon
8 worker processes for certificate generation

Certificate Authority Setup

Custom CA certificate located at /etc/squid/ssl_cert/myCA.pem enables:

Trusted certificate chain for client browsers
Automatic certificate generation for any domain
Seamless SSL interception without browser warnings

Bypass Configuration

No-Bump Sites

Sites in /etc/squid/nobump_sites.txt bypass SSL interception:

Banking and financial institutions
Sites with certificate pinning
Privacy-sensitive services
Sites requiring client certificates

Splice Logic

SSL bumping uses step-based decision making:

Step 1: Peek at initial handshake
Check against nobump sites list
Splice (bypass) matching sites
Bump (intercept) all other traffic

Integration with Content Filtering

Privoxy Forwarding

Intercepted traffic forwards to Privoxy on port 8118 for:

Ad blocking with advanced filters
Privacy protection and header manipulation
Content modification and injection blocking
JavaScript and tracking prevention

Filtering Chain

Client → Squid SSL Bump → Certificate Generation → Privoxy Filtering → Upstream

Security Considerations

Certificate Trust

Clients must trust the custom CA certificate for transparent operation:

Manual installation on client devices required
Enterprise deployment via group policy
Mobile device configuration profiles
Browser-specific certificate installation

Privacy Balance

SSL interception creates privacy considerations:

Ability to inspect all HTTPS traffic
Logging of decrypted content possible
Trust requirement from network users
Compliance with privacy regulations

Performance Optimization

Certificate Caching

4MB dynamic memory cache prevents regeneration
Startup and idle worker processes for responsiveness
Database storage for persistent certificates
Cache effective user/group permissions

DNS Configuration

IPv4 DNS preference for faster resolution
Custom DNS server (192.168.77.1) for internal resolution
Forwarded-For header deletion for privacy

Access Control

Network Restrictions

localhost and localnet access allowed
All external access denied by default
Safe ports restriction (80, 443, etc.)
CONNECT method control for SSL tunneling

Protocol Handling

Foreign protocol tunneling for unsupported types
Server-first protocol accommodation
FTP direct routing bypass
Error handling for protocol mismatches

Operational Benefits

Content Inspection: Full visibility into HTTPS traffic
Malware Detection: Scan encrypted communications
Policy Enforcement: Block inappropriate HTTPS content
Performance: Caching of frequently accessed resources
Compliance: Meet organizational security requirements

Maintenance Tasks

Regular certificate renewal and rotation
Monitor certificate database size and performance
Update nobump sites list for compatibility
Review and audit interception logs
Performance tuning based on usage patterns

Privoxy for advanced HTTP filtering
Certificate authority management
Network firewall rules for transparent interception
DNS resolution for intercepted domains