pid_filename    /run/squid.pid
cache_dir ufs /tmp/squid/cache 500 16 256
maximum_object_size 4096 KB
coredump_dir /tmp/squid/core
visible_hostname localhost
cache_access_log /tmp/squid/access.log
cache_log /tmp/squid/cache.log

# Access Control lists
acl localhost src 127.0.0.1 ::1
acl manager proto cache_object
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

http_access allow localhost
http_access deny all
forwarded_for on

# sslcrtd_program /nix/store/nqlqk1f6qlxdirlrl1aijgb6vbzxs0gs-squid-4.17/libexec/security_file_certgen -s /tmp/squid/ssl_db -M 4MB
sslcrtd_children 5

http_port 127.0.0.1:3128 \
  ssl-bump \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=4MB \
  cert=/tmp/squid/myca-mitm.pem

ssl_bump stare all      # mimic the Client Hello, drop unsupported extensions
ssl_bump bump all       # terminate and establish new TLS connection