Sorry for my 2 cents again, but in order to exclude domains, one could do without tweaking that conf file.
Yep, I've actually started using this for some other things! System Preferences doesn't allow me to use regex patterns, however, and I don't have a way to "build in" those addresses by default.
The way I think of it is, squid.conf is for addresses that I've decided should always be excluded from the proxy for technical reasons, whereas System Preferences gives users a way to add additional domains as they see fit.
Here's a support article by Apple which lists ports that should be opened in the event that firewall and other security software are enabled. It doesn't list port 3128, though, but is Squid not coopting it occasionally?
Squid isn't a firewall, and most firewalls don't man-in-the-middle SSL traffic. 3128 is just the default listening port for Squid, it's not something used by Apple.
Squid's documentation is indeed somewhat poor, but it is very robust, reliable software. It's been around for a long time, and it's used by a lot of large servers/businesses/organizations. I initially tried some alternate proxies (mitmproxy, Charles), and they were slower and buggy.
Intercepting requests does have an inherent performance impact, but it should be minimal, both because Squid is lightweight and because you're running the proxy on your own machine. There's no other way we can practically fix SSL.
(I did initially want to modify Apple's Security Framework instead, to give the OS itself support for newer cipher suites. Unfortunately, just getting the thing to compile ended up being a complete nightmare! I don't know why Apple even bothers releasing source code, when they leave out so much it can't be used for anything...
https://apple.stackexchange.com/a/399650/150839 )