本来想在路由器上搭一个透明代理:把所有经过路由器、访问外部 80/443 端口的请求全部 NAT 转发到 Squid,再通过 Squid 的 PAC 域名黑白名单机制按域名路由请求。但是 Squid 本身有一项设计(官方称之为安全机制,即参考链接中的 Host Header Forgery 检测),导致访问某些域名(比如淘宝一系的 HTTPS 请求)、域名解析出多个 IP 时会中断连接。有一种说法是把终端和路由器的 DNS 解析服务器调成一致,使域名解析到的 IP 一致;我试过,不好用,目前似乎无解。
下面贴一下我的配置,这是好几天的研究成果,留作备忘。

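# Squid transparent-proxy configuration.
# Intercepted HTTP/HTTPS from the LAN is sent either direct or through the
# parent proxy on 127.0.0.1:8118, selected by the domain list in
# blocked.txt (plain HTTP matches on the Host header, HTTPS on the SNI).
# Keep my.private readable only by the squid user: with
# generate-host-certificates=on it can sign a certificate for any hostname.

visible_hostname localhost

# Upstream parent proxy. no-query: send it no ICP queries;
# no-delay: traffic to it is not subject to delay pools.
cache_peer 127.0.0.1 parent 8118 0 no-delay no-query name=parent1

# 3127: explicit (forward) proxy port for clients configured by hand.
# 3128/3129: targets of the router's NAT redirect (intercept mode).
# NOTE: in intercept mode Squid checks that the Host header / SNI resolves
# to the intercepted destination IP (the Host Header Forgery check from the
# reference links); when the client's and Squid's resolvers return different
# addresses for a multi-IP domain, the connection is dropped.
http_port 192.168.1.6:3127
http_port 192.168.1.6:3128 intercept
# Clients must trust my.cert as a CA for bumped sites to validate.
https_port 192.168.1.6:3129 intercept ssl-bump cert=/usr/local/squid/etc/my.cert key=/usr/local/squid/etc/my.private generate-host-certificates=on

# Plain HTTP routing: domains in blocked.txt may only go via parent1
# (never_direct); every other request goes direct and never reaches parent1.
acl blocked dstdomain "/usr/local/squid/etc/blocked.txt"
never_direct allow blocked
cache_peer_access parent1 allow blocked
cache_peer_access parent1 deny !blocked

# Peek at the TLS ClientHello (step 1) to obtain the SNI before routing.
# No ssl_bump rule is given for later steps, so Squid applies its default
# action there -- confirm on the running version what that default is.
acl step1 at_step SslBump1
ssl_bump peek step1

# HTTPS routing: same rule as above, keyed on the SNI instead of Host.
acl blockedssl ssl::server_name "/usr/local/squid/etc/blocked.txt"
never_direct allow blockedssl
cache_peer_access parent1 allow blockedssl
cache_peer_access parent1 deny !blockedssl

acl localnet src 192.168.0.0/16

http_access allow localnet
http_access allow localhost
# Explicit final deny: Squid's implicit default is already the opposite of
# the last rule, but spelling it out keeps the proxy closed to other
# sources if the rules above are reordered or extended later.
http_access deny all


# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid
# NOTE(review): cache_mem normally takes a byte size (e.g. `cache_mem 0`);
# confirm that this Squid version accepts `none` here.
cache_mem none

refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320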

参考链接
http://marek.helion.pl/install/squid.html
https://www.linux.org.ru/forum/admin/13521540
https://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
https://docs.netgate.com/pfsense/en/latest/cache-proxy/squid-troubleshooting.html#sites-not-loading-with-splice-error-409-in-access-log

最后修改:2019 年 11 月 01 日