
At this point, I don't think certificate pinning in the general internet/web environment is a thing.


Agreed. I MITM all my own traffic and I only have to exclude a handful of domains or A records on domains to not MITM.


I thought about doing this on my own network (for caching purposes primarily) but I'm concerned about breaking the "end-to-end" guarantee of TLS.

Essentially, now a separate box on the network has full access to my TLS traffic and if compromised can silently intercept it (and it would be too late by the time I notice).

How do you deal with/rationalize this concern?


I control the box doing the decryption, so it is still my system. I can tell Squid which ciphers are appropriate and whether or not I want to validate the chain or accept anything. All of those controls still exist. But yes, I would be concerned as you are if I were using a proprietary proxy like Bluecoat or Websense.


Honestly curious, why do you MITM all your own traffic? For detailed logging?


Logging, ACLs for some MIME types, overriding cache controls, shared cache for multiple devices, blocking some sites that I can't block using DNS.


> shared cache for multiple devices

Oh, that's a neat one and would be very valuable for me. We have poor internet access at home and it would be cool to reduce traffic going out to the net.

Thanks for the reply, appreciate it!


No problem. You can find examples of how to set up Squid-SSL-Bump or I can provide examples if you can't find any.
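An added example (not the commenter's own configuration) of the Squid SSL-Bump layout the thread describes: peek at the client's TLS handshake, splice (pass through untouched) the handful of pinned or sensitive destinations, bump everything else with a locally generated CA, keep upstream chain validation on, and use the resulting plaintext for a shared cache. Assumes Squid 4+ directive syntax; the file paths, the `.example-bank.test` domain, the 203.0.113.10 address and the 192.168.1.0/24 LAN are placeholders.

```conf
# --- Who may use the proxy (placeholder LAN range) ---
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all

# --- Intercepting listener ---
# myca.pem/myca.key is the private CA the clients on this LAN trust.
# Whoever holds myca.key can read every bumped session, so this box is
# the trust anchor for the whole network: keep it patched and locked down.
http_port 3128 ssl-bump \
    tls-cert=/etc/squid/myca.pem tls-key=/etc/squid/myca.key \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# --- The "handful of domains or A records" that must not be bumped ---
# Matched on the SNI seen during peek; a bare IP covers destinations that
# are reached without a usable server name. Both values are placeholders.
acl nobump ssl::server_name .example-bank.test
acl nobump dst 203.0.113.10

# --- Bump decision ---
# Step 1: look at the ClientHello only (no certificate is forged yet).
acl step1 at_step SslBump1
ssl_bump peek step1
# Pinned/sensitive destinations are spliced: Squid forwards the original
# bytes and never presents its own certificate, so pinning keeps working.
ssl_bump splice nobump
# Everything else is terminated here and re-encrypted toward the origin.
ssl_bump bump all

# --- Upstream (proxy-to-origin) TLS policy ---
# Validation stays on: the proxy now performs the check the client no
# longer can, so it must refuse bad chains rather than just log them.
tls_outgoing_options min-version=1.2 \
    cipher=HIGH:!aNULL:!MD5 \
    cafile=/etc/ssl/certs/ca-certificates.crt
sslproxy_cert_error deny all

# --- Shared cache for several devices, overriding weak cache controls ---
cache_dir ufs /var/spool/squid 10000 16 256
refresh_pattern -i \.(jpg|jpeg|png|gif|css|js|woff2?)$ 1440 50% 43200 \
    override-expire ignore-private
refresh_pattern . 0 20% 4320

access_log /var/log/squid/access.log squid
```

Check the split between spliced and bumped traffic in access.log before trusting the cache: a pinned app that still fails means its host belongs in the `nobump` list, not in a looser certificate policy.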
