diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml b/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
index 0cd808839..2de62e336 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
@@ -202,10 +202,19 @@
checkbox
Be aware of the security implications before enabling this option.
+
+ Transparent HTTP proxy needs to be enabled and you need nat rules to reflect your traffic
+ for this feature to work.
]]>
+
+ proxy.forward.sslbumpport
+
+ text
+
+ proxy.forward.sslcertificate
@@ -221,7 +230,8 @@
true
+ Prefix the domain with a . to accept all subdomains (e.g. .google.com).
]]>
diff --git a/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml b/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
index bb89d8426..58a97e37e 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -159,6 +159,13 @@
Proxy port needs to be an integer value between 1 and 65535Y
+
+ 3129
+ 1
+ 65535
+ SSL Proxy port needs to be an integer value between 1 and 65535
+ Y
+ 0Y
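Review bot: The new sslbumpport field is validated only as an integer in 1–65535, and nothing here checks that it differs from proxy.forward.port; with both set to the same value the template renders `http_port 127.0.0.1:PORT intercept` and `https_port 127.0.0.1:PORT intercept ssl-bump …` on the same address and squid will fail to bind. The model's tag syntax is stripped in this view, so I cannot tell whether a cross-field constraint type is available at this level; if not, the check belongs in the controller that saves the form, rejecting the save with a message such as `SSL Proxy port must differ from the proxy port`. The validation message could also name the field it guards, e.g. `SSL bump port needs to be an integer value between 1 and 65535`, so the two port errors are distinguishable in the UI.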
diff --git a/src/opnsense/scripts/proxy/setup.sh b/src/opnsense/scripts/proxy/setup.sh
index 76469628e..d996a88b5 100755
--- a/src/opnsense/scripts/proxy/setup.sh
+++ b/src/opnsense/scripts/proxy/setup.sh
@@ -3,9 +3,9 @@
SQUID_DIRS="/var/log/squid /var/run/squid /var/squid /var/squid/cache /var/squid/ssl /var/squid/logs"
for SQUID_DIR in ${SQUID_DIRS}; do
- mkdir -p ${SQUID_DIR}
- chown -R squid:squid ${SQUID_DIR}
- chmod -R 750 ${SQUID_DIR}
+ mkdir -p ${SQUID_DIR}
+ chown -R squid:squid ${SQUID_DIR}
+ chmod -R 750 ${SQUID_DIR}
done
/usr/sbin/pw groupmod proxy -m squid
/usr/local/sbin/squid -z > /dev/null 2>&1
@@ -14,12 +14,30 @@ done
# some vague errors.
sleep 1
+# remove ssl certificate store in case the user changed the CA
+if [ -f /usr/local/etc/squid/ca.pem.id ]; then
+ current_cert=`cat /usr/local/etc/squid/ca.pem.id`
+ if [ -d /var/squid/ssl_crtd ]; then
+ if [ -f /var/squid/ssl_crtd.id ]; then
+ running_cert=`cat /var/squid/ssl_crtd.id`
+ else
+ running_cert=""
+ fi
+ if [ "$current_cert" != "$running_cert" ]; then
+ rm -rf /var/squid/ssl_crtd
+ fi
+ fi
+fi
+
# create ssl certificate store, in case sslbump is enabled we need this
if [ ! -d /var/squid/ssl_crtd ]; then
-/usr/local/libexec/squid/ssl_crtd -c -s /var/squid/ssl_crtd > /dev/null 2>&1
-chown -R squid:squid /var/squid/ssl_crtd
-chmod -R 750 /var/squid/ssl_crtd
+ /usr/local/libexec/squid/ssl_crtd -c -s /var/squid/ssl_crtd > /dev/null 2>&1
+ chown -R squid:squid /var/squid/ssl_crtd
+ chmod -R 750 /var/squid/ssl_crtd
+ if [ -f /usr/local/etc/squid/ca.pem.id ]; then
+ cat /usr/local/etc/squid/ca.pem.id > /var/squid/ssl_crtd.id
+ fi
fi
# generate SSL bump certificate
-/usr/local/opnsense/scripts/proxy/generate_cert.php
+/usr/local/opnsense/scripts/proxy/generate_cert.php > /dev/null 2>&1
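Review bot: The `ssl_crtd -c` call has its output discarded and its exit status ignored, so a failed store creation still runs `chown`/`chmod` on a missing directory and writes the `/var/squid/ssl_crtd.id` marker, and the last line now also silences every error from `generate_cert.php`; with sslbump enabled squid then starts without a usable certificate store and the only symptom is client TLS failures. Gate the ownership fix-up and the marker on the creation succeeding and report the failure on stderr (see fence). Where `/usr/local/etc/squid/ca.pem.id` is written is not visible here; if it is `generate_cert.php` that produces it, the comparison at the top of this hunk sees the id from the previous run, so a CA change would only purge the store on the next setup run — worth confirming the ordering. Style: the backtick substitutions are better written as `current_cert=$(cat /usr/local/etc/squid/ca.pem.id)` (POSIX, nests cleanly), or `read -r current_cert < /usr/local/etc/squid/ca.pem.id` to avoid the fork entirely.
```shell
# … unchanged: CA change detection above …
if [ ! -d /var/squid/ssl_crtd ]; then
    if /usr/local/libexec/squid/ssl_crtd -c -s /var/squid/ssl_crtd > /dev/null 2>&1; then
        chown -R squid:squid /var/squid/ssl_crtd
        chmod -R 750 /var/squid/ssl_crtd
        if [ -f /usr/local/etc/squid/ca.pem.id ]; then
            cat /usr/local/etc/squid/ca.pem.id > /var/squid/ssl_crtd.id
        fi
    else
        echo "setup.sh: creating /var/squid/ssl_crtd failed" >&2
    fi
fi
# … unchanged: generate_cert.php call …
```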
diff --git a/src/opnsense/service/templates/OPNsense/Proxy/squid.conf b/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
index 1051f4ad1..49a07dc1b 100644
--- a/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
+++ b/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
@@ -3,16 +3,18 @@
# Do not edit this file manually.
{# wrap http_port ssl bump configuration for reuse #}
-{% macro sslbump_httpconfig() -%}
+{% macro sslbump_httpsconfig(network, tags='') -%}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
- ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
+https_port {{network}}:{{OPNsense.proxy.forward.sslbumpport|default('3129')}} {{tags}} ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
{% endif %}
{%- endmacro %}
{% if helpers.exists('OPNsense.proxy.forward.transparentMode') and OPNsense.proxy.forward.transparentMode == '1' %}
# transparent mode, listen on localhost
-http_port 127.0.0.1:{{ OPNsense.proxy.forward.port }} intercept {{ sslbump_httpconfig() }}
-http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept {{ sslbump_httpconfig() }}
+http_port 127.0.0.1:{{ OPNsense.proxy.forward.port }} intercept
+{{ sslbump_httpsconfig('127.0.0.1', 'intercept') }}
+http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept
+{{ sslbump_httpsconfig('[::1]', 'intercept') }}
{% endif %}
# Setup listen configuration
@@ -20,14 +22,14 @@ http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept {{ sslbump_httpconfi
{% for interface in OPNsense.proxy.forward.interfaces.split(",") %}
{% for intf_key,intf_item in interfaces.iteritems() %}
{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
-http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }} {{ sslbump_httpconfig() }}
+http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }}
{% endif %}
{% endfor %}
{# virtual ip's #}
{% if helpers.exists('virtualip') %}
{% for intf_key,intf_item in virtualip.iteritems() %}
{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
-http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }} {{ sslbump_httpconfig() }}
+http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }}
{% endif %}
{% endfor %}
{% endif %}
@@ -50,6 +52,8 @@ ssl_bump splice bump_nobumpsites
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump bump
+
+sslproxy_cert_error deny all
{% endif %}
acl ftp proto FTP