Hi!
I would like to ask if it's possible to release a patch with Squid compiled with those options:
--enable-ssl --with-open-ssl=/etc/ssl/openssl.cnf
Since it seems that with Squid version 3+ it's possible, through the creation of a private certificate, to enable HTTPS Transparent proxy.
I have found some sites that explain this:
Transparent Squid with http and https - HowTo
Transparent Proxy for HTTP and HTTPS - HowTo 2
SQUID transparent SSL interception - HowTo 3
Squid configuration directive https_port
This is where I found the compile options.
Thank you!
Hi, not sure if this made it into 2.1.8, but for this to work you need another option: ./configure --prefix=/usr/local/squid --enable-ssl --enable-ssl-crtd, to allow for dynamic certificate generation. I would like to add my own request for this, to regain filtering on search engines and YouTube for implementation in schools. Many thanks, Tim.
Last edit: Linux_lad 2015-01-29
Hi
So I have not tested this for use with transparent redirection but I have setup explicit proxy using this feature.
Additional options in build process
Edit -
configuration files for the packages are in the trunk/lfs/ directory
vi trunk/lfs/squid
For squid we added extra compile options for ssl_bump
before the disable options.
We need the extra file created by these options copied to our build CD/image.
vi /trunk/files_i486/03_ipcop>squid-3.x.x.x
add in line
/usr/squid/lib/ssl_crtd
Now build your system from SVN
Installation (as root)
/usr/sbin/squid -k shutdown (squid stop)
./var/log/squid # log files no change
./usr/sbin/squid # main squid code - replace original with mod version
./usr/lib/squid # squid functions - add ssl_crtd
./etc/logrotate.d/squid # no change
./etc/squid # contains configuration options soft link to /var/ipcop/squid.conf
chmod 755 /usr/sbin/squid
chmod 755 /usr/lib/squid/ssl_crtd
~ Create a place to store the dynamic certificates; use /var/log/ to allow for flash machines, as this will be stored in memory.
~ Then modify the ownership to match the squid process; this would need to be done as part of the install process after the initial boot
~ or as Squid is initialised for the first time.
/usr/lib/squid/ssl_crtd -c -s /var/log/ssl_db
chown -R squid:squid /var/log/ssl_db
Now create a root CA certificate to sign all of the bumped connections, allowing ipcop to issue certificates for each of the web sites we visit.
cd /var/ipcop/proxy # put the certificate in here for now as this will be backed up automatically
# need to find out why the CA cert from openvpn was not suitable, may be permissions
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout proxyCA.pem -out proxyCA.pem # key and certificate in the one file that cert= references below
~ Now create a copy which is easily installed on the client machines as a root CA certificate. This will need importing to all clients to avoid SSL errors for every encrypted web site; remember SSL Bump is essentially a man in the middle attack: your Ipcop will be generating SSL certificates for all of your favourite web sites!
openssl x509 -in proxyCA.pem -outform DER -out proxyCA.der
reboot - Configure options
This can most easily be done in the /var/ipcop/proxy/acls/include.acl add the following to the file, edit to suit your installation and remember to go to the GUI and Save the proxy settings to load this file.
~ set the defaults for ssl_bump
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/log/ssl_db -M 4MB
sslcrtd_children 10
~ the following two options are unsafe and not always necessary:
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
~ add the following to the http_port definition for the required interface
~ ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/ipcop/proxy/proxyCA.pem
~ Bumped requests have relative URLs so Squid has to use reverse proxy
~ or accelerator code. By default, that code denies direct forwarding.
~ The need for this option may disappear in the future.
always_direct allow all
ssl_bump none localhost
ssl_bump server-first all
~ change address to match your green interface - check which port your proxy runs on !
http_port 10.10.20.254:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/ipcop/proxy/proxyCA.pem
~ change address to match your blue interface - check which port your proxy runs on !
http_port 172.16.20.254:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/var/ipcop/proxy/proxyCA.pem
~
All the files you need are attached for both version 2.1.8 and 2.1.9; make sure you save your original Squid binary first. Best to use the text from inside the attached tar file, as comments don't show up correctly here. Good luck to anyone who tries it.
Last edit: Linux_lad 2015-05-25
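A check worth running on the include.acl snippet above before saving it from the GUI, as an added example that is not part of the original post: the function below scans a Squid include file for the two directives the post marks as unsafe, for an ssl_bump rule that bumps everything without a none/splice exception, for generate-host-certificates=on without an sslcrtd_program line, and for an ssl-bump http_port that lacks cert=. It assumes POSIX sh with grep and awk, the Squid 3.4 directive names used in the thread, and treats lines beginning with "~" or "#" as comments, as the post does.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the ssl_bump directives in a
# Squid include file (e.g. /var/ipcop/proxy/acls/include.acl) before the GUI
# reloads it. Prints one line per finding; returns 0 when nothing was found.
# Assumes POSIX sh with grep and awk and the Squid 3.4 directive names used
# in the thread. Lines starting with "~" or "#" are treated as comments, so
# the commented-out examples in the post are not reported as live config.

live_lines() {
    grep -v '^[[:space:]]*[~#]' "$1"
}

audit_sslbump() {
    conf="$1"
    findings=0

    # Upstream certificate validation switched off: the proxy would re-sign any
    # bogus or expired server certificate with its own trusted CA.
    if live_lines "$conf" | grep -Eq '^[[:space:]]*sslproxy_cert_error[[:space:]]+allow[[:space:]]+all'; then
        echo "UNSAFE: sslproxy_cert_error allow all (upstream certificate errors ignored)"
        findings=$((findings + 1))
    fi
    if live_lines "$conf" | grep -Eq '^[[:space:]]*sslproxy_flags.*DONT_VERIFY_PEER'; then
        echo "UNSAFE: sslproxy_flags DONT_VERIFY_PEER (upstream chain never verified)"
        findings=$((findings + 1))
    fi

    # Bumping everything without an exception: at least localhost should be
    # excluded, as the post's "ssl_bump none localhost" line does.
    if live_lines "$conf" | grep -Eq '^[[:space:]]*ssl_bump[[:space:]]+(server-first|client-first|bump)[[:space:]]+all' \
       && ! live_lines "$conf" | grep -Eq '^[[:space:]]*ssl_bump[[:space:]]+(none|splice)'; then
        echo "WARN: ssl_bump applies to all traffic with no none/splice exception"
        findings=$((findings + 1))
    fi

    # Dynamic certificates need the ssl_crtd helper configured.
    if live_lines "$conf" | grep -q 'generate-host-certificates=on' \
       && ! live_lines "$conf" | grep -Eq '^[[:space:]]*sslcrtd_program'; then
        echo "ERROR: generate-host-certificates=on but no sslcrtd_program directive"
        findings=$((findings + 1))
    fi

    # Every ssl-bump http_port must name the signing CA, or Squid will not start.
    bad_ports=$(live_lines "$conf" | awk '/^[[:space:]]*http_port/ && /ssl-bump/ && !/cert=/ {print $2}')
    for p in $bad_ports; do
        echo "ERROR: ssl-bump http_port $p has no cert= option"
        findings=$((findings + 1))
    done

    [ "$findings" -eq 0 ]
}
```

Run it as `audit_sslbump /var/ipcop/proxy/acls/include.acl` and only save the proxy settings when it prints nothing; the two UNSAFE findings are exactly the lines the post says to leave out unless you have a reason to keep them.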
Hi
Update for SSL bump: I have successfully used this for 6 months on a small school network. However, I have found an issue with the version of Squid, which contains a known bug in 3.4.12 that affects SSL bump. To fix this I have compiled the fix, 3.4.14, and included the required files in the attached archive. You will need to upload and uncompress the archive on your Ipcop. Stop the Proxy from the GUI, then copy the existing squid binary to a safe location for backup along with the existing Squid directory.
As root user
mkdir /backup/sslbump
mv /usr/sbin/squid /backup/sslbump ; # or whatever directory you choose
mv /usr/lib/squid /backup/sslbump/libsquid
from the directory that the new version has been extracted in
mv libsquid /usr/lib/squid
mv squid /usr/sbin/
mv /backup/sslbump/libsquid/'yourcertificate.ca' /usr/lib/squid/ ; # place the certificate for SSL bump into the new installation (into the directory, not onto /usr/sbin/squid, which would overwrite the binary just moved)
chmod 755 /usr/sbin/squid ; # change permissions on squid binary
chmod 755 /usr/lib/squid/* ; # change permissions on squid directory items
Restart Squid from the GUI.
Good luck, enjoy
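The same swap as a function with a backup and the checks the bare mv/chmod lines lack, as an added example that is not part of the post or of IPCop: it refuses to run if the replacement binary or its ssl_crtd helper is missing or a backup already exists, keeps the old binary and helper directory for rollback, copies the CA file into the new helper directory rather than onto the binary path, and leaves the CA key readable only by its owner. All paths are parameters so the procedure can be rehearsed in a scratch directory first; proxyCA.pem as the CA file name is an assumption, and on the real system it runs as root.

```shell
#!/bin/sh
# Added example, not code from the thread: perform the binary swap from the
# update post with a backup and sanity checks. All paths are parameters so the
# function can be rehearsed in a scratch directory; on IPCop it would be called
# from the directory where the archive was extracted as
#   swap_squid /usr/sbin/squid /usr/lib/squid ./squid ./libsquid /backup/sslbump proxyCA.pem
# (proxyCA.pem is assumed to be the CA file name; use whatever yours is called).
# Assumes POSIX sh and, on the real system, root privileges.

swap_squid() {
    bin="$1"        # installed Squid binary
    lib="$2"        # installed helper directory (holds ssl_crtd)
    new_bin="$3"    # replacement binary from the archive
    new_lib="$4"    # replacement helper directory from the archive
    backup="$5"     # where the old files are kept for rollback
    cert="$6"       # CA file name stored inside the helper directory

    # Check the replacement before touching the running installation.
    [ -f "$new_bin" ] || { echo "missing replacement binary: $new_bin" >&2; return 1; }
    [ -x "$new_lib/ssl_crtd" ] || { echo "$new_lib has no executable ssl_crtd (built without --enable-ssl-crtd?)" >&2; return 1; }
    if [ -e "$backup/squid" ]; then
        echo "backup already present in $backup, refusing to overwrite it" >&2
        return 1
    fi

    mkdir -p "$backup" || return 1
    mv "$bin" "$backup/squid" || return 1
    mv "$lib" "$backup/libsquid" || return 1
    mv "$new_lib" "$lib" || return 1
    mv "$new_bin" "$bin" || return 1

    chmod 755 "$bin"
    chmod 755 "$lib"/*

    # Carry the CA over into the new helper directory. It is copied, not moved,
    # so the backup stays complete, and it goes into "$lib", never onto "$bin":
    # moving it onto the binary path would replace the binary just installed.
    if [ -f "$backup/libsquid/$cert" ]; then
        cp "$backup/libsquid/$cert" "$lib/$cert" || return 1
        chmod 600 "$lib/$cert"    # the file also holds the CA private key
    fi

    # The state the GUI restart relies on.
    [ -x "$bin" ] && [ -x "$lib/ssl_crtd" ]
}
```

Rolling back is the reverse: stop the proxy, move `$backup/squid` and `$backup/libsquid` back into place, and restart from the GUI.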