
Debian 10 with squid working as a transparent proxy. Now want to add SSL.

# apt-get install openssl
# mkdir -p /etc/squid/cert
# cd /etc/squid/cert
# openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
# openssl x509 -in myCA.pem -outform DER -out myCA.der

# iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to 192.168.1.51:3129
# iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j REDIRECT --to-port 3129
# iptables-save > /etc/iptables/rules.v4

Question 1: Now what I read says that next I need to

/usr/lib/squid/security_file_certgen -c -s /var/cache/squid/ssl_db -M 4MB

however I cannot find security_file_certgen on my system.

Question 2: If I now proceed anyway to add in squid.conf:

https_port 3129 intercept ssl-bump cert=/etc/squid/cert/myCA.pem generate-host-certificates=on

then squid fails to start:

2020/10/07 14:09:27| FATAL: Unknown https_port option 'ssl-bump'.
2020/10/07 14:09:27| FATAL: Bungled /etc/squid/squid.conf line 5: https_port 3129 int
2020/10/07 14:09:27| Squid Cache (Version 4.6): Terminated abnormally.
CPU Usage: 0.017 seconds = 0.017 user + 0.000 sys
Maximum Resident Size: 57792 KB
Page faults with physical i/o: 0
FATAL: Bungled /etc/squid/squid.conf line 5: https_port 3129 intercept ssl-bump cert=
squid.service: Control process exited, code=exited, status=1/FAILURE
squid.service: Failed with result 'exit-code'.
Failed to start Squid Web Proxy Server.

I notice that squid -v contains neither --enable-ssl-crtd nor --with-openssl, but I don't understand what to do about this.

Update

All of the guides on the Internet at the time of writing are obsolete because https://wiki.squid-cache.org/Features/SslBump ssl-bump has been replaced with https://wiki.squid-cache.org/Features/BumpSslServerFirst server-first, and server-first has been replaced with https://wiki.squid-cache.org/Features/SslPeekAndSplice peek-n-splice.

I was hoping this, which I got from https://serverfault.com/questions/743483/transparent-http-https-domain-filtering-proxy, might work:

https_port 3129 intercept ssl-bump
ssl_bump peek all
ssl_bump splice all

but no:

2020/10/08 09:57:49| FATAL: Unknown https_port option 'ssl-bump'.
2020/10/08 09:57:49| FATAL: Bungled /etc/squid/squid.conf line 6: https_port 3129 int
2020/10/08 09:57:49| Squid Cache (Version 4.6): Terminated abnormally.
CPU Usage: 0.017 seconds = 0.008 user + 0.008 sys
Maximum Resident Size: 57152 KB
Page faults with physical i/o: 0
FATAL: Bungled /etc/squid/squid.conf line 6: https_port 3129 intercept ssl-bump
squid.service: Control process exited, code=exited, status=1/FAILURE
squid.service: Failed with result 'exit-code'.
Failed to start Squid Web Proxy Server.

Update: compiling squid with SSL

# cd ~
# mkdir squid-build
# cd squid-build
# apt-get install openssh-server net-tools
# apt-get install openssl devscripts build-essential fakeroot libdbi-perl libssl-dev  # libssl1.0-dev
# apt-get install dpkg-dev
# apt-get source squid
# apt-get build-dep squid
# cd squid-4.6/
# vi debian/rules
# dpkg-source --commit

In debian/rules file add to DEB_CONFIGURE_EXTRA_FLAGS the flags:

--with-default-user=proxy \
--enable-ssl \
--enable-ssl-crtd \
--with-openssl \
--disable-ipv6

...and build...

# debuild -us -uc

...and install...

# cd ..
# pwd 
/root/squid-build
# mv squid3*.deb squid3.deb.NotIncluded
# dpkg -i *.deb

However, still no ssl_crtd.

Has it been renamed to security_file_certgen? (https://bugzilla.redhat.com/show_bug.cgi?id=1397644)

Update: compiled squid

Got squid compiled and running for HTTP but don't know what to do for HTTPS -- and apparently neither does anyone else. Is it impossible? It seems to be something to do with certificates and squid.conf.
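A small set of checks for the three things this question turned on, as an added example rather than anything from the thread: whether the output of squid -v advertises the configure flags ssl-bump needs, which name the certificate-generator helper has on a given system (ssl_crtd or its newer name security_file_certgen), and whether the CA file actually holds both key and certificate. The two squid -v outputs below are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not from the original thread): sanity checks for a Squid
# ssl-bump setup. Function names and the sample squid -v text are assumptions.

# squid_has_sslbump OUTPUT_OF_SQUID_V -> 0 if both configure flags are present,
# otherwise 1 and a note on stderr listing what is missing.
squid_has_sslbump() {
    _missing=""
    for _flag in --with-openssl --enable-ssl-crtd; do
        case "$1" in
            *"$_flag"*) ;;
            *) _missing="$_missing $_flag" ;;
        esac
    done
    [ -z "$_missing" ] && return 0
    echo "squid built without:$_missing" >&2
    return 1
}

# find_certgen_helper DIR -> prints the first executable helper found under DIR,
# trying the current name first and the pre-rename name second.
find_certgen_helper() {
    for _name in security_file_certgen ssl_crtd; do
        if [ -x "$1/$_name" ]; then
            echo "$1/$_name"
            return 0
        fi
    done
    return 1
}

# pem_has_key_and_cert FILE -> 0 only if FILE holds both a private key and a
# certificate (the single-file layout the openssl req command above produces).
pem_has_key_and_cert() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" &&
        grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Constructed stand-ins for `squid -v` on a stock package and on a rebuilt one.
STOCK_BUILD="Squid Cache: Version 4.6
configure options:  '--with-default-user=proxy' '--enable-icap-client'"
SSL_BUILD="Squid Cache: Version 4.6
configure options:  '--with-default-user=proxy' '--enable-ssl-crtd' '--with-openssl'"

# Live use on a Debian host:
#   squid_has_sslbump "$(squid -v 2>&1)"
#   find_certgen_helper /usr/lib/squid
#   pem_has_key_and_cert /etc/squid/cert/myCA.pem
```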

3 Answers

This isn't a direct answer to your question as I'm just using squid as a local caching proxy. Regardless, I've posted here as your question was the closest to what I needed and now I've worked it out, I wanted to share.

In Debian 11/Bullseye the package that you want to install is squid-openssl (Squid v4.x compiled --with-openssl).

apt install -y squid-openssl

Then set up the (self-signed) trusted CA cert:

CERT_D=/etc/squid/cert
CERT=$CERT_D/squid_proxyCA.pem
rm -rf $CERT
mkdir -p $CERT_D
# Generate local self-signed CA certificate/key (in the same file)
openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -keyout $CERT -out $CERT
chown -R proxy:proxy $CERT_D
chmod 0400 $CERT

# add squid_proxyCA cert to system so it's trusted by default
CA_CERT_D=/usr/local/share/ca-certificates
# NOTE: this wipes every locally added CA under this directory, not just an
# old squid_proxyCA.crt; drop the rm if other local CAs live here
rm -rf $CA_CERT_D/*
mkdir -p $CA_CERT_D
openssl x509 -inform PEM -in $CERT -out $CA_CERT_D/squid_proxyCA.crt
update-ca-certificates

Configure squid to generate certs on the fly:

/usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB
chown -R proxy:proxy /var/spool/squid

Then this is my /etc/squid/squid.conf (note it's pretty minimalist and only accepts connections from localhost and only listens on IPv4):

acl SSL_ports port 443

acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports

acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access allow purge localhost
http_access deny purge

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost
http_access deny all

http_port 127.0.0.1:3128 ssl-bump cert=/etc/squid/cert/squid_proxyCA.pem generate-host-certificates=on options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,SINGLE_DH_USE,SINGLE_ECDH_USE
ssl_bump bump all

coredump_dir /var/spool/squid
logfile_rotate 0

refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .       0   20% 4320

cache_dir ufs /var/spool/squid 200 16 256

Finally, restart squid:

systemctl reload squid

One other thing worth mentioning is that the proxy URL of http://127.0.0.1:3028 should be used for both the http_proxy, and the https_proxy (note the http - no s; even when used as an https proxy). If/when used with https, Squid will upgrade the connection to use TLS/SSL.

  • Thanks for your reply and contribution -- it's valuable. Commented Nov 27, 2021 at 0:01
  • You're welcome Richard. Thanks for your suggested edit, but I rejected it as your suggested changes were stylistic rather than substantive (i.e. what's there works, changing a directory name and exporting the vars make no functional difference). Commented Dec 1, 2022 at 22:04
  • @Compholio: Your edit summary comment says «squid certificates are in "certs", not "cert"». This sounds like a general, global pronouncement, like “configuration files are in /etc, not /etcetera” or “typically, programs are in /bin, not /been.” But that’s not what you’re saying, is it?  … (Cont’d) Commented Dec 3, 2022 at 9:33
  • @Compholio - thanks for your persistence. I found one place where I inadvertently used '/etc/squid/certs' (rather than '/etc/squid/cert'). Hopefully it should be good now!? Commented Dec 5, 2022 at 18:57
  • @JeremyDavis Yup, that works too. Thanks so much for the answer, it saved me a lot of time! Commented Dec 6, 2022 at 6:33

# apt-get install openssl
# mkdir -p /etc/squid/cert
# cd /etc/squid/cert
# openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
# openssl x509 -in myCA.pem -outform DER -out myCA.der
# chown -R proxy:proxy /etc/squid/cert
# chmod 700 /etc/squid/cert

# /usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB
# chown -R proxy:proxy /var/spool/squid/ssl_db/

And in squid.conf:

https_port 3129 intercept ssl-bump cert=/etc/squid/cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
ssl_bump peek all
ssl_bump splice all

And for interception:

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to 192.168.1.51:3129
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j REDIRECT --to-port 3129

(Here br0 is my internal network.)

Here is a command to see the most commonly cached domains. The SSL ones appear as blanks.

awk 'BEGIN {FS="[ ]+"}; {print $7}' < /var/log/squid/access.log | awk 'BEGIN {FS="/"}; {print $3}' | sort | uniq -c | sort -k1,1nr -k2,2 | head
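An added example, not from the answer above: a version of the same access.log summary that keeps the TLS entries instead of printing them as blanks, by handling the "CONNECT host:443" form that spliced connections are logged with alongside the "https://host/path" form of bumped ones, and counting per host how many entries were tunnels and how many were cache hits. It assumes Squid's default native log format (URL in field 7, result code in field 4) and runs on a constructed sample log.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes Squid's native
# access.log format; the sample lines below are constructed.

# top_domains LOGFILE -> "count host tunneled=N hits=N", busiest host first
top_domains() {
    awk '{
        host = $7
        sub("^[a-z]+://", "", host)   # strip http:// or https:// (bumped requests)
        sub("[/?].*$", "", host)      # drop path and query string
        sub(":[0-9]+$", "", host)     # drop :443 from CONNECT targets (spliced)
        if (host == "") host = "(unparsed)"
        count[host]++
        if ($4 ~ "^TCP_TUNNEL/") tunneled[host]++   # spliced: opaque to the cache
        if ($4 ~ "_HIT/") hits[host]++              # served from cache
    }
    END {
        for (h in count)
            printf "%d %s tunneled=%d hits=%d\n", count[h], h, tunneled[h]+0, hits[h]+0
    }' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample log: two spliced TLS tunnels, one bumped HTTPS GET, and a
# plain-HTTP page fetched twice (the second time from cache). TEST-NET addresses.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
1602086400.123    245 192.168.1.20 TCP_TUNNEL/200 3456 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.10 -
1602086401.456     12 192.168.1.20 TCP_MISS/200 5120 GET http://www.example.org/index.html - HIER_DIRECT/203.0.113.11 text/html
1602086402.789      8 192.168.1.21 TCP_MEM_HIT/200 5120 GET http://www.example.org/index.html - HIER_NONE/- text/html
1602086403.012    301 192.168.1.21 TCP_TUNNEL/200 9876 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.10 -
1602086404.345     40 192.168.1.22 TCP_MISS/200 2048 GET https://www.example.com/logo.png - HIER_DIRECT/203.0.113.10 image/png
EOF

top_domains "$SAMPLE_LOG"
# On a live proxy: top_domains /var/log/squid/access.log | head
```

Hosts that only ever appear with tunneled equal to their count are spliced-only traffic, which the cache cannot see into at all.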

Don't bother; it's a waste of time:

  • Strictly speaking, it's a man-in-the-middle attack, and
  • the number of cache hits is minuscule (I suspect that the browser cache is already doing a good job of stuff like the Google logo).

  • These days, Squid is typically used for logging and/or domain whitelisting. Caching is just a nice bonus. Commented Nov 2, 2022 at 0:05
