3

Squid 3 with SSL Bumping and Dynamic Certificates generation

0 Flares Filament.io 0 Flares ×

This document guide you how to configure squid with SSL Bumping with Dynamic Certificates generation on Debian 7.

First download Squid 3.4 source code from the official site and extract it

wget http://www.squid-cache.org/Versions/v3/3.4/squid-3.4.10.tar.gz
tar -zxvf squid-3.4.10.tar.gz

Install required packages.

apt-get install build-essential libssl-dev

cd to squid-3.4.10 folder configure it.

./configure --prefix=/usr/local/squid --enable-icap-client --enable-ssl --enable-ssl-crtd --with-default-user=squid

Now compile and install it.

make all
make install

Once install create a new user and own squid’s logs file directory.

useradd squid
chown -R squid:squid /usr/local/squid/var/logs/

Before starting squid create the swap directories.

/usr/local/squid/sbin/squid -z

Now start the squid process

/usr/local/squid/sbin/squid

If there is any issue debug it.

/usr/local/squid/sbin/squid -k parse
/usr/local/squid/sbin/squid -NCd1

Now you should have squid running on 3128 port and in order for SSL bumping and dynamic certificates generation you have to create your own CA (certificate Authority).

mkdir /usr/local/squid/ssl_cert
cd /usr/local/squid/ssl_cert
openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem

Now we need to modify squid.conf, open it and make below changes.

http_port 3128 transparent
always_direct allow all
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5

Now we need to perform few more steps for above.

mkdir /usr/local/squid/var/lib
/usr/local/squid/libexec/ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db -M 4MB
chown -R squid:squid /usr/local/squid/var/lib/ssl_db/

Restart squid with ‘/usr/local/squid/sbin/squid -NCd1‘. You should be able to see something like below in the end.

Accepting NAT intercepted HTTP Socket connections at local=[::]:3128 remote=[::] FD 18 flags=41
2014/12/13 13:41:54| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=[::]:3127 remote=[::] FD 19 flags=41

If all good so far your squid configuration is completed but you need few more steps in order to use it transparently.

Enable IP Forwarding

echo "1" > /proc/sys/net/ipv4/ip_forward

Configure iptables to accept and forward connections to squid.

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127
iptables -I INPUT -p tcp -m tcp --dport 3127 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 3128 -j ACCEPT

Now you need to point your client gateway to squid box and install the CA certificate in your browser’s certificate store to avoid certificate warnings.

0 Flares Twitter 0 Facebook 0 LinkedIn 0 Google+ 0 Filament.io 0 Flares ×

3 Comments

  1. Additional notes about this:
    groupadd squid
    useradd squid -g squid -d /usr/local/squid -s /usr/sbin/nologin
    chown -R squid:squid /usr/local/squid/var/cache

Leave a Reply

Your email address will not be published. Required fields are marked *