Hi,

I've set up a transparent HTTP+HTTPS proxy on my server running CentOS 7, using Squid. Here's my configuration file.

--8<----------------------------------------------------------------
# /etc/squid/squid.conf

# Definitions
acl localnet src 192.168.2.0/24
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Access rules
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all

# Proxy ports
http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump \
  cert=/etc/squid/ssl_cert/nestor.microlinux.lan.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Location of ssl_crtd and of the TLS certificate cache
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

# SSL-Bump
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Size of the in-memory cache
cache_mem 2048 MB

# Location and size of the on-disk cache
# cache_dir ufs /var/spool/squid 100 16 256

# Core dump location
coredump_dir /var/spool/squid

# Lifetime of files without an expiry date
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
--8<----------------------------------------------------------------

First, I tested the configuration in permissive mode, where it works perfectly. After running it a while, I get the following SELinux alert.
# sealert -a /var/log/audit/audit.log

***** Plugin catchall (17.1 confidence) suggests *****

If you believe that ssl_crtd should be allowed read access on the index.txt file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'ssl_crtd' --raw | audit2allow -M my-sslcrtd
# semodule -i my-sslcrtd.pp

Unfortunately the suggested solution doesn't work, because the problem reappears, and I get all sorts of errors in /var/log/squid/cache.log, all due to ssl_crtd not being able to access stuff under /var/lib/ssl_db.

Any idea how I can solve this problem permanently?

Cheers,

Niki

--
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Site: https://www.microlinux.fr
Blog: https://blog.microlinux.fr
Mail: info@xxxxxxxxxxxxx
Tel.: 04 66 63 10 32

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
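An added triage script (not part of Niki's post, nor Squid or SELinux tooling) that groups the raw AVC records behind a sealert summary like the one above, so you can see whether ssl_crtd is being denied on a generic file type (which points at /var/lib/ssl_db sitting outside the paths the squid policy labels, where a relabel is the durable fix) or on a policy-specific type (a genuine policy gap, where the audit2allow module is the documented route). The audit records, their target contexts and the GENERIC_TYPES heuristic are my own constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not from the original post, which quotes
# only the sealert summary); the target contexts are illustrative.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1520000001.100:201): avc:  denied  { read } for  pid=2101 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=1001 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1520000001.100:201): arch=c000003e syscall=2 success=no exit=-13 pid=2101 comm="ssl_crtd" exe="/usr/lib64/squid/ssl_crtd"
type=AVC msg=audit(1520000001.200:202): avc:  denied  { write add_name } for  pid=2101 comm="ssl_crtd" name="ssl_db" dev="dm-0" ino=1000 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1520000001.300:203): avc:  denied  { read } for  pid=2101 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=1001 scontext=system_u:system_r:squid_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1520000001.400:204): avc:  denied  { getattr } for  pid=1900 comm="httpd" path="/srv/www" dev="dm-0" ino=2000 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0
"""

# Generic types a directory inherits when no file-context rule matches its path
# (heuristic list); a confined domain denied on these is usually a labelling problem.
GENERIC_TYPES = {"var_lib_t", "var_t", "default_t", "usr_t", "etc_t", "file_t", "unlabeled_t"}

def parse_avc(line):
    """Return the relevant fields of one AVC denial record, or None for other records."""
    if not line.startswith("type=AVC") or " denied " not in line:
        return None
    perms = set(re.search(r"denied\s+\{ ([^}]+)\}", line).group(1).split())
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return {"perms": perms, "comm": fields.get("comm"),
            "target": fields.get("path") or fields.get("name"),
            "sdomain": fields["scontext"].split(":")[2],   # e.g. squid_t
            "ttype": fields["tcontext"].split(":")[2],     # e.g. var_lib_t
            "tclass": fields.get("tclass")}

def summarize_denials(log_text, comm):
    """Group the denials of one process name by (source domain, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "targets": set(), "count": 0})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["comm"] != comm:
            continue
        g = groups[(rec["sdomain"], rec["ttype"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["targets"].add(rec["target"])
        g["count"] += 1
    return dict(groups)

def classify(groups):
    """'relabel' when the target carries a generic type, 'policy' otherwise."""
    return {key: ("relabel" if key[1] in GENERIC_TYPES else "policy") for key in groups}
```

Run it against `ausearch -m AVC --raw` output instead of the sample to triage a real host; a group classified "relabel" is the case where a local allow module only papers over the mislabelled directory, which is why the denials come back.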