I have compiled and installed Squid 4.11-3 with SSL and CRTD on Debian 10, and here is my configuration -
##### SQUID.CONF SNAPSHOT (START) ######
# Manual connection on 3128
http_port 3128
# Standard intercept
http_port 3129 intercept
# intercept & bump SSL connections
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/squid-ca-cert-key.pem dhparams=/usr/local/etc/squid/certs/dhparam.pem
sslcrtd_children 5
tls_outgoing_options cafile=/etc/ssl/certs/ca-certificates.crt
tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
acl foreignProtocol squid_error ERR_PROTOCOL_UNKNOWN ERR_TOO_BIG
acl serverTalksFirstProtocol squid_error ERR_REQUEST_START_TIMEOUT
on_unsupported_protocol tunnel foreignProtocol
on_unsupported_protocol tunnel serverTalksFirstProtocol
on_unsupported_protocol tunnel all
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
#acl noBumpSites ssl::server_name_regex -i "/etc/squid/url.nobump"
acl noBumpSites ssl::server_name .app.seesaw.me .schoology.com .dropbox.com
ssl_bump peek step1 all
ssl_bump peek step2 noBumpSites
ssl_bump splice step3 noBumpSites
ssl_bump stare step2
ssl_bump bump step3
##### CONFIG SNAPSHOT (END) ######
I created the certificates by doing the following -
openssl dhparam -outform PEM -out dhparam.pem 2048
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout squid-ca-key.pem -out squid-ca-cert.pem
cat squid-ca-cert.pem squid-ca-key.pem >> squid-ca-cert-key.pem
chown proxy:proxy /etc/squid/ssl/dhparam.pem
chown proxy:proxy /etc/squid/ssl/squid-ca-key.pem
chmod 400 dhparam.pem
chmod 400 squid-ca-key.pem
/usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB
chown -R proxy:proxy /etc/squid/ssl
chown -R proxy:proxy /var/spool/squid/ssl_db
openssl x509 -hash -fingerprint -noout -in /etc/ssl/certs/ca-certificates.crt
### for my firewall, I issued this
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -s 192.168.10.0/24 -j ACCEPT
iptables -A INPUT -j ACCEPT -p tcp --dport 3128 -m comment --comment "squid http proxy"
iptables -A INPUT -j ACCEPT -p tcp --dport 3129 -m comment --comment "squid http proxy (intercept)"
iptables -A INPUT -j ACCEPT -p tcp --dport 3130 -m comment --comment "squid https proxy (intercept)"
iptables -t nat -A PREROUTING -m iprange --src-range 192.168.10.8-192.168.10.30 -p tcp --dport 80 -m comment --comment "transparent http proxy" -j DNAT --to-destination 192.168.10.8:3129
iptables -t nat -A PREROUTING -m iprange --src-range 192.168.10.8-192.168.10.30 -p tcp --dport 443 -m comment --comment "transparent https proxy" -j DNAT --to-destination 192.168.10.8:3130
### I can browse https on laptops BUT when I use iOS or Android devices, I get errors with this -
1589083941.053 1 192.168.10.15 NONE_ABORTED/200 0 CONNECT 157.240.18.35:443 - HIER_NONE/- -
1589083941.072 4 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083941.205 5 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083941.860 32 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.232.0:443 - HIER_NONE/- -
1589083941.862 4 192.168.10.10 NONE_ABORTED/200 0 CONNECT 54.239.27.116:443 - HIER_NONE/- -
1589083941.864 38 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083941.983 5 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083942.642 20 192.168.10.10 NONE_ABORTED/200 0 CONNECT 54.239.27.116:443 - HIER_NONE/- -
1589083942.645 48 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
What am I doing wrong? I read everything about ssl bump, etc. with these links
- https://wiki.squid-cache.org/Features/SslPeekAndSplice
- https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
If anyone can point out to me what's wrong with my squid.conf configuration or can provide me with a working squid.conf for ssl_bump, I will be indebted to you.
Thanks.
Jeremy
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
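As an added example (not part of Jeremy's post and not Squid's own tooling), here is a small Python triage script for access.log records in Squid's native format. It parses each line, counts per client how many CONNECT requests were logged as NONE_ABORTED with zero bytes, and lists the clients for which every CONNECT ended that way. The sample input is the log lines quoted above plus one constructed line (client 192.168.10.20, upstream 203.0.113.10) standing in for a laptop whose bumped request went through; the regex assumes the default native log format, and the function names are my own.

```python
"""Triage Squid access.log lines for clients whose bumped CONNECTs all abort."""
import re
from collections import defaultdict

# Squid native access.log format (one record per line):
# <ts> <duration_ms> <client> <result>/<status> <bytes> <method> <url> <user> <hier>/<peer> <content-type>
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<dur>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Sample input: the mobile-client lines from the post, plus one CONSTRUCTED line
# (client 192.168.10.20, peer 203.0.113.10) for a laptop whose bumped GET succeeded.
SAMPLE_LOG = """\
1589083941.053 1 192.168.10.15 NONE_ABORTED/200 0 CONNECT 157.240.18.35:443 - HIER_NONE/- -
1589083941.072 4 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083941.205 5 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083941.860 32 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.232.0:443 - HIER_NONE/- -
1589083941.862 4 192.168.10.10 NONE_ABORTED/200 0 CONNECT 54.239.27.116:443 - HIER_NONE/- -
1589083941.864 38 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083941.983 5 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083942.642 20 192.168.10.10 NONE_ABORTED/200 0 CONNECT 54.239.27.116:443 - HIER_NONE/- -
1589083942.645 48 192.168.10.10 NONE_ABORTED/200 0 CONNECT 52.94.224.113:443 - HIER_NONE/- -
1589083943.100 215 192.168.10.20 TCP_MISS/200 5123 GET https://example.com/ - HIER_DIRECT/203.0.113.10 text/html
"""


def parse_line(line):
    """Return a dict for one native-format record, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dur"] = int(rec["dur"])
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_aborted_connect(rec):
    """True for a CONNECT that was torn down before any payload was relayed.

    NONE_ABORTED with 0 bytes means the tunnel never carried data; with ssl_bump
    active this is the trace left when the client closes the TLS handshake early.
    """
    return rec["method"] == "CONNECT" and rec["result"] == "NONE_ABORTED" and rec["bytes"] == 0


def summarize(lines):
    """Per-client counts: total CONNECTs, aborted zero-byte CONNECTs, other requests, targets."""
    stats = defaultdict(lambda: {"connect": 0, "aborted": 0, "other": 0, "targets": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or non-native lines rather than failing the whole run
        s = stats[rec["client"]]
        if rec["method"] == "CONNECT":
            s["connect"] += 1
            if is_aborted_connect(rec):
                s["aborted"] += 1
                s["targets"].add(rec["url"])
        else:
            s["other"] += 1
    return dict(stats)


def suspect_clients(lines, min_connects=2):
    """Clients with at least min_connects CONNECTs, every one of them an aborted zero-byte tunnel."""
    out = []
    for client, s in summarize(lines).items():
        if s["connect"] >= min_connects and s["aborted"] == s["connect"]:
            out.append(client)
    return sorted(out)


if __name__ == "__main__":
    for client, s in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{client}: connect={s['connect']} aborted={s['aborted']} other={s['other']}")
    print("all-CONNECTs-aborted:", suspect_clients(SAMPLE_LOG.splitlines()))
```

Run it against a real access.log with `summarize(open("/var/log/squid/access.log"))`. A client that shows up in `suspect_clients` while other clients on the same proxy complete bumped requests is the pattern you would expect when that device does not trust the generated certificate and drops the handshake; it does not prove that on its own, so pair it with the matching cache.log entries before changing the ssl_bump rules.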