Squid 4.4 https_port and ssl-bump : Fatal bungled line

Hello,

I'm contacting you for some help.
I need to deploy a secure proxy based on Squid.

I try to use https_port combined with sslbump. I get an error message about a bungled line.

The reasons I want to do this:
- secure connection between the client browser and the proxy server, so using https_port to do it: encrypted traffic in TLS between the client and the server.
- secure login connection. So I need to use https_port to do this. Otherwise, if I use http_port, the login/password can be read on the network.
- Do ssl inspection of the traffic going through the proxy


What I have done with success:
- https_port without sslbump (traffic between the browser and the client is encrypted. The login/password can't be read on the network)
- ssl-bump on http_port. The ssl inspection is working ... but the connection between the browser and the proxy service is not encrypted

But I can't get 'https_port 3129 ssl-bump' working.
FATAL: ssl-bump on https_port requires tproxy/intercept which is missing.
FATAL: Bungled squid.conf line 49: https_port 3129 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB tls-cert=/etc/squid/squid-cert.pem options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/etc/squid/dhparam.pem

Is there something I have misunderstood, or am doing wrong?
 
I have generated the certificate and CA with openssl:
* openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout squid-cert.pem -out squid-cert.pem
* openssl x509 -in squid-cert.pem -outform DER -out squid-CA-browser.der
* openssl dhparam -outform PEM -out dhparam.pem 2048

Squid version: 4.4 from EPEL on CentOS 8 with '--enable-ssl' '--enable-ssl-crtd' '--with-openssl'

Squid configuration as follows:
===============================================================
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/htpasswd
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl localnet src 0.0.0.1-0.255.255.255
acl localnet src 192.168.0.0/24

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

#squid mgmt interface access
http_access allow localhost manager
http_access deny manager

acl auth_users proxy_auth REQUIRED
http_access allow auth_users

http_access allow localnet
http_access allow localhost

#squid mgmt interface access
http_access allow localhost manager
http_access deny manager

#http_access deny to_localhost
http_access deny all

##Many Tests here :
#http_port 3128 ssl-bump cert=/etc/squid/squid-cert.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
#http_port 3128 ssl-bump tls-cert=/etc/squid/squid-cert.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

#http_port 3128 ssl-bump cert=/etc/squid/squid-cert.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

#https_port 3129 cert=/etc/squid/squid-cert.pem
#https_port 3129 tls-cert=/etc/squid/squid-cert.pem

https_port 3129 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB tls-cert=/etc/squid/squid-cert.pem options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/etc/squid/dhparam.pem

sslcrtd_program /usr/lib64/squid/security_file_certgen

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all



tls_outgoing_options min-version=1.0 cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

#LOGS: two options. Sends the logs directly
access_log daemon:/var/log/squid/access.log squid
#access_log tcp://[ip]:[port] squid
access_log syslog:local0.info squid
cache_log /var/log/squid/cache.log rotate=10

#Cache
cache_mem 512 MB
cache_dir ufs /var/spool/squid 10000 16 256
coredump_dir /var/spool/squid
===============================================================

Thank you in advance !

Regards,

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
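As an added example (not from the post and not Squid's own code), a small pre-flight check in Python that applies the rule stated in the FATAL message above to a squid.conf before it is handed to `squid -k parse`: an https_port line that carries ssl-bump must also carry intercept or tproxy, while ssl-bump on http_port is accepted as-is. The sample config text is constructed from the port lines in the post.

```python
"""Pre-flight check for the https_port / ssl-bump combination from the post.

Mirrors the check behind Squid 4.4's message
"ssl-bump on https_port requires tproxy/intercept which is missing".
"""

# Constructed sample: the post's active https_port line, one commented-out
# variant, an http_port ssl-bump line, and a correctly flagged intercept port.
SAMPLE_CONF = """\
http_access deny all
#https_port 3129 tls-cert=/etc/squid/squid-cert.pem
https_port 3129 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB tls-cert=/etc/squid/squid-cert.pem options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/etc/squid/dhparam.pem
http_port 3128 ssl-bump tls-cert=/etc/squid/squid-cert.pem generate-host-certificates=on
https_port 3130 intercept ssl-bump tls-cert=/etc/squid/squid-cert.pem
"""

# Listening modes that make ssl-bump legal on an https_port in Squid 4.
MODE_FLAGS = {"intercept", "tproxy"}


def parse_ports(conf_text):
    """Yield (line_no, directive, port, options) for each active *_port line.

    Comments ('#' to end of line) and blank lines are skipped; options are
    returned as a set of whitespace-separated tokens, e.g. 'ssl-bump' or
    'tls-cert=/etc/squid/squid-cert.pem'.
    """
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] in ("http_port", "https_port") and len(parts) >= 2:
            yield n, parts[0], parts[1], set(parts[2:])


def check_bump_ports(conf_text):
    """Return [(line_no, message), ...] for port lines Squid 4.4 would reject."""
    findings = []
    for n, directive, port, opts in parse_ports(conf_text):
        if directive == "https_port" and "ssl-bump" in opts and not (opts & MODE_FLAGS):
            findings.append((n, f"https_port {port}: ssl-bump requires intercept or tproxy"))
    return findings


if __name__ == "__main__":
    for line_no, msg in check_bump_ports(SAMPLE_CONF):
        print(f"line {line_no}: {msg}")
```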
