Hello,
I'm contacting you for some help.
I need to deploy a secure proxy based on Squid.
I am trying to use https_port combined with ssl-bump. I get an error message about a bungled line.
The reasons I want to do this:
- a secure connection between the client browser and the proxy server, so using https_port to do it: traffic encrypted with TLS between the client and the server.
- a secure login. So I need to use https_port for this; otherwise, if I use http_port, the login/password can be read on the network.
- SSL inspection of the traffic going through the proxy.
What I have done with success:
- https_port without ssl-bump (traffic between the browser and the proxy is encrypted; the login/password can't be read on the network).
- ssl-bump on http_port. The SSL inspection is working ... but the connection between the browser and the proxy service is not encrypted.
But I can't get 'https_port 3129 ssl-bump' working.
FATAL: ssl-bump on https_port requires tproxy/intercept which is missing.
FATAL: Bungled squid.conf line 49: https_port 3129 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB tls-cert=/etc/squid/squid-cert.pem options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/etc/squid/dhparam.pem
Is there something I have misunderstood, or am I doing something wrong?
I have generated the certificate and CA with openssl:
* openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout squid-cert.pem -out squid-cert.pem
* openssl x509 -in squid-cert.pem -outform DER -out squid-CA-browser.der
* openssl dhparam -outform PEM -out dhparam.pem 2048
Squid version: 4.4 from EPEL on CentOS 8, built with '--enable-ssl' '--enable-ssl-crtd' '--with-openssl'
Squid configuration as follows:
===============================================================
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/htpasswd
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl localnet src 0.0.0.1-0.255.255.255
acl localnet src 192.168.0.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#squid mgmt interface access
http_access allow localhost manager
http_access deny manager
acl auth_users proxy_auth REQUIRED
http_access allow auth_users
http_access allow localnet
http_access allow localhost
#squid mgmt interface access
http_access allow localhost manager
http_access deny manager
#http_access deny to_localhost
http_access deny all
##Many Tests here :
#http_port 3128 ssl-bump cert=/etc/squid/squid-cert.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
#http_port 3128 ssl-bump tls-cert=/etc/squid/squid-cert.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
#http_port 3128 ssl-bump cert=/etc/squid/squid-cert.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
#https_port 3129 cert=/etc/squid/squid-cert.pem
#https_port 3129 tls-cert=/etc/squid/squid-cert.pem
https_port 3129 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB tls-cert=/etc/squid/squid-cert.pem options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/etc/squid/dhparam.pem
sslcrtd_program /usr/lib64/squid/security_file_certgen
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
tls_outgoing_options min-version=1.0 cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
#LOGS: two options. Sends the logs directly
access_log daemon:/var/log/squid/access.log squid
#access_log tcp://[ip]:[port] squid
access_log syslog:local0.info squid
cache_log /var/log/squid/cache.log rotate=10
#Cache
cache_mem 512 MB
cache_dir ufs /var/spool/squid 10000 16 256
coredump_dir /var/spool/squid
===============================================================
Thank you in advance!
Regards,
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
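Added example, not part of the post above and not Squid's own tooling: a small POSIX shell script that creates the TLS material the same way the post's openssl commands do (CA key and certificate in one PEM, plus a DH group) and then checks it before `tls-cert=` / `tls-dh=` are pointed at it. Whatever listener layout the build ends up allowing (the quoted FATAL says this Squid 4.4 only accepts ssl-bump on https_port together with tproxy/intercept), both legs need the same thing: a real CA certificate with its matching private key for `generate-host-certificates=on`, and a valid, large enough DH group. The file names, the `/CN=...` subject and the 2048-bit minimum are assumptions chosen to match the post; `openssl` must be on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): generate and sanity-check the
# TLS material a Squid https_port / ssl-bump setup needs. Requires openssl.
set -eu

# Create a self-signed CA with key and certificate in ONE PEM file, exactly as
# the post's "openssl req ... -keyout squid-cert.pem -out squid-cert.pem" does
# (openssl appends the certificate when -keyout and -out name the same file).
# -subj is added so it runs non-interactively; the subject is an assumed value.
gen_squid_ca() {
    pem="$1"
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
        -subj "/CN=Squid proxy CA (example)" \
        -keyout "$pem" -out "$pem" >/dev/null 2>&1
}

# Check that a combined PEM is usable for generate-host-certificates=on:
#   1. it holds a certificate flagged as a CA (basicConstraints CA:TRUE);
#      without that Squid's mimic certificates are not signed by a CA and
#      browsers that imported it still refuse them;
#   2. it also holds the private key that matches that certificate;
#   3. the certificate is currently valid.
check_squid_ca() {
    pem="$1"
    openssl x509 -in "$pem" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || {
        echo "FAIL: $pem is not a CA certificate (no basicConstraints CA:TRUE)" >&2
        return 1
    }
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null || true)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: $pem has no private key, or it does not match the certificate" >&2
        return 1
    }
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "FAIL: the certificate in $pem is expired" >&2
        return 1
    }
    echo "OK: $pem holds a CA certificate and its matching private key"
}

# Check a tls-dh= file: the parameters must pass openssl's own prime/generator
# checks and the modulus must be at least $2 bits (default 2048; the post uses
# "openssl dhparam ... 2048", and 1024-bit groups are below modern minimums).
check_squid_dh() {
    dh="$1"; min_bits="${2:-2048}"
    openssl dhparam -in "$dh" -check -noout >/dev/null 2>&1 || {
        echo "FAIL: $dh is not a valid DH parameter file" >&2
        return 1
    }
    bits=$(openssl dhparam -in "$dh" -noout -text 2>/dev/null \
           | sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ "$bits" -ge "$min_bits" ] || {
        echo "FAIL: $dh is ${bits:-?} bits, need at least $min_bits" >&2
        return 1
    }
    echo "OK: $dh is a valid $bits-bit DH group"
}

# Usage: sh squid-tls-check.sh /etc/squid
# Checks the files the post's squid.conf refers to (assumed names/paths).
if [ -n "${1:-}" ]; then
    check_squid_ca "$1/squid-cert.pem"
    check_squid_dh "$1/dhparam.pem"
fi
```

Once the files pass, test the encrypted client leg from another host with `openssl s_client -connect proxy:3129 -CAfile squid-cert.pem` (the handshake must complete and show the CA you generated) and with `curl --proxy https://proxy:3129 --proxy-cacert squid-cert.pem -U user:pass https://example.com`; curl has supported HTTPS proxies since 7.52.0. One caveat on the posted `http_access` order: `http_access allow auth_users` is followed by `http_access allow localnet`, and Squid stops at the first matching rule, so a client inside 192.168.0.0/24 that sends no Proxy-Authorization header fails the first rule and is simply allowed by the second, never challenged. If the password is meant to gate access, put `http_access deny !auth_users` ahead of the allow lines.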