Hi,
I use OpenBSD 6.7 with Squid 4.12.
I want to filter HTTP and HTTPS websites, so I'm trying to use SSL
bumping.
But unfortunately, my configuration doesn't work. I'll explain what I did:
The host is named proxy.lab.local.
I generated the certificate like this:
cd /etc/squid
openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -keyout squid.pem -out squid.pem
openssl x509 -in /etc/squid/squid.pem -outform DER -out /etc/squid/browser.der
chown _squid:_squid *.pem
Then I ran Squid with: squid -z && rcctl start squid
No errors.
I installed browser.der on my Windows 10 laptop (and added the proxy),
but I can't access any webpage.
I tried the following tests (curl) on the Squid server:
proxy# curl --proxy http://127.0.0.1:3128 https://www.google.com
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
proxy# curl --proxy http://127.0.0.1:3128 --cacert /etc/squid/squid.pem -l https://www.google.com
curl: (35) error:1401E410:SSL routines:CONNECT_CR_FINISHED:sslv3 alert handshake failure
Can you help me troubleshoot this issue?
Thank you very much.
Below is my configuration:
proxy# squid -v
Squid Cache: Version 4.12
Service Name: squid
This binary uses LibreSSL 3.1.1. For legal restrictions on distribution
see https://www.openssl.org/source/license.html
configure options: '--disable-strict-error-checking'
'--disable-arch-native' '--datadir=/usr/local/share/squid'
'--libexecdir=/usr/local/libexec/squid' '--disable-loadable-modules'
'--enable-arp-acl' '--enable-auth' '--enable-delay-pools'
'--enable-digest' '--enable-follow-x-forwarded-for'
'--enable-forw-via-db' '--enable-http-violations' '--enable-icap-client'
'--enable-ipv6' '--enable-referer-log' '--enable-removal-policies=lru
heap' '--enable-ssl' '--enable-ssl-crtd' '--with-openssl'
'--enable-storeio=aufs ufs diskd' '--with-default-user=_squid'
'--with-filedescriptors=8192' '--with-krb5-config=no'
'--with-pidfile=/var/run/squid.pid' '--with-pthreads'
'--with-swapdir=/var/squid/cache' '--disable-pf-transparent'
'--enable-ipfw-transparent' '--enable-external-acl-helpers=SQL_session
file_userip time_quota unix_group wbinfo_group LDAP_group
eDirectory_userip' '--prefix=/usr/local' '--sysconfdir=/etc/squid'
'--mandir=/usr/local/man' '--infodir=/usr/local/info'
'--localstatedir=/var/squid' '--disable-silent-rules'
'--disable-gtk-doc' 'CC=cc' 'CFLAGS=-O2 -pipe'
'LDFLAGS=-L/usr/local/lib' 'CPPFLAGS=-I/usr/local/include' 'CXX=c++'
'CXXFLAGS=-O2 -pipe'
proxy# cat /etc/squid/squid.conf
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
acl bad_urls urlpath_regex -i "/etc/squid/bad_urls"
acl bad_domains dstdomain "/etc/squid/bad_domains"
http_access deny bad_urls
http_access deny bad_domains
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128 ssl-bump \
cert=/etc/squid/squid.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=8MB
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_db -M 8MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslcrtd_children 5
sslproxy_cert_sign signTrusted
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/squid/cache 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_mgr support@lab.local
# EOF
Cheers,
Eric
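The certificate steps from the post, as an added example that is not part of the original message: the same key-plus-cert layout (squid.pem and browser.der), but with the CA extensions written out explicitly and a check that the resulting file can actually sign the per-host certificates Squid generates, run before anything is exported to a browser. CA_DIR, CA_CN and the file names under CA_DIR are assumed names; only openssl(1) is required.

```shell
#!/bin/sh
# Added example, not from the post: build the ssl-bump CA with explicit CA
# extensions and verify it before exporting browser.der. Assumes openssl(1)
# is on PATH; CA_DIR (default: a temp dir) and CA_CN are assumed names.
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"
CA_CN="${CA_CN:-proxy.lab.local}"

# Explicit v3 CA extensions, so the result does not depend on the system
# openssl.cnf having x509_extensions = v3_ca in its [req] section.
write_ca_cnf() {
  cat > "$CA_DIR/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $CA_CN
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Same layout as the post: key + cert in squid.pem, DER copy for the browser.
gen_bump_ca() {
  write_ca_cnf
  openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 \
    -config "$CA_DIR/ca.cnf" -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
  cat "$CA_DIR/ca.key" "$CA_DIR/ca.crt" > "$CA_DIR/squid.pem"
  openssl x509 -in "$CA_DIR/squid.pem" -outform DER -out "$CA_DIR/browser.der"
}

# Succeeds only if $1 can sign the per-host certificates Squid generates:
# CA:TRUE, keyCertSign, and a private key that matches the certificate.
# A file missing any of these imports into the browser store without complaint
# but never validates a bumped connection.
check_bump_ca() {
  txt=$(openssl x509 -in "$1" -noout -text)
  echo "$txt" | grep -q 'CA:TRUE' || { echo "no basicConstraints CA:TRUE" >&2; return 1; }
  echo "$txt" | grep -q 'Certificate Sign' || { echo "no keyUsage keyCertSign" >&2; return 1; }
  [ "$(openssl x509 -in "$1" -noout -modulus)" = "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" ] \
    || { echo "private key does not match certificate" >&2; return 1; }
}

gen_bump_ca
check_bump_ca "$CA_DIR/squid.pem" && echo "OK: $CA_DIR/squid.pem is usable as a bump CA"
```

Run it on the proxy with CA_DIR=/etc/squid to produce the files in place; the check is also worth rerunning after any chown or edit of squid.pem, since Squid needs both the key and the certificate from that one file.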
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users