4

Debian 10 with squid working as a transparent proxy. Now want to add SSL.

# apt-get install openssl
# mkdir -p /etc/squid/cert
# cd /etc/squid/cert
# openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
# openssl x509 -in myCA.pem -outform DER -out myCA.der

# iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to 192.168.1.51:3129    # either this rule or the next one is enough: DNAT is a terminating target, so the REDIRECT rule below is never reached
# iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j REDIRECT --to-port 3129
# iptables-save > /etc/iptables/rules.v4

Question 1: Now what I read says that next I need to

/usr/lib/squid/security_file_certgen -c -s /var/cache/squid/ssl_db -M 4MB

however I cannot find security_file_certgen on my system.

Question 2: If I now proceed anyway to add in squid.conf:

https_port 3129 intercept ssl-bump cert=/etc/squid/cert/myCA.pem generate-host-certificates=on

then squid fails to start:

2020/10/07 14:09:27| FATAL: Unknown https_port option 'ssl-bump'.
2020/10/07 14:09:27| FATAL: Bungled /etc/squid/squid.conf line 5: https_port 3129 int
2020/10/07 14:09:27| Squid Cache (Version 4.6): Terminated abnormally.
CPU Usage: 0.017 seconds = 0.017 user + 0.000 sys
Maximum Resident Size: 57792 KB
Page faults with physical i/o: 0
FATAL: Bungled /etc/squid/squid.conf line 5: https_port 3129 intercept ssl-bump cert=
squid.service: Control process exited, code=exited, status=1/FAILURE
squid.service: Failed with result 'exit-code'.
Failed to start Squid Web Proxy Server.

I notice that squid -v contains neither --enable-ssl-crtd nor --with-openssl, but I don't understand what to do about this.

Update

All of the guides on the Internet at the time of writing are obsolete because ssl-bump (https://wiki.squid-cache.org/Features/SslBump) has been replaced with server-first (https://wiki.squid-cache.org/Features/BumpSslServerFirst), and server-first has been replaced with peek-n-splice (https://wiki.squid-cache.org/Features/SslPeekAndSplice).

I was hoping this, which I got from https://serverfault.com/questions/743483/transparent-http-https-domain-filtering-proxy, might work:

https_port 3129 intercept ssl-bump
ssl_bump peek all
ssl_bump splice all

but no:

2020/10/08 09:57:49| FATAL: Unknown https_port option 'ssl-bump'.
2020/10/08 09:57:49| FATAL: Bungled /etc/squid/squid.conf line 6: https_port 3129 int
2020/10/08 09:57:49| Squid Cache (Version 4.6): Terminated abnormally.
CPU Usage: 0.017 seconds = 0.008 user + 0.008 sys
Maximum Resident Size: 57152 KB
Page faults with physical i/o: 0
FATAL: Bungled /etc/squid/squid.conf line 6: https_port 3129 intercept ssl-bump
squid.service: Control process exited, code=exited, status=1/FAILURE
squid.service: Failed with result 'exit-code'.
Failed to start Squid Web Proxy Server.

Update: compiling squid with SSL

# cd ~
# mkdir squid-build
# cd squid-build
# apt-get install openssh-server net-tools
# apt-get install openssl devscripts build-essential fakeroot libdbi-perl libssl-dev   # libssl1.0-dev
# apt-get install dpkg-dev
# apt-get source squid
# apt-get build-dep squid
# cd squid-4.6/
# vi debian/rules
# dpkg-source --commit

In debian/rules file add to DEB_CONFIGURE_EXTRA_FLAGS the flags:

--with-default-user=proxy \
--enable-ssl \
--enable-ssl-crtd \
--with-openssl \
--disable-ipv6

...and build...

# debuild -us -uc

...and install...

# cd ..
# pwd 
/root/squid-build
# mv squid3*.deb squid3.deb.NotIncluded
# dpkg -i *.deb

However, still no ssl_crtd.

Has it been renamed to security_file_certgen ? (https://bugzilla.redhat.com/show_bug.cgi?id=1397644)

Update: compiled squid

Got squid compiled and running for HTTP but don't know what to do for HTTPS -- and nor apparently does anyone else. Is it impossible? It seems to be something to do with certificates and squid.conf.

Richard Barraclough

3 Answers

3

This isn't a direct answer to your question as I'm just using squid as a local caching proxy. Regardless, I've posted here as your question was the closest to what I needed, and now that I've worked it out I wanted to share.

In Debian 11/Bullseye the package that you want to install is squid-openssl (Squid v4.x compiled --with-openssl).

apt install -y squid-openssl

Then set up the (self-signed) trusted CA cert:

CERT_D=/etc/squid/cert
CERT=$CERT_D/squid_proxyCA.pem
rm -rf $CERT
mkdir -p $CERT_D
# Generate local self-signed CA certificate/key (in the same file)
openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -keyout $CERT -out $CERT
chown -R proxy:proxy $CERT_D
chmod 0400 $CERT

# add squid_proxyCA cert to system so it's trusted by default
CA_CERT_D=/usr/local/share/ca-certificates
# NB: this also deletes any other locally added CA certs under $CA_CERT_D
rm -rf $CA_CERT_D/*
mkdir -p $CA_CERT_D
openssl x509 -inform PEM -in $CERT -out $CA_CERT_D/squid_proxyCA.crt
update-ca-certificates

Configure squid to generate certs on the fly:

/usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB
chown -R proxy:proxy /var/spool/squid

Then this is my /etc/squid/squid.conf (note it's pretty minimalist and only accepts connections from localhost and only listens on IPv4):

acl SSL_ports port 443

acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports

acl purge method PURGE
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access allow purge localhost
http_access deny purge

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost
http_access deny all

http_port 127.0.0.1:3128 ssl-bump cert=/etc/squid/cert/squid_proxyCA.pem generate-host-certificates=on options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,SINGLE_DH_USE,SINGLE_ECDH_USE
ssl_bump bump all

coredump_dir /var/spool/squid
logfile_rotate 0

refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .       0   20% 4320

cache_dir ufs /var/spool/squid 200 16 256

Finally, restart squid:

systemctl reload squid

One other thing worth mentioning is that the proxy URL of http://127.0.0.1:3128 should be used for both the http_proxy and the https_proxy (note the http - no s; even when used as an https proxy). If/when used with https, Squid will upgrade the connection to use TLS/SSL.

Jeremy Davis
  • Thanks for your reply and contribution -- it's valuable. – Richard Barraclough Nov 27 '21 at 00:01
  • You're welcome Richard. Thanks for your suggested edit, but I rejected it as your suggested changes were stylistic rather than substantive (i.e. what's there works, changing a directory name and exporting the vars make no functional difference). – Jeremy Davis Dec 01 '22 at 22:04
  • @Compholio: Your edit summary comment says «squid certificates are in "certs", not "cert"». This sounds like a general, global pronouncement, like “configuration files are in `/etc`, not `/etcetera`” or “typically, programs are in `/bin`, not `/been`.” But that’s not what you’re saying, is it?  … (Cont’d) – G-Man Says 'Reinstate Monica' Dec 03 '22 at 09:33
  • (Cont’d) …  Jeremy Davis (the author of the above answer) says “changing a directory name … make[s] no functional difference.” and “your suggested changes were stylistic rather than substantive”. To verify his claim, I found [Create Self-Signed Root CA Certificate](https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Features.2FDynamicSslCert.line-8 "in page “ConfigExamples / Intercept / SslBumpExplicit”, part of the “Squid Web Proxy Wiki” (https://wiki.squid-cache.org/)"), which uses ```/etc/squid/ssl_cert``` and says “(the exact location is not important)”. – G-Man Says 'Reinstate Monica' Dec 03 '22 at 09:33
  • Jeremy Davis: (1) The edit was suggested by user Compholio, not Richard Barraclough.  (A couple of years ago, Stack Exchange, as part of ‘‘We Hate our Users’’ campaign, made Suggested Edits harder to read.)  (2) Compholio’s suggested edit may have been about the fact that your answer runs ``openssl`` with  `-out $CERT` (where `$CERT` is `$CERT_D/squid_proxyCA.pem` and `CERT_D` is `/etc/squid/` ***`cert`*** `/`, so `$CERT` is`/etc/squid/` ***`cert`*** `//squid_proxyCA.pem`) but your `/etc/squid/squid.conf` says `cert=/etc/squid/` ***`certs`*** `//squid_proxyCA.pem`  … (Cont’d) – G-Man Says 'Reinstate Monica' Dec 03 '22 at 09:35
  • (Cont’d) …  (i.e., they don’t match).  (3) As a general scripting advice, if you have a directory name in `$DR` and a plain filename in `$FL`, it’s better to combine them (to form a complete pathname) as `$DR//$FL` rather than `$DR/$FL`.  This is because, if `$DR` is `/` and `$FL` is `tophat`, then `$DR/$FL` becomes `//tophat`, and pathnames beginning with `//` may behave unexpectedly.  (Pathnames beginning with `///` are OK; the `///` is treated as a single `/`.)  Obviously this is not an issue in your script, but it’s good practice to get into good habits. – G-Man Says 'Reinstate Monica' Dec 03 '22 at 09:35
  • Yes, my suggested edit was to fix that one part of the answer used `cert` (where to put the file) and the other part used `certs` (where to find the file) and if you follow the directions exactly (as I did) then you will get an error that squid cannot find the file. Your answer was very helpful though, and would be perfect if the directory matched between the two parts. – Compholio Dec 04 '22 at 14:33
  • @G-ManSays'ReinstateMonica' - thanks for your input. I've had a closer look and I removed the trailing slash from the CERT_D declaration (avoiding double slash later). – Jeremy Davis Dec 05 '22 at 18:56
  • @Compholio - thanks for your persistence. I found one place where I inadvertently used '/etc/squid/certs' (rather than '/etc/squid/cert'). Hopefully it should be good now!? – Jeremy Davis Dec 05 '22 at 18:57
  • @JeremyDavis Yup, that works too. Thanks so much for the answer, it saved me a lot of time! – Compholio Dec 06 '22 at 06:33
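The following is an added example, not code from the answer above or from the Squid project. It covers both halves of this thread: the preflight check the question was missing (is this squid actually built --with-openssl and --enable-ssl-crtd, which is what "Unknown https_port option 'ssl-bump'" and the missing security_file_certgen both mean), and the CA setup above done with explicit CA extensions in its own config file rather than whatever the system openssl.cnf supplies, verified before it is staged for Squid and for the client trust store. It writes everything under a temporary directory so it runs unprivileged; for a real deployment point CERT_D at /etc/squid/cert, chown it to proxy, and stage into /usr/local/share/ca-certificates followed by update-ca-certificates. The two squid -v samples fed to the preflight check are constructed; WORK, CERT_D, preflight, make_ca, verify_ca and stage_trust are this example's own names.

```shell
#!/bin/sh
# Added example: preflight + CA generation for Squid SSL-bump (not the answer's script).
set -eu
WORK=$(mktemp -d)            # scratch dir; a real install uses /etc/squid/cert
trap 'rm -rf "$WORK"' EXIT
CERT_D="$WORK/cert"

preflight() {
  # $1: output of `squid -v`. Squid only understands the ssl-bump port option when
  # built --with-openssl, and only ships security_file_certgen with --enable-ssl-crtd.
  # Debian's plain "squid" package has neither; Debian 11's "squid-openssl" has both.
  case "$1" in
    *--with-openssl*) ;;
    *) echo "squid not built --with-openssl (Debian 11: apt install squid-openssl)" >&2; return 1 ;;
  esac
  case "$1" in
    *--enable-ssl-crtd*) return 0 ;;
    *) echo "squid built without --enable-ssl-crtd: no security_file_certgen helper" >&2; return 1 ;;
  esac
}

make_ca() {
  # $1: output dir. Writes ca.key, ca.crt, ca.pem (key+cert, what Squid's cert= reads)
  # and ca.der (for importing into browsers/Windows). Names are this example's choice.
  dir=$1
  mkdir -p "$dir"
  chmod 700 "$dir"
  # Own config so the CA extensions do not depend on the system openssl.cnf:
  # without basicConstraints CA:TRUE, clients reject every forged host cert.
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = squid-bump-ca
O = example-lan
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # -nodes: Squid reads the key unattended, so it cannot be passphrase protected.
  openssl req -new -x509 -newkey rsa:4096 -sha256 -days 365 -nodes \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  cat "$dir/ca.key" "$dir/ca.crt" > "$dir/ca.pem"
  openssl x509 -in "$dir/ca.crt" -outform DER -out "$dir/ca.der"
  chmod 600 "$dir/ca.key" "$dir/ca.pem"   # chown to the proxy user on a real install
}

verify_ca() {
  # Fail unless the cert is a CA, may sign certificates, and verifies against itself.
  text=$(openssl x509 -in "$1/ca.crt" -noout -text)
  case "$text" in *"CA:TRUE"*) ;; *) return 1 ;; esac
  case "$text" in *"Certificate Sign"*) ;; *) return 1 ;; esac
  openssl verify -CAfile "$1/ca.crt" "$1/ca.crt" >/dev/null 2>&1
}

stage_trust() {
  # $1: CA dir, $2: ca-certificates local dir (/usr/local/share/ca-certificates on
  # Debian, then run update-ca-certificates). Only the certificate is copied, never the key.
  mkdir -p "$2"
  openssl x509 -in "$1/ca.crt" -out "$2/squid-bump-ca.crt"
}

# Check the real squid if one is installed (non-fatal here).
if command -v squid >/dev/null 2>&1; then preflight "$(squid -v)" || true; fi
make_ca "$CERT_D"
verify_ca "$CERT_D"
stage_trust "$CERT_D" "$WORK/ca-certificates"
echo "CA ready in $CERT_D"
```

Use ca.pem as the `cert=` argument of the `http_port`/`https_port` line and ship only ca.crt or ca.der to clients; a copy of ca.pem on a client would let anyone holding it impersonate every HTTPS site for that client. Note also that the CA is only used to sign anything when the `ssl_bump` rules end in `bump`; a `peek`/`splice` configuration passes TLS through untouched.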
0
# apt-get install openssl
# mkdir -p /etc/squid/cert
# cd /etc/squid/cert
# openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
# openssl x509 -in myCA.pem -outform DER -out myCA.der
# chown -R proxy:proxy /etc/squid/cert
# chmod 700 /etc/squid/cert

# /usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB
# chown -R proxy:proxy /var/spool/squid/ssl_db/

And in squid.conf:

https_port 3129 intercept ssl-bump cert=/etc/squid/cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# peek then splice: TLS is passed through untouched, so nothing is decrypted or cached
# and the CA above never signs a certificate
ssl_bump peek all
ssl_bump splice all

And for interception:

iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to 192.168.1.51:3129    # either this rule or the next one is enough: DNAT is a terminating target, so the REDIRECT rule is never reached
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j REDIRECT --to-port 3129

(Here br0 is my internal network.)

Here is a command to see the most commonly cached domains. The SSL ones appear as blanks.

awk 'BEGIN {FS="[ ]+"}; {print $7}' < /var/log/squid/access.log | awk 'BEGIN {FS="/"}; {print $3}' | sort | uniq -c |sort -k1,1nr -k2,2 | head
Richard Barraclough
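The blanks that the log command above produces for HTTPS are a direct consequence of the peek/splice configuration: spliced TLS is logged as a CONNECT to host:port with no path, so splitting the URL on "/" yields nothing, whereas bumped TLS is logged as an ordinary request with an https:// URL. The following is an added example, not part of the answer, that counts domains per handling mode (spliced, bumped, plain HTTP) so the two cases are visible side by side. The access.log lines are constructed (documentation IP ranges) and squid_domains is this example's own name.

```shell
#!/bin/sh
# Added example (not the answer's command): count cached domains per TLS handling mode.
# Default Squid log format fields:
#   time elapsed client code/status bytes method URL ident hierarchy/peer type
set -e
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
# Constructed sample access.log: two bumped and one spliced hit on www.example.com,
# two spliced hits on login.example.net, one plain HTTP hit on deb.debian.org.
cat > "$LOG" <<'EOF'
1602000000.100    120 192.168.1.20 TCP_TUNNEL/200 4523 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.10 -
1602000001.200     80 192.168.1.20 TCP_MISS/200 1234 GET https://www.example.com/index.html - HIER_DIRECT/203.0.113.10 text/html
1602000002.300     60 192.168.1.20 TCP_MISS/200 2048 GET https://www.example.com/logo.png - HIER_DIRECT/203.0.113.10 image/png
1602000003.400     50 192.168.1.21 TCP_HIT/200 800 GET http://deb.debian.org/debian/dists/buster/Release - HIER_NONE/- text/plain
1602000004.500    200 192.168.1.21 TCP_TUNNEL/200 9000 CONNECT login.example.net:443 - HIER_DIRECT/198.51.100.7 -
1602000005.600    190 192.168.1.22 TCP_TUNNEL/200 7000 CONNECT login.example.net:443 - HIER_DIRECT/198.51.100.7 -
EOF

squid_domains() {
  # $1: path to access.log. Prints "count mode domain", most frequent first.
  awk '
    $6 == "CONNECT" {                     # spliced/tunnelled TLS: URL is host:port, no path
      host = $7; sub(/:[0-9]+$/, "", host); mode = "spliced"
    }
    $7 ~ /^https?:\/\// {                 # bumped TLS (https://) or plain HTTP (http://)
      split($7, p, "/"); host = p[3]; sub(/:[0-9]+$/, "", host)
      mode = ($7 ~ /^https:/) ? "bumped" : "plain"
    }
    host != "" { count[mode " " host]++; host = "" }
    END { for (k in count) print count[k], k }
  ' "$1" | LC_ALL=C sort -k1,1nr -k2,2 -k3,3
}

squid_domains "$LOG"
```

Run it against /var/log/squid/access.log on the proxy; with the answer's `peek`/`splice` rules every HTTPS domain will show up as spliced, which is also why those entries never produce cache hits.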
-2

Don't bother; it's a waste of time:

  • Strictly speaking it's a man in the middle attack, and
  • the number of cache hits is minuscule (I suspect that the browser cache is already doing a good job of stuff like the Google logo).
Richard Barraclough
  • These days, Squid is typically used for logging and/or domain whitelisting. Caching is just a nice bonus. – John Heyer Nov 02 '22 at 00:05