aeon mike guide transparent ssl filtering


Upload: conrad-cruz

Post on 15-Jul-2015


TRANSCRIPT

Page 1: Aeon mike guide transparent ssl filtering

AEONMike Guide – SQUID 3.3 SSLBUMP under Debian

#Michael Cabalin http://www.PH-LWUG.org

Pinoy Linux : http://www.facebook.com/groups/117595725078450/

#Install Debian OS

#apt-get install build-essential gcc make

#wget https://launchpad.net/squid/3.3/3.3.0.3/+download/squid-3.3.0.3.tar.gz

#tar xvf squid-3.3.0.3.tar.gz

#cd squid-3.3.0.3

./configure --enable-icap-client --enable-ssl

make

make install

(--enable-ssl is the Squid 3.3 name of the OpenSSL build option; SSL bump is not available in a build without it, and the Debian squid3 package is built without it, which is why this guide compiles from source.)

Generate a self-signed CA certificate

• Self-signed certificate (PEM format). Squid signs the per-site certificates it generates for bumped connections with this one, so it must be a CA certificate; with the stock openssl.cnf, "req -x509" emits one (basicConstraints CA:TRUE). The original command used rsa:1024, which is below current minimums; use 2048. The key and certificate are written to the paths the squid.conf below refers to (create the directories first and keep private/ readable by the Squid user only; -nodes leaves the key unencrypted so Squid can load it at start-up):

openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout /etc/squid/ssl_cert/private/your.company.com.pem -out /etc/squid/ssl_cert/your.company.com.pem

• If needed, convert the certificate to DER so it can be imported into browsers as a trusted root CA (otherwise every bumped site produces a certificate warning):

openssl x509 -in /etc/squid/ssl_cert/your.company.com.pem -outform DER -out your.company.com.der

Onto the actual Squid configuration. Edit squid.conf (with the default configure prefix it is /usr/local/squid/etc/squid.conf; adjust if your build puts it elsewhere) to show the following:

always_direct allow all

ssl_bump allow all

http_port 192.9.200.32:3128 intercept

#the below should be placed on a single line

https_port 192.9.200.32:3129 intercept ssl-bump cert=/etc/squid/ssl_cert/your.company.com.pem key=/etc/squid/ssl_cert/private/your.company.com.pem

Note that "intercept" is the current name of the "transparent" port option; Squid 3.3 still accepts the old spelling but warns about it. Likewise "ssl_bump allow" is the pre-3.2 spelling of "ssl_bump client-first"; "server-first" is the safer mode, because Squid then connects to the origin server and validates its certificate before generating one for the client. You may need to change "cert=" and "key=" to point to the correct files in your environment, and of course you will need to change the IP address.

The first directive (always_direct) is needed because of SslBump. Squid handles intercepted and bumped requests the way it handles reverse-proxy (accelerator) requests, and since no cache_peer or origin server is configured it cannot pick a next hop; in cache.log you would see "failed to select source for". "always_direct allow all" instructs the proxy to go straight to the origin server named in the request instead. More details on this here:

http://www.squid-cache.org/Doc/config/always_direct/

The second directive (ssl_bump allow all) instructs the proxy to bump every SSL connection; it can be narrowed with ACLs so that only chosen destinations are intercepted (see the example at the end). Server certificate checking is a separate directive: by default Squid refuses to bump a connection whose server certificate fails validation, and "sslproxy_cert_error allow <acl>" creates exceptions for specific destinations. Keep such exceptions narrow; a blanket exception (or "sslproxy_flags DONT_VERIFY_PEER") means clients can no longer tell a forged upstream from the real one, because the only certificate they ever see is the proxy's. More details on this here:

http://wiki.squid-cache.org/Features/SslBump

Start squid and check for any errors ("squid -k parse" reports configuration errors without starting the proxy). If no errors are reported, run:

netstat -nap | grep 3129

to make sure the proxy is listening. Next, configure iptables on the gateway to perform destination NAT, basically to redirect the clients' traffic to the proxy (each rule on a single line):

iptables -t nat -A PREROUTING -i eth0 ! -s 192.9.200.32 -p tcp --dport 80 -j DNAT --to-destination 192.9.200.32:3128

iptables -t nat -A PREROUTING -i eth0 ! -s 192.9.200.32 -p tcp --dport 443 -j DNAT --to-destination 192.9.200.32:3129

The "! -s 192.9.200.32" exclusion matters when the proxy sits on the LAN behind the router: without it, the proxy's own outgoing connections to ports 80 and 443 are DNATed back to the proxy in a loop.

Last thing to be done is to either place the proxy physically in line with the traffic or to redirect the traffic to the proxy using a router, as above. Keep in mind that the proxy opens the upstream connections from its own IP address. In other words, by default the origin server does not see the client IP (Squid's "tproxy" port mode, which needs TPROXY support in the kernel and iptables, is the way to preserve it).

That was it in my case. I did try to implement something similar to the above but using explicit mode. This was my squid.conf file; note that only one port is needed for both HTTP and HTTPS, since HTTPS is tunneled over HTTP using the CONNECT method:


always_direct allow all

ssl_bump allow all

#the below should be placed on a single line

http_port 8080 ssl-bump cert=/etc/squid/ssl_cert/proxy.testdomain.deCert.pem key=/etc/squid/ssl_cert/private/proxy.testdomain.deKey_without_Pp.pem

SSL Filtering example SQUID.Conf

• Squid configuration (squid.conf) :

I post here only important parts.

acl …

acl …

# you must have CONNECT acl

acl CONNECT method CONNECT

acl metrobank dstdomain www.metrobank.com.ph

acl securitybank dstdomain www.securitybank.com.ph

# maybe not in the future, but we need this :

always_direct allow all

# permissions sections (allow / deny)

http_access allow…

http_access allow…


http_access allow…

http_access deny …

http_access deny …

http_access deny …

# some sites need this (accept their invalid server certificate); keep the
# exception list narrow, since clients can no longer see the bad certificate:

sslproxy_cert_error allow metrobank

# leave this commented out: it disables upstream certificate validation for
# every bumped site

#sslproxy_flags DONT_VERIFY_PEER

# ssl_bump means that you want to intercept (MITM) this SSL connection

ssl_bump allow metrobank

ssl_bump allow securitybank

# and we don’t want to intercept others SSL sites :

ssl_bump deny all

# with the bumped requests visible, http_access now applies to HTTPS URLs too; the baseline rules:

http_access allow localnet

http_access allow localhost

http_access deny all

# tell Squid you want to intercept SSL on this explicit port

# /!\ this rule set relies on dstdomain, which needs the hostname from the
# client's CONNECT request; on an intercept port Squid 3.3 only knows the
# destination IP, so DON'T write 'intercept' (new name for 'transparent') here

# no key= is given, so the private key must be in the same PEM file as the cert

http_port 3128 ssl-bump cert=/path/to/your/self-signed/cert/www.yourcompany.com.pem
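The two rule sets on this page ("ssl_bump allow all" on the intercept ports of the first configuration, and the dstdomain-scoped rules just above) are evaluated the same way: Squid walks the lines in order, and the first line whose ACLs all match decides. The model below, added here as an example and not Squid's own code, reproduces that evaluation in Python so the consequences can be checked offline: a dstdomain value without a leading dot matches only that exact host, a leading dot matches the domain and its subdomains, and on an intercept port Squid 3.3 sees only the destination IP, so dstdomain rules there depend on a reverse lookup. The ACL names and ssl_bump lines are the page's; the localnet/localhost definitions (Squid's stock RFC 1918 and loopback ranges), the banks_all ACL, the IP addresses and the reverse-DNS table are assumptions constructed for the example.

```python
"""Model of Squid's first-match ACL evaluation for ssl_bump and http_access.
Added example, not Squid code. ACL names and the SSL_BUMP/HTTP_ACCESS rule
lists mirror this page; the localnet/localhost ranges, 'banks_all', the IPs
and the reverse-DNS table are constructed assumptions."""

import ipaddress

ACLS = {
    "CONNECT":      ("method",    ["CONNECT"]),
    "metrobank":    ("dstdomain", ["www.metrobank.com.ph"]),
    "securitybank": ("dstdomain", ["www.securitybank.com.ph"]),
    # Assumed ACL for contrast: a leading dot matches the domain and subdomains.
    "banks_all":    ("dstdomain", [".metrobank.com.ph", ".securitybank.com.ph"]),
    # Assumed: the stock squid.conf definitions of localnet and localhost.
    "localnet":     ("src", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    "localhost":    ("src", ["127.0.0.1/32", "::1/128"]),
    "all":          ("any", []),
}

# Rule lines as (action, [acl names]); every ACL on a line must match.
SSL_BUMP_BANKS = [("allow", ["metrobank"]), ("allow", ["securitybank"]), ("deny", ["all"])]
SSL_BUMP_ALL = [("allow", ["all"])]          # the intercept configuration on page 1
HTTP_ACCESS = [("allow", ["localnet"]), ("allow", ["localhost"]), ("deny", ["all"])]


def dstdomain_match(pattern, host):
    """Squid dstdomain: '.foo.com' matches foo.com and any subdomain;
    'www.foo.com' (no leading dot) matches that one host only."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def acl_matches(name, req, rdns):
    kind, values = ACLS[name]
    if kind == "any":
        return True
    if kind == "method":
        return req["method"] in values
    if kind == "src":
        src = ipaddress.ip_address(req["src"])
        return any(src in ipaddress.ip_network(net) for net in values)
    if kind == "dstdomain":
        host = req["host"]
        if is_ip(host):
            # Intercepted HTTPS on Squid 3.3: the fake CONNECT carries only the
            # destination IP, so dstdomain can match only via a reverse lookup.
            host = rdns.get(host)
            if host is None:
                return False
        return any(dstdomain_match(p, host) for p in values)
    raise ValueError("unknown acl type: " + kind)


def first_match(rules, req, rdns=None, default=None):
    """First line whose ACLs all match wins; a '!' prefix negates an ACL.
    No match: 'default' if given, otherwise the opposite of the last line's
    action (Squid's http_access fallback)."""
    rdns = rdns or {}
    for action, acl_names in rules:
        if all(acl_matches(n.lstrip("!"), req, rdns) != n.startswith("!")
               for n in acl_names):
            return action
    if default is not None:
        return default
    return "deny" if rules[-1][0] == "allow" else "allow"


def bump_decision(rules, target, rdns=None):
    """target: the hostname from an explicit CONNECT, or the bare destination
    IP an intercepted connection is known by. Unmatched ssl_bump lines fall
    back to deny (no bump, plain tunnel)."""
    req = {"method": "CONNECT", "host": target}
    return first_match(rules, req, rdns, default="deny")


def access_decision(rules, src_ip):
    return first_match(rules, {"method": "GET", "host": "", "src": src_ip})


if __name__ == "__main__":
    RDNS = {"203.0.113.10": "www.metrobank.com.ph"}   # constructed sample
    cases = [
        ("explicit CONNECT www.metrobank.com.ph",
         bump_decision(SSL_BUMP_BANKS, "www.metrobank.com.ph")),
        ("explicit CONNECT online.metrobank.com.ph",
         bump_decision(SSL_BUMP_BANKS, "online.metrobank.com.ph")),
        ("same host, leading-dot ACL",
         bump_decision([("allow", ["banks_all"]), ("deny", ["all"])], "online.metrobank.com.ph")),
        ("intercepted 203.0.113.10, no reverse DNS", bump_decision(SSL_BUMP_BANKS, "203.0.113.10")),
        ("intercepted 203.0.113.10, reverse DNS known", bump_decision(SSL_BUMP_BANKS, "203.0.113.10", RDNS)),
        ("intercepted, page-1 rules", bump_decision(SSL_BUMP_ALL, "203.0.113.10")),
        ("http_access from 192.168.1.5", access_decision(HTTP_ACCESS, "192.168.1.5")),
        ("http_access from 203.0.113.7", access_decision(HTTP_ACCESS, "203.0.113.7")),
    ]
    for label, decision in cases:
        print(f"{label:45} -> {decision}")
```

Run it as a script to print the decisions. The fallback in first_match is why "http_access deny all" belongs at the end of the list: without an explicit final line, Squid's default is the opposite of whatever line happens to come last, so a rule set ending in "deny localnet" silently allows everything else.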