
[Picture: browser security notification for https / ssl]
This experiment continues the previous post and makes the transparent proxy handle https / ssl as well. Start from "How to make Squid 3.1.23 as Tproxy (Transparent Proxy) in Centos 6.4": do steps 1 and 2 there (install shorewall and install the dhcp server), then continue with the steps below.

Install openssl
yum install openssl openssl-devel
cd /etc/squid/
openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout myconfigure.pem -out myconfigure.pem
You will then be asked for the information for your certificate request. Just press Enter at each prompt to leave the field blank.
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Install Squid
In this experiment I use squid version 3.3.5 to make the transparent proxy. When configuring squid 3.3.5, make sure the options --enable-icap-client and --enable-ssl are present.
cd /usr/local/squid-3.3.5
./configure --prefix=/usr --exec-prefix=/usr --bindir=/usr/sbin --sbindir=/usr/sbin --sysconfdir=/etc/squid --datadir=/usr/share/squid --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/lib/squid --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --x-includes=/usr/include --x-libraries=/usr/lib --enable-shared=yes --enable-static=no --enable-carp --enable-storeio=aufs,ufs --enable-removal-policies=heap,lru --disable-icmp --disable-delay-pools --disable-esi --enable-icap-client --enable-useragent-log --enable-referer-log --disable-wccp --enable-wccpv2 --disable-kill-parent-hack --enable-snmp --enable-cachemgr-hostname=localhost --enable-arp-acl --disable-htcp --disable-forw-via-db --enable-follow-x-forwarded-for --enable-cache-digests --disable-poll --enable-epoll --enable-linux-netfilter --disable-ident-lookups --enable-default-hostsfile=/etc/hosts --with-default-user=squid --with-large-files --enable-mit=/usr --with-logdir=/var/log/squid --enable-http-violations --enable-zph-qos --with-filedescriptors=65536 --enable-gnuregex --enable-async-io=64 --with-aufs-threads=64 --with-pthreads --with-aio --enable-default-err-languages=English --enable-err-languages=English --disable-hostname-checks --enable-underscores --enable-ssl ; make; make install

useradd squid
touch /etc/squid/noway
cd /etc/squid/
mkdir swap
chown squid:squid /etc/squid/swap
mkdir /cache
chown squid:squid /cache
chown -Rf squid:squid /var/log/squid/
cd /etc/squid/
mv squid.conf squid.conf.old
vim squid.conf

For the squid configuration, take it from http://myconfigure.blogspot.com/2013/03/squid-332-328-example-squidconf.html. Then look through squid.conf again; some variables must be changed. Make sure the variables below are present.
acl bamboe src 192.168.10.0/24
http_port 3128
http_port 3127 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid/myconfigure.pem key=/etc/squid/myconfigure.pem
ssl_bump allow all
always_direct allow all
Update:
If you get an error like the one below,
SECURITY NOTICE: auto-converting deprecated "ssl_bump allow <acl>" to "ssl_bump client-first <acl>" which is usually inferior to the newer server-first bumping mode. Update your ssl_bump rules. 
fix it by changing
ssl_bump allow all 
to
ssl_bump client-first all

vim /etc/init.d/squid
chmod 755 /etc/init.d/squid
chkconfig --add  squid
chkconfig  --level 235 squid on
squid -z
/etc/init.d/squid start

Reconfigure shorewall.
Remember, I assume you have installed shorewall, as I asked at the beginning (step 1 of "How to make Squid 3.1.23 as Tproxy (Transparent Proxy) in Centos 6.4"). Now we just need to reconfigure shorewall as below.
rules
REDIRECT        loc     3127    tcp     www     -
REDIRECT        loc     3129    tcp     443     -

Because my squid version is 3.3.x and I just want to make a Transparent Proxy, not Tproxy, remove the contents of the files providers and tcrules in the shorewall configuration folder. Make sure both files are empty.
Done. After the restart, from a user computer try to browse any https site (Yahoo mail, Google mail, or Facebook), for example https://mail.google.com or https://www.facebook.com. If you can connect to the https site and you get a security notification like the picture above, that means squid has been configured successfully with the ssl_bump option as a transparent ssl proxy: traffic headed to port 443 / https now has to go through the squid proxy to reach its destination. You can see which users are actively accessing the internet through the proxy with the command:
tail -f /var/log/squid/access.log
1369742866.442    710 192.168.10.200 TCP_MISS/200 503 GET https://mail.google.com/mail/channel/test? - HIER_DIRECT/173.194.38.182 text/plain
1369742866.468    772 192.168.10.200 TCP_MISS/200 3890 POST https://mail.google.com/mail/? - HIER_DIRECT/173.194.38.182 text/javascript
1369742867.154    619 192.168.10.200 TCP_MISS/200 1737 POST https://mail.google.com/mail/? - HIER_DIRECT/173.194.38.182 text/javascript
1369742867.838    652 192.168.10.200 TCP_MISS/200 1441 POST https://mail.google.com/mail/? - HIER_DIRECT/173.194.38.182 text/javascript
1369742868.695    820 192.168.10.200 TCP_MISS/200 6918 POST https://mail.google.com/mail/? - HIER_DIRECT/173.194.38.182 text/javascript
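The access.log output above is in Squid's native log format. As an added example (not from the original post and not part of the Squid project), here is a small Python script that parses lines in that format and summarises them per client, so you can see who is using the proxy and how many of their requests were bumped HTTPS requests (a full https:// URL in the log) rather than connections squid only tunnelled (a CONNECT line with just host:port). The five lines from the post are embedded as input; the two extra lines for client 192.168.10.201, including the 203.0.113.10 peer address and the TCP_TUNNEL CONNECT entry, are constructed for the example.

```python
"""Summarise Squid native access.log lines per client.

Added example, not code from the original post. It reads the native
log format shown by `tail -f /var/log/squid/access.log` and groups the
requests by client address, counting how many were bumped HTTPS.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Sample input: the five lines from the post, plus two constructed lines
# for a second client (203.0.113.10 is a documentation address).
SAMPLE_LOG = """\
1369742866.442    710 192.168.10.200 TCP_MISS/200 503 GET https://mail.google.com/mail/channel/test? - HIER_DIRECT/173.194.38.182 text/plain
1369742866.468    772 192.168.10.200 TCP_MISS/200 3890 POST https://mail.google.com/mail/? - HIER_DIRECT/173.194.38.182 text/javascript
1369742867.154    619 192.168.10.200 TCP_MISS/200 1737 POST https://mail.google.com/mail/? - HIER_DIRECT/173.194.38.182 text/javascript
1369742867.838    652 192.168.10.200 TCP_MISS/200 1441 POST https://mail.google.com/mail/? - HIER_DIRECT/173.194.38.182 text/javascript
1369742868.695    820 192.168.10.200 TCP_MISS/200 6918 POST https://mail.google.com/mail/? - HIER_DIRECT/173.194.38.182 text/javascript
1369742870.115    301 192.168.10.201 TCP_TUNNEL/200 3425 CONNECT www.facebook.com:443 - HIER_DIRECT/203.0.113.10 -
1369742871.020     95 192.168.10.201 TCP_MISS/200 1209 GET http://www.facebook.com/ - HIER_DIRECT/203.0.113.10 text/html
"""

# Native format fields:
# time elapsed client result/status bytes method URL user hierarchy/peer content-type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


def host_of(method, url):
    """Host name of a request; CONNECT lines carry host:port, not a URL."""
    if method == "CONNECT" or "://" not in url:
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname


def parse_line(line):
    """Parse one native-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["elapsed"] = int(rec["elapsed"])
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"])
    rec["time"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
    rec["host"] = host_of(rec["method"], rec["url"])
    # A full https:// URL means the TLS was bumped and squid logged the
    # request inside it; a bare CONNECT means it only tunnelled the bytes.
    rec["bumped"] = rec["url"].startswith("https://") and rec["method"] != "CONNECT"
    return rec


def summarize(log_text):
    """Per-client totals: requests, bytes, bumped HTTPS requests, distinct hosts.

    Returns (summary_dict, number_of_unparsed_lines).
    """
    summary = defaultdict(lambda: {"requests": 0, "bytes": 0, "bumped": 0, "hosts": set()})
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        s = summary[rec["client"]]
        s["requests"] += 1
        s["bytes"] += rec["size"]
        s["bumped"] += int(rec["bumped"])
        s["hosts"].add(rec["host"])
    return dict(summary), skipped


if __name__ == "__main__":
    per_client, bad = summarize(SAMPLE_LOG)
    for client, s in sorted(per_client.items()):
        print(f"{client}: {s['requests']} requests, {s['bytes']} bytes, "
              f"{s['bumped']} bumped HTTPS, hosts={sorted(s['hosts'])}")
    if bad:
        print(f"{bad} unparsed line(s)")
```

To run it on the real file, replace SAMPLE_LOG with the contents of /var/log/squid/access.log (the logformat must still be squid's native one, as in the post). If the bumped count stays at zero while users report the certificate warning, the requests are being tunnelled rather than bumped, which points at the ssl_bump rules.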

Note.
For Squid versions 3.1 and 3.2 the same steps should also work without problems. I was just starting to experiment with making a transparent https / ssl proxy. There is probably much less configuration to it, and less security. Please let me know if there is a better option.

Reference
http://wiki.squid-cache.org/Features/DynamicSslCert. I edited some variables according to my experiments.
