[squid-users] Unable to Proxy https traffic using squid

crmanik crmanik at gmail.com
Thu Apr 7 00:31:22 UTC 2016


Hi,

  I'm trying to intercept and proxy https traffic using squid 3.5.15 running
on a Linux machine [Ubuntu], which is configured as a router. However,
with the squid configuration below, the browsers on the client machine are able to
identify that there is a "man in the middle" and never give me an option to
accept the certificate generated by squid. Can someone please review the
configuration and let me know what I'm missing:

cat squid.conf

sslcrtd_program /home/crmanik/squid/squid-3.5.15-20160330-r14015/libexec/ssl_crtd -s /home/crmanik/tmp/squid/ssl_db -M 4MB
http_port 3128
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/home/crmanik/tmp/squid/certs/server.key cert=/home/crmanik/tmp/squid/certs/server.crt


acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
### New config ends
sslproxy_capath /etc/ssl/certs
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

access_log /home/crmanik/tmp/squid/log/access.log
cache_log  /home/crmanik/tmp/squid/log/cache.log
cache_store_log /home/crmanik/tmp/squid/log/store.log
logfile_rotate 0

===============================================
Squid Compile Options:

Squid Cache: Version 3.5.15-20160330-r14015
Service Name: squid
configure options:  '--disable-dependency-tracking' '--disable-silent-rules'
'--enable-inline' '--enable-async-io=8' '--enable-follow-x-forwarded-for'
'--enable-linux-netfilter' 'CFLAGS=-g -O2 -fPIE -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Wformat-security
-Werror=format-security' 'LDFLAGS=-Wl,-Bsymbolic-functions -fPIE -pie
-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2
-fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security
-Werror=format-security' '--with-openssl'
'--prefix=/home/crmanik/squid/squid-3.5.15-20160330-r14015'
'--enable-ssl-crtd' '--enable-ltdl-convenience'
================================================
iptables Configuration:
crmanik at crmanik-HP-Z600-Workstation:~/squid/squid-3.5.15-20160330-r14015$ sudo iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 31983 packets, 4632K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  br-lan *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128
  500 30000 REDIRECT   tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128
 1368 82080 REDIRECT   tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 3130

Chain INPUT (policy ACCEPT 32548 packets, 4662K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5409 packets, 339K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1293 packets, 83596 bytes)
 pkts bytes target     prot opt in     out     source               destination
24520 1537K MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0



--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/Unable-to-Proxy-https-traffic-using-squid-tp4676981.html
Sent from the Squid - Users mailing list archive at Nabble.com.
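An added consistency check, not from the original post or from Squid itself: it parses the http_port/https_port directives and the `iptables -t nat -nvL` output and reports every REDIRECT whose target is not a Squid port carrying `intercept` (and, for port 443, `ssl-bump`), since NAT-redirected connections have to land on an intercept-mode port. The sample inputs are constructed from the post, with the certificate paths shortened.

```python
import re

# Constructed sample: the post's squid.conf port lines and PREROUTING NAT rules (paths shortened).
SQUID_CONF = """\
http_port 3128
https_port 3130 intercept ssl-bump generate-host-certificates=on key=/tmp/server.key cert=/tmp/server.crt
"""
IPTABLES_NAT = """\
Chain PREROUTING (policy ACCEPT 31983 packets, 4632K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  br-lan *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128
  500 30000 REDIRECT   tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128
 1368 82080 REDIRECT   tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 3130
"""

def squid_ports(conf):
    """Map each http_port/https_port number to the set of options on its line."""
    ports = {}
    for line in conf.splitlines():
        m = re.match(r'\s*(https?_port)\s+(?:\S*:)?(\d+)\s*(.*)', line)
        if m:
            directive, port, rest = m.groups()
            ports[int(port)] = {directive, *rest.split()}
    return ports

def redirect_rules(nat_output):
    """Return (in_iface, dst_port, redir_port) for each PREROUTING REDIRECT rule."""
    rules, chain = [], None
    for line in nat_output.splitlines():
        if line.startswith('Chain '):
            chain = line.split()[1]
        elif chain == 'PREROUTING' and 'REDIRECT' in line:
            fields = line.split()          # pkts bytes target prot opt in out src dst ...
            m = re.search(r'dpt:(\d+)\s+redir ports (\d+)', line)
            if m:
                rules.append((fields[5], int(m.group(1)), int(m.group(2))))
    return rules

def check(conf, nat_output):
    """List NAT redirects whose target is not a matching Squid intercept port."""
    ports, problems = squid_ports(conf), []
    for iface, dport, rport in redirect_rules(nat_output):
        opts = ports.get(rport, set())
        if 'intercept' not in opts:
            problems.append(f'{iface} dpt:{dport} -> {rport}: not a Squid intercept port')
        elif dport == 443 and 'ssl-bump' not in opts:
            problems.append(f'{iface} dpt:{dport} -> {rport}: intercept port lacks ssl-bump')
    return problems
```

The script only checks the port wiring between NAT and Squid; whether clients trust the CA that ssl_crtd signs with is a separate question.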

