[squid-users] How to setup a secure(!) squid proxy

Amos Jeffries squid3 at treenet.co.nz
Fri Jan 15 17:29:04 UTC 2016


On 15/01/2016 11:13 p.m., startrekfan wrote:
> Hello
> 
> I'm sorry. I'm not a native speaker so I maybe don't find the right words.
> 
> I'd like to setup a proxy that can scan the incoming traffic for virus
> (squidclamav). To do that for a https/ssl connection I need the squid
> ssl-bump feature or is there an other solution?

Aha. Yes you will need bumping to do that.

> 
> Now I want to setup the ssl-bump feature as safe as using no ssl-bump. Is
> this possible with squid 3.4? (Of course every one who has my CA cert can
> decrypt the traffic, but I keep it safe.)

TLS is a fast changing situation. The golden rule with bumping TLS/HTTPS
is to use the latest Squid release.

If you have any problems first try an upgrade. Things are being improved
constantly and you may even need to go beyond the stable production
release and use the beta development release for some things.
But definitely anything older than the current production release
certainly has TLS related bugs and annoying problems.

3.4 is over a year outdated in its support for TLS features and is
lacking some very major abilities that are critical for smooth port 443
interception. 3.5 is still a bit rough itself, but way better than any
older Squid.


> Squid is communicating with the remote server(webserver). I'd like to have
> at least this communication as safe as using a normal browser.
> 

Leave that until you have a working system. Your end goal is a
complicated setup. Best take it one small step at a time. Especially
since you are new at this.


> Does squid 3.4 do all the necessary steps like checking the certificate
> validity?

Yes, all Squid-2.4+ do unless you configure it not to happen.


> What about advanced features like cert pinning?
> 

Not normally. Cert pinning is a nasty hack browsers do. If you want that
you will have to write a cert validator helper of your own that checks
the pinning.

You will however find that any traffic actually using cert pinning is
not able to be SSL-Bumped. So traffic where bumping succeeds will never
be worth checking for pinning.


> How do I configure ssl virus scanning? Are these steps enough:
> http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

The two are separate things. SSL-Bump decrypts the HTTPS traffic
arriving into Squid. ICAP services doing AV can scan traffic going
through Squid.

This is good. It means you can/should configure one and test it is
working well before trying to start setting up the other.

Amos
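
A squid.conf sketch of the two separate pieces Amos describes, as an added example that is not from the mail or the Squid wiki (Squid 3.5 syntax; the paths, port numbers and the ICAP service address are assumed values to adjust for your install):

```conf
# Added example, not from the original mail: Squid 3.5 squid.conf fragment
# keeping SSL-Bump and ICAP scanning apart. Paths, ports and the ICAP URL
# are assumed values.

# --- Part 1: SSL-Bump (decrypts HTTPS arriving at Squid) ---
# Explicit proxy port with bumping; the CA cert/key that clients must trust.
http_port 3128 ssl-bump \
    cert=/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints per-site certificates signed by that CA.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

# Peek at the ClientHello first, then bump (decrypt) the rest.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Keep upstream certificate validation strict (this is the default).
# Do NOT add "sslproxy_flags DONT_VERIFY_PEER" or
# "sslproxy_cert_error allow all": either one makes Squid accept bad
# server certificates on the proxy-to-webserver side.
sslproxy_cert_error deny all

# --- Part 2: ICAP antivirus (scans traffic passing through Squid) ---
# Get this block working on plain HTTP before enabling Part 1.
icap_enable on
icap_send_client_ip on
icap_service clamav_resp respmod_precache bypass=off \
    icap://127.0.0.1:1344/squidclamav
adaptation_access clamav_resp allow all
```

With bypass=off, Squid fails closed if the c-icap/squidclamav service is down, so check `cache.log` for ICAP errors when testing Part 2 on its own.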
