[squid-users] HTTPS woes

Olly Lennox oliver at lennox-it.uk
Thu Apr 13 16:57:18 UTC 2017


Hi There,

I've been battling for the last few days on a little project to setup a Raspberry PI device as a small parental blocking server. I've managed to configure the device to work as a transparent proxy using squid which is assigned as the default gateway via DHCP and after a lot of messing about I've finally got to the point where it's routing traffic correctly, proxying and blocking unwanted websites over HTTP.

The problem I have is that for the life of me I cannot get things to work over HTTPS. It's working over the older, insecure web browsers where anything goes but the more modern browsers will not accept the SSL certificates and fail with insecure messages. I've tried various ways of generating a cert and also generating a CA cert and signing my other cert with it to no avail. I've had a mixture of errors back from the browser from WEAK_ALGORITHM to BAD_AUTHORITY to INVALID_CERT.

I've been using openssl to generate self-signed certificates and create a der file. Below is a recent attempt but I've tried lots of different approaches:

------------
# Generate a 2048-bit RSA key and a self-signed, SHA-256, 10-year certificate (PEM)
openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 -keyout squid.key -out squid.crt
# squid.crt is already PEM, so convert that same certificate to DER for browser import
# (running "openssl req -x509" a second time would mint a different certificate on the same key)
openssl x509 -in squid.crt -inform pem -out squid.der -outform der
------------


Then my config in Squid is like this, the dhparams file I generated as per instructions in the squid wiki:

------------
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem

#always_direct allow all
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
------------

The only routing rules I'm using are to forward port 80/443 to 3128/2129 respectively and also a POST_ROUTING "masquerade" rule which I got from a guide (and I'm not sure I 100% understand!).

Can anyone tell me where I'm going wrong? This is only for use on very small networks (home router + 2 or 3 trusted devices and users) so security between the rPI and the client is not a major concern - I just want it to work in the most simple and foolproof way possible.


Any advice would be very welcome.

Thanks,

Olly
oliver at lennox-it.uk
lennox-it.uk
tel: 07900 648 252
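As an added example (not part of Olly's post and not Squid's own tooling), the script below builds the issuing CA that Squid's generate-host-certificates option needs and then checks the resulting certificate for the properties modern browsers insist on in an issuer: basicConstraints CA:TRUE, a keyUsage that permits certificate signing, and a SHA-256 signature. A plain "openssl req -x509" only carries those extensions if the system openssl.cnf happens to supply them, which is why the script writes its own minimal config. The output directory (a temp dir by default; the post uses /etc/squid3/ssl_cert/) and the CA name are assumptions.

```shell
#!/bin/sh
# Added example: create a CA for Squid ssl-bump and verify it has CA extensions.
set -eu

# Hypothetical output location; pass a directory as $1 to override.
OUTDIR="${1:-$(mktemp -d)}"

command -v openssl >/dev/null 2>&1 || { echo "openssl not installed, nothing to do" >&2; exit 0; }

# Write an OpenSSL request config carrying the v3 extensions a signing CA needs.
write_ca_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = Home Squid Filtering CA (example)
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Generate the key and self-signed CA certificate (PEM) plus a DER copy for browser import.
# squid.crt/squid.key match the cert=/key= names used in the posted https_port line.
generate_ca() {
  dir="$1"
  mkdir -p "$dir"
  write_ca_config "$dir/ca.cnf"
  openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 \
    -config "$dir/ca.cnf" -keyout "$dir/squid.key" -out "$dir/squid.crt" 2>/dev/null
  openssl x509 -in "$dir/squid.crt" -outform der -out "$dir/squid.der"
}

# Inspect the certificate text for the issuer properties browsers check.
# Returns 0 when all are present; otherwise prints what is missing and returns 1.
check_ca_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  ok=0
  echo "$text" | grep -q 'CA:TRUE' || { echo "missing basicConstraints CA:TRUE"; ok=1; }
  echo "$text" | grep -q 'Certificate Sign' || { echo "missing keyUsage keyCertSign"; ok=1; }
  echo "$text" | grep -q 'sha256WithRSAEncryption' || { echo "signature is not SHA-256"; ok=1; }
  return $ok
}

generate_ca "$OUTDIR"
check_ca_cert "$OUTDIR/squid.crt" && echo "CA looks valid; import $OUTDIR/squid.der into each browser"
```

After the checks pass, squid.crt and squid.key are what go into the https_port cert= and key= options, and squid.der is the file to import into each client's trusted CA store; a leaf certificate from a different openssl run than the one Squid signs with will never validate, so keep the pair together.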

