[squid-users] HTTPS woes

Thu Apr 13 18:00:48 UTC 2017


13.04.2017 22:57, Olly Lennox пишет:
> Hi There,
>
> I've been battling for the last few days on a little project to setup a Raspberry PI device as a small parental blocking server. I've managed to configure the device to work as a transparent proxy using squid which is assigned as the default gateway via DHCP and after a lot of messing about I've finally got to the point where it's routing traffic correctly, proxying and blocking unwanted websites over HTTP.
>
> The problem I have is that for the life of me I cannot get things to work over HTTPS. It's working over the older, insecure web browsers where anything goes but the more modern browsers will not accept the SSL certificates and fail with insecure messages. I've tried various ways of generating a cert and also generating a CA cert and signing my other cert with it to no avail. I've had a mixture of errors back from the browser from WEAK_ALGORITHM to BAD_AUTHORITY to INVALID_CERT.
>
> I've been using openssl to generate self-signed certificates and create a der file. Below is a recent attempt but I've tried lots of different approaches:
>
> ------------
> openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 -keyout squid.key -out squid.crt 
> openssl req -new -x509 -key squid.key -out squid.pem 
> openssl x509 -in squid.pem -inform pem -out squid.der -outform der
> ------------
>
>
> Then my config in Squid is like this, the dhparams file I generated as per instructions in the squid wiki:
First of all: what's Squid's version?
>
> ------------
> http_port 3128 intercept
> https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl_cert/squid.crt key=/etc/squid3/ssl_cert/squid.key options=NO_SSLv3 dhparams=/etc/squid3/ssl_cert/dhparam.pem 
You squid's built with interception support? show squid -v output.
>
> ssl_bump server-first all 
This  ^^^^^^^^^^^^^^^^^^^^^ option valid only up to Squid 3.4. If you
using 3.5.x, you should use new peek-n-splice rules.
> sslproxy_cert_error allow all 
> sslproxy_flags DONT_VERIFY_PEER 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Don't do this. Never. This force
squid to ignore (and hide) all security issues with SSL from user and
from you.
> sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS 
>
> ------------
>
> The only routing rules I'm using are to forward port 80/443 to 3128/2129 respectively and also a POST_ROUTING "masquerade" rule which I got from a guide (and I'm not sure I 100% understand!)
80/443 should be NATed to squid's box on squid's box.
>  
>
> Can anyone tell me where I'm going wrong? This is only for use on very small networks (home router + 2 or 3 trusted devices and users) so security between the rPI and the client is not a major concern - I just want it to work in the most simple and foolproof way possible.
You doing wrong only one: you not give any important to resolve issue
information.
At least squid's version and build options.
>
> Any advice would be very welcome.
>
> Thanks,
>
> Olly
> oliver at lennox-it.uk
> lennox-it.uk
> tel: 07900 648 252
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users

-- 
Bugs to the Future
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x613DEC46.asc
Type: application/pgp-keys
Size: 2437 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170414/2facccdb/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170414/2facccdb/attachment.sig>