[squid-users] Squid Explicit Proxying

Eric F. squid at loel.fr
Tue Aug 25 10:35:57 UTC 2020 

Hi,

I use OpenBSD 6.7 with Squid 4.12.
I want to filter http and https website, so i'm trying to use SSL 
bumping.
But unfortunately, my configuration doesn't work. I explain what i did:

The host is named : proxy.lab.local

I generated the certificate like that:

cd /etc/squid
openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -keyout 
squid.pem -out squid.pem
openssl x509 -in /etc/squid/squid.pem -outform DER -out 
/etc/squid/browser.der
chown _squid:_squid *.pem

run squid with squid -z && rcctl start squid

no errors.

I installed the browser.der on my Windows 10 laptop (added the proxy), 
therefore i can't access any webpage.

I tried on the squid server the following tests (curl)

proxy# curl --proxy http://127.0.0.1:3128 https://www.google.com
curl: (60) SSL certificate problem: self signed certificate in 
certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could 
not
establish a secure connection to it. To learn more about this situation 
and
how to fix it, please visit the web page mentioned above.

proxy# curl --proxy http://127.0.0.1:3128 --cacert /etc/squid/squid.pem 
-l https://www.google.com
curl: (35) error:1401E410:SSL routines:CONNECT_CR_FINISHED:sslv3 alert 
handshake failure

Can you help me to troubleshoot this issue ?

Thank you very much.

Below my configuration :


proxy# squid -v
Squid Cache: Version 4.12
Service Name: squid

This binary uses LibreSSL 3.1.1. For legal restrictions on distribution 
see https://www.openssl.org/source/license.html

configure options:  '--disable-strict-error-checking' 
'--disable-arch-native' '--datadir=/usr/local/share/squid' 
'--libexecdir=/usr/local/libexec/squid' '--disable-loadable-modules' 
'--enable-arp-acl' '--enable-auth' '--enable-delay-pools' 
'--enable-digest' '--enable-follow-x-forwarded-for' 
'--enable-forw-via-db' '--enable-http-violations' '--enable-icap-client' 
'--enable-ipv6' '--enable-referer-log' '--enable-removal-policies=lru 
heap' '--enable-ssl' '--enable-ssl-crtd' '--with-openssl' 
'--enable-storeio=aufs ufs diskd' '--with-default-user=_squid' 
'--with-filedescriptors=8192' '--with-krb5-config=no' 
'--with-pidfile=/var/run/squid.pid' '--with-pthreads' 
'--with-swapdir=/var/squid/cache' '--disable-pf-transparent' 
'--enable-ipfw-transparent' '--enable-external-acl-helpers=SQL_session 
file_userip time_quota  unix_group wbinfo_group  LDAP_group 
eDirectory_userip' '--prefix=/usr/local' '--sysconfdir=/etc/squid' 
'--mandir=/usr/local/man' '--infodir=/usr/local/info' 
'--localstatedir=/var/squid' '--disable-silent-rules' 
'--disable-gtk-doc' 'CC=cc' 'CFLAGS=-O2 -pipe' 
'LDFLAGS=-L/usr/local/lib' 'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 
'CXXFLAGS=-O2 -pipe'

proxy# cat /etc/squid/squid.conf
#
# Recommended minimum configuration:
#

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network 
(LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space 
(CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly 
plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network 
(LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network 
(LAN)
acl localnet src fc00::/7               # RFC 4193 local private network 
range
acl localnet src fe80::/10              # RFC 4291 link-local (directly 
plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

acl bad_urls urlpath_regex -i "/etc/squid/bad_urls"
acl bad_domains dstdomain "/etc/squid/bad_domains"

http_access deny bad_urls
http_access deny bad_domains

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128 ssl-bump \
   cert=/etc/squid/squid.pem \
   generate-host-certificates=on dynamic_cert_mem_cache_size=8MB

sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s 
/var/squid/ssl_db -M 8MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslcrtd_children 5
sslproxy_cert_sign signTrusted

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/squid/cache 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

cache_mgr support at lab.local
# EOF

Cheers,
Eric

More information about the squid-users mailing list