[squid-users] About intercept https

Yurii yurakirychuk at gmail.com
Tue Feb 25 20:23:21 UTC 2020


squid configuration:
Squid Cache: Version 4.10
Service Name: squid
 
This binary uses OpenSSL 1.1.1  11 Sep 2018. For legal restrictions on
distribution see https://www.openssl.org/source/license.html
 
configure options:  '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man' '--enable-inline'
'--disable-arch-native' '--disable-ipv6' '--enable-async-io=8'
'--enable-storeio=ufs,aufs,diskd,rock' '--enable-removal-policies=lru,heap'
'--enable-delay-pools' '--enable-cache-digests' '--enable-icap-client'
'--enable-follow-x-forwarded-for'
'--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
'--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi'
'--enable-icmp' '--enable-zph-qos' '--enable-ecap' '--enable-ssl'
'--enable-ssl-crtd' '--with-openssl' '--disable-translation'
'--with-swapdir=/var/spool/squid' '--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid.pid' '--with-filedescriptors=65536'
'--with-large-files' '--with-default-user=proxy'

ip firewall mangle & route on Mikrotik:
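# Policy-route client port 80/443 traffic to the Squid host (10.3.198.224).
# Only sources in 10.3.198.0/24 are marked; everything else takes the normal
# default route. Long lines use RouterOS "\" continuation instead of the
# wrapped form in the original paste.
/ip firewall mangle
add chain=prerouting src-address=10.3.198.0/24 dst-port=80 protocol=tcp \
    action=mark-routing new-routing-mark=to_squid
add chain=prerouting src-address=10.3.198.0/24 dst-port=443 protocol=tcp \
    action=mark-routing new-routing-mark=to_squid
# NOTE(review): src-address=10.3.198.0/24 also covers the Squid host itself
# (10.3.198.224). Presumably its own outbound 80/443 is exempted somewhere
# not shown here, or does not pass this router; otherwise the marked route
# below would send Squid's upstream connections back to Squid — confirm.
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.3.198.224 \
    routing-mark=to_squid scope=30 target-scope=10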

iptables on Ubuntu:
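# Transparent-proxy NAT rules on the Squid host, matched on ingress interface
# ens160 only (no -s filter); the client-network restriction is enforced by
# Squid's "http_access allow localnet" rule instead.
# The target ports must match the "intercept" listeners in squid.conf
# (http_port ...:3129 intercept, https_port ...:3130 intercept ssl-bump);
# the plain forward-proxy port 3128 is not redirected here.
# Each command is one invocation; "\" joins the lines the original paste
# had wrapped, which would otherwise run "--to-ports" as a separate command.
# redirect HTTP to locally installed Squid instance
iptables -t nat -A PREROUTING -i ens160 -p tcp --dport 80 \
  -j REDIRECT --to-ports 3129
# redirect HTTPS to locally installed Squid instance
iptables -t nat -A PREROUTING -i ens160 -p tcp --dport 443 \
  -j REDIRECT --to-ports 3130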

access.log:
1581426261.762   7924 10.3.198.8 TCP_TUNNEL/200 4602 CONNECT
facebook.com:443 - ORIGINAL_DST/facebook.com - DNS lookup 1  splice
facebook.com
1581426261.762   2598 10.3.198.8 TCP_TUNNEL/200 105429 CONNECT
www.softserveinc.com:443 - ORIGINAL_DST/www.softserveinc.com - DNS lookup - 
splice www.softserveinc.com
1581426262.495   2073 10.3.198.8 NONE/200 0 CONNECT 185.60.216.35:443 -
HIER_NONE/- - DNS lookup -  splice www.facebook.com
1581426264.059   2101 10.3.198.8 NONE/200 0 CONNECT 185.60.216.19:443 -
HIER_NONE/- - DNS lookup -  splice static.xx.fbcdn.net
1581426267.809     22 10.3.198.8 NONE/200 0 CONNECT 104.17.212.204:443 -
HIER_NONE/- - DNS lookup 22  splice js.hs-scripts.com
1581426269.372   2037 10.3.198.8 NONE/200 0 CONNECT 185.60.216.35:443 -
HIER_NONE/- - DNS lookup -  splice www.facebook.com
1581426269.376   2041 10.3.198.8 NONE/200 0 CONNECT 152.199.19.161:443 -
HIER_NONE/- - DNS lookup -  splice cdn-cws-prod.azureedge.net
1581426270.172   2069 10.3.198.8 NONE/200 0 CONNECT 185.60.216.19:443 -
HIER_NONE/- - DNS lookup -  splice connect.facebook.net
1581426270.206   2103 10.3.198.8 NONE/200 0 CONNECT 216.58.215.78:443 -
HIER_NONE/- - DNS lookup -  splice www.google-analytics.com
1581426270.213   2109 10.3.198.8 NONE/200 0 CONNECT 185.63.144.5:443 -
HIER_NONE/- - DNS lookup 1  splice px.ads.linkedin.com
1581426270.219   2116 10.3.198.8 NONE/200 0 CONNECT 216.58.215.98:443 -
HIER_NONE/- - DNS lookup -  splice googleads.g.doubleclick.net
1581426271.763   7703 10.3.198.8 TCP_TUNNEL/200 443 CONNECT
static.xx.fbcdn.net:443 - ORIGINAL_DST/static.xx.fbcdn.net - DNS lookup - 
splice static.xx.fbcdn.net
1581426271.763   2391 10.3.198.8 TCP_TUNNEL/200 3393 CONNECT
www.facebook.com:443 - ORIGINAL_DST/www.facebook.com - DNS lookup -  splice
www.facebook.com
1581426271.763   1544 10.3.198.8 TCP_TUNNEL/200 2891 CONNECT
googleads.g.doubleclick.net:443 - ORIGINAL_DST/googleads.g.doubleclick.net -
DNS lookup 2  splice googleads.g.doubleclick.net
1581426271.764   1551 10.3.198.8 TCP_TUNNEL/200 4093 CONNECT
px.ads.linkedin.com:443 - ORIGINAL_DST/px.ads.linkedin.com - DNS lookup - 
splice px.ads.linkedin.com
1581426271.764   9268 10.3.198.8 TCP_TUNNEL/200 2012 CONNECT
www.facebook.com:443 - ORIGINAL_DST/www.facebook.com - DNS lookup 1  splice
www.facebook.com
1581426271.764   2388 10.3.198.8 TCP_TUNNEL/200 10117 CONNECT
cdn-cws-prod.azureedge.net:443 - ORIGINAL_DST/cdn-cws-prod.azureedge.net -
DNS lookup -  splice cdn-cws-prod.azureedge.net
1581426271.764   3954 10.3.198.8 TCP_TUNNEL/200 1036 CONNECT
js.hs-scripts.com:443 - ORIGINAL_DST/js.hs-scripts.com - DNS lookup 1 
splice js.hs-scripts.com
1581426271.764   1558 10.3.198.8 TCP_TUNNEL/200 1816 CONNECT
www.google-analytics.com:443 - ORIGINAL_DST/www.google-analytics.com - DNS
lookup -  splice www.google-analytics.com
1581426271.764   1592 10.3.198.8 TCP_TUNNEL/200 150372 CONNECT
connect.facebook.net:443 - ORIGINAL_DST/connect.facebook.net - DNS lookup 2 
splice connect.facebook.net

Squid.conf:

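# Client network allowed to use the proxy (see http_access rules below).
acl localnet src 10.3.198.0/24

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# NOTE(review): Squid 4 ships a predefined "manager" ACL; redefining it via
# "proto cache_object" is presumably accepted with a warning at most — check
# cache.log at startup to confirm.
acl manager proto cache_object

# Domain lists. The same file "/etc/squid/blackmailssl" backs both the
# dstdomain ACL here (used by http_access) and the ssl::server_name ACL
# "blackmailssl" further down (used by ssl_bump).
acl whitelist dstdomain "/etc/squid/whitelistssl"
acl blackmails dstdomain "/etc/squid/blackmailssl"

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# NOTE(review): this allow carries no src ACL, so any client that can reach
# the listening ports is permitted to whitelisted domains, not only localnet.
# If LAN-only access is intended, "http_access allow localnet whitelist" is
# the narrower form — confirm the intent.
http_access allow whitelist
# For intercepted HTTPS the fake CONNECT seen at this stage carries the
# original destination IP (see the NONE/200 "CONNECT <ip>:443" entries in
# access.log), so this dstdomain deny presumably cannot rely on the host name;
# the "ssl_bump terminate blackmailssl" rule below is what enforces the block
# once the SNI is known — confirm.
http_access deny blackmails

http_access allow manager localhost
http_access allow localnet
http_access allow localhost
http_access deny all

dns_v4_first on
dns_nameservers 10.3.198.254 10.3.102.5 10.3.100.5

# debug_options ALL,1 26,2 83,2

logfile_rotate 31

# 3128: explicit forward-proxy port (not redirected by the iptables rules).
http_port 10.3.198.224:3128
# 3129/3130: targets of the iptables REDIRECT rules for ports 80 and 443.
http_port 10.3.198.224:3129 intercept
# tls-cert is part of this same directive; the original paste dropped the
# continuation backslash before it, which would leave "tls-cert=..." as an
# unknown stand-alone directive. The file names a CA used to sign generated
# host certificates, so it should be readable only by the user Squid runs as
# (the build's --with-default-user=proxy).
https_port 10.3.198.224:3130 intercept ssl-bump \
                                generate-host-certificates=on \
                                dynamic_cert_mem_cache_size=16MB \
                                connection-auth=off \
                                tls-cert=/etc/squid/squidCA.pem

acl step1 at_step SslBump1
acl blackmailssl ssl::server_name "/etc/squid/blackmailssl"

# One directive; joined with a continuation backslash (the paste had it wrapped).
sslcrtd_program /usr/lib/squid/security_file_certgen -s \
    /usr/lib/squid/ssl_db -M 8MB

# Peek at step 1 to learn the client's SNI without decrypting, terminate
# connections to listed server names, and splice everything else through as
# an opaque TCP tunnel — matching the TCP_TUNNEL/200 ... splice lines in
# access.log.
ssl_bump peek step1
ssl_bump terminate blackmailssl
ssl_bump splice all

cache_dir ufs /var/spool/squid 1024 16 256
maximum_object_size 1 MB

coredump_dir /var/spool/squid

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320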




