[squid-users] Setting up a transparent http and https proxy server using squid 4.6

jean francois hasson jfhasson at club-internet.fr
Mon Jan 4 14:18:41 UTC 2021 

Hi,

Doing the change below works. I can now access ebay.fr through the 
raspberry pi.

Best regards,

JF

Le 04/01/2021 à 13:04, ngtech1ltd at gmail.com a écrit :
>
> Try as test to remove:
>
> ssl_bump terminate all
>
> Ie use only the next bump rules:
>
> ### START
>
> # TLS/SSL bumping definitions
>
> acl tls_s1_connect at_step SslBump1
>
> acl tls_s2_client_hello at_step SslBump2
>
> acl tls_s3_server_hello at_step SslBump3
>
> ssl_bump peek tls_s1_connect
>
> ssl_bump splice all
> ### END
>
> The above is from an example at ufdbguard manual.
>
> Let me know if you are still having issues in full splice mode.
>
> Eliezer
>
> ----
>
> Eliezer Croitoru
>
> Tech Support
>
> Mobile: +972-5-28704261
>
> Email: ngtech1ltd at gmail.com <mailto:ngtech1ltd at gmail.com>
>
> Zoom: Coming soon
>
> *From:* jean francois hasson <jfhasson at club-internet.fr>
> *Sent:* Monday, January 4, 2021 8:51 AM
> *To:* ngtech1ltd at gmail.com
> *Cc:* squid-users at lists.squid-cache.org
> *Subject:* Re: [squid-users] Setting up a transparent http and https 
> proxy server using squid 4.6
>
> Hi,
>
> Thank you for looking at my question.
>
> I dowloaded the squid 4.6 source code from 
> http://ftp.debian.org/debian/pool/main/s/squid/ 
> <http://ftp.debian.org/debian/pool/main/s/squid/> and selected 
> squid_4.6.orig.tar.gz, squid_4.6-1+deb10u4.debian.tar.xz and 
> squid_4.6-1+deb10u4.dsc. I modified the debian/rules file by adding to 
> DEB_CONFIGURE_EXTRA_FLAGS the following --with-openssl, --enable-ssl 
> and --enable-ssl-crtd.
>
> The squid -v output is :
>
>     Squid Cache: Version 4.6
>     Service Name: squid
>     Raspbian linux
>
>     This binary uses OpenSSL 1.0.2q  20 Nov 2018. For legal
>     restrictions on distribution see
>     https://www.openssl.org/source/license.html
>     <https://www.openssl.org/source/license.html>
>
>     configure options:  '--build=arm-linux-gnueabihf' '--prefix=/usr'
>     '--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
>     '--infodir=${prefix}/share/info' '--sysconfdir=/etc'
>     '--localstatedir=/var' '--libexecdir=${prefix}/lib/squid'
>     '--srcdir=.' '--disable-maintainer-mode'
>     '--disable-dependency-tracking' '--disable-silent-rules'
>     'BUILDCXXFLAGS=-g -O2
>     -fdebug-prefix-map=/home/pi/build/squid/squid-4.6=.
>     -fstack-protector-strong -Wformat -Werror=format-security
>     -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-z,relro -Wl,-z,now
>     -Wl,--as-needed -latomic' 'BUILDCXX=arm-linux-gnueabihf-g++'
>     '--with-build-environment=default' '--enable-build-info=Raspbian
>     linux' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
>     '--libexecdir=/usr/lib/squid' '--mandir=/usr/share/man'
>     '--enable-inline' '--disable-arch-native' '--enable-async-io=8'
>     '--enable-storeio=ufs,aufs,diskd,rock'
>     '--enable-removal-policies=lru,heap' '--enable-delay-pools'
>     '--enable-cache-digests' '--enable-icap-client'
>     '--enable-follow-x-forwarded-for'
>     '--enable-auth-basic=DB,fake,getpwnam,LDAP,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB'
>     '--enable-auth-digest=file,LDAP'
>     '--enable-auth-negotiate=kerberos,wrapper'
>     '--enable-auth-ntlm=fake,SMB_LM'
>     '--enable-external-acl-helpers=file_userip,kerberos_ldap_group,LDAP_group,session,SQL_session,time_quota,unix_group,wbinfo_group'
>     '--enable-security-cert-validators=fake'
>     '--enable-storeid-rewrite-helpers=file'
>     '--enable-url-rewrite-helpers=fake' '--enable-eui' '--enable-esi'
>     '--enable-icmp' '--enable-zph-qos' '--enable-ecap'
>     '--disable-translation' '--with-swapdir=/var/spool/squid'
>     '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid.pid'
>     '--with-filedescriptors=65536' '--with-large-files'
>     '--with-default-user=proxy' '--with-gnutls' '--with-openssl'
>     '--enable-ssl' '--enable-ssl-crtd' '--enable-linux-netfilter'
>     'build_alias=arm-linux-gnueabihf' 'CC=arm-linux-gnueabihf-gcc'
>     'CFLAGS=-g -O2 -fdebug-prefix-map=/home/pi/build/squid/squid-4.6=.
>     -fstack-protector-strong -Wformat -Werror=format-security -Wall'
>     'LDFLAGS=-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -latomic'
>     'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
>     'CXX=arm-linux-gnueabihf-g++' 'CXXFLAGS=-g -O2
>     -fdebug-prefix-map=/home/pi/build/squid/squid-4.6=.
>     -fstack-protector-strong -Wformat -Werror=format-security'
>
> When I run openssl version I get 1.1.1d.
>
> I hope it helps.
>
> Best regards,
>
> JF
>
> Le 03/01/2021 à 21:55, ngtech1ltd at gmail.com 
> <mailto:ngtech1ltd at gmail.com> a écrit :
>
>     Hey,
>
>     I am missing a bit of the context, like:
>
>     Did you self compiled squid? Is it from the OS repository?
>
>     Squid -v might help a bit to understand what you do have enabled
>     in your Squid.
>
>     Eliezer
>
>     ----
>
>     Eliezer Croitoru
>
>     Tech Support
>
>     Mobile: +972-5-28704261
>
>     Email: ngtech1ltd at gmail.com <mailto:ngtech1ltd at gmail.com>
>
>     Zoom: Coming soon
>
>     *From:* squid-users <squid-users-bounces at lists.squid-cache.org>
>     <mailto:squid-users-bounces at lists.squid-cache.org> *On Behalf Of
>     *jean francois hasson
>     *Sent:* Thursday, December 31, 2020 11:10 AM
>     *To:* squid-users at lists.squid-cache.org
>     <mailto:squid-users at lists.squid-cache.org>
>     *Subject:* [squid-users] Setting up a transparent http and https
>     proxy server using squid 4.6
>
>     Hi,
>
>     I am trying to create for my home network a transparent proxy to
>     implement filtering rules based on website names mainly.
>
>     I have been looking at using a Raspberry pi 3B+ running pi OS. I
>     configured it to be a Wifi access point using RaspAP quick
>     install. The Wifi network on which the filtering option is to be
>     implemented is with IP 10.3.141.xxx. The router is at address
>     10.3.141.1.
>
>     I have the following squid.conf file which I tried to create based
>     on different mails, websites and blogs I read :
>
>         acl SSL_ports port 443 #https
>         acl SSL_ports port 563 # snews
>         acl SSL_ports port 873 # rsync
>         acl Safe_ports port 80 # http
>         acl Safe_ports port 21 # ftp
>         acl Safe_ports port 443 # https
>         acl Safe_ports port 70 # gopher
>         acl Safe_ports port 210 # wais
>         acl Safe_ports port 1025-65535 # unregistered ports
>         acl Safe_ports port 280 # http-mgmt
>         acl Safe_ports port 488 # gss-http
>         acl Safe_ports port 591 # filemaker
>         acl Safe_ports port 777 # multiling http
>
>         #Le réseau local
>         acl LocalNet src 10.3.141.0/24
>
>         acl bump_step1 at_step SslBump1
>         acl bump_step2 at_step SslBump2
>         acl bump_step3 at_step SslBump3
>
>         #Définition des autorisations
>         http_access deny !Safe_ports
>         #http_access deny CONNECT !SSL_ports
>         http_access allow localhost manager
>         http_access deny manager
>         http_access allow localhost
>         http_access allow LocalNet
>         http_access deny all
>
>         #Définition des ports d'écoute
>         http_port 8080
>         http_port 3128 intercept
>         https_port 3129 intercept ssl-bump \
>           tls-cert=/etc/squid/cert/example.crt \
>           tls-key=/etc/squid/cert/example.key \
>           generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>
>         sslcrtd_program /usr/lib/squid/security_file_certgen -s
>         /var/lib/ssl_db -M 4MB
>         sslcrtd_children 5
>
>         ssl_bump peek all
>         acl tls_whitelist ssl::server_name .example.com
>         ssl_bump splice tls_whitelist
>         ssl_bump terminate all
>
>         coredump_dir /var/spool/squid
>
>         refresh_pattern ^ftp: 1440 20% 10080
>         refresh_pattern ^gopher: 1440 0% 1440
>         refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
>         refresh_pattern . 0 20% 4320
>
>         cache_dir ufs /cache 400 16 256
>         cache_access_log /var/log/squid/access.log
>         cache_effective_user proxy
>
>     If I set up on a device connected to the access point a proxy
>     manually ie 10.3.141.1 on port 8080, I can access the internet. If
>     I put the following rules for iptables to use in files rules.v4 :
>
>     *nat
>     -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT
>     --to-destination 10.3.141.1:3128
>     -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT
>     --to-ports 3128
>     -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT
>     --to-destination 10.3.141.1:3129
>     -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT
>     --to-ports 3129
>     -A POSTROUTING -s 10.3.141.0/24 -o eth0 -j MASQUERADE
>     COMMIT
>     Now, if I remove the manual proxy configuration of the device
>     connected to the access point, I can't connect to the internet. If
>     I leave the manual proxy configuration it does work and there is
>     activity logged in /var/log/squid/access.log.
>
>     Please let me know what might be wrong in my configuration if
>     possible.
>
>     Best regards,
>
>     JF
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20210104/c60a3581/attachment-0001.htm>

More information about the squid-users mailing list