[squid-users] Squid 2.7.s9 HTTPS-proxying - hint welcome
Torsten Kühn
tekuehn at web.de
Wed Aug 17 15:23:52 UTC 2016
Dear Mailing List,
since older Squid versions have been obsoleted by 3.X and 4.X, I (barely)
dare to ask a 2.X-related question ... For particular reasons, I am
forced to stick with 2.X: my cache contains objects dating back to 2010,
of personal value. Due to small bandwidth (ISDN speed), I use Squid
as a "buffer" for offline browsing; objects are reloaded on request
only (Ctrl-R / F5).
I managed to build a Debianized version of 2.7.STABLE9-20110824 with
'--enable-ssl' (OpenSSL 1.0.1t) on Raspbian Jessie in June (an OS/2
build using VAC++ failed in 2013). Duane Wessels' Squid Guide is an
invaluable source - I did not find comparably clear explanations
of the SSL/HTTPS features on squid-cache.org. In the mail archive,
2.X SSL-related topics are rare.
In brief, I failed to set up the SSL options properly, i.e. the proxy
is still unable to cache HTTPS URLs by means of man-in-the-middle
(MITM) decryption, so HTTPS objects never get stored in the
cache. More and more web pages are becoming secured, and bigger and
bigger as well - it is hard to lose that information on each reboot.
Configuration (extract from cachemgr.cgi's current configuration):
acl SSL_ports port 443
acl Safe_ports port 443
http_access Deny !Safe_ports
http_access Deny CONNECT !SSL_ports
...
ssl_unclean_shutdown on
sslproxy_client_certificate /etc/squid/proxyCert.proxyCertInfo
sslproxy_client_key /etc/squid/proxyKey.pem
sslproxy_version 1
sslproxy_cipher HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt
sslproxy_capath /etc/ssl/certs
http_port 0.0.0.0:8080 protocol=http
--- End of current Squid configuration extract ---
(Complete configuration available if required.)
The client certificate "proxyKey.pem" is a 2048-bit RSA key without a
passphrase, signed by a self-created root CA certificate. (Appropriate
entries for the sslpassword_program TAG are unknown - Squid stalls when
opening password-protected keys.) The file extension of the client
certificate, "proxyCert.proxyCertInfo", is inspired by OpenSSL's proxy
certificates HOWTO. The sslproxy_cafile and sslproxy_capath TAGs point to
OpenSSL's CA certificates.
I don't understand how clients gain access to Squid's HTTPS capabilities;
I tried to exclude port 443 from the CONNECTable ACL, hoping the client
might connect to Squid itself (it didn't). Entries such as
https_port 443 cert=/etc/squid/proxyCert.proxyCertInfo
key=/etc/squid/proxyKey.pem dhparams=/etc/squid/proxyDHparam.pem
were unsuccessful as well. If I got things right, the global sslproxy_*
TAGs control how Squid handles DIRECT traffic towards https:// URLs,
whilst https_port defines the proxy as an endpoint of SSL connections,
and cache_peer sets up (encryptable) links to other Squids or servers.
Despite the sslproxy_* entries, Squid still tunnels HTTPS requests and
DIRECTs them to origin servers. V2.7.s9 lacks features introduced in
newer versions (like SSL Bump); I hope it is capable of caching
encrypted data at all. I'd be glad about feedback pointing out misunderstandings.
OR, is it possible - in contrast to the step from Squid 1.X to 2.X - that
the cache objects' file format did not change since 2.X, which would allow
me to use my (precious) objects with, e.g., Squid 3.5? There is a 3.5.19 build
on http://archive.raspbian.org/raspbian/pool/main/s/squid3/, but the
respective dependencies cannot be resolved yet.
Sincerely, Torsten
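The SSL Bump feature the post refers to is what newer Squid releases use to decrypt CONNECT tunnels so that HTTPS responses become cacheable. Squid 2.7 has no equivalent: its https_port only terminates TLS on connections made to the proxy itself, and the sslproxy_* directives only govern the proxy's own TLS client behaviour towards origin servers, so CONNECT traffic stays an opaque tunnel. As an added illustration that is not part of the original post, here is a minimal Squid 3.5 squid.conf fragment for bumping and caching HTTPS. The paths (/etc/squid/bumpCA.pem, /var/lib/squid/ssl_db, /usr/lib/squid/ssl_crtd) and the listening port are assumptions; the CA file must contain both the certificate and its private key, and every client must be made to trust that CA, which is precisely what turns the proxy into a deliberate man-in-the-middle, so that key deserves the same protection as a root CA key.

```conf
# Added example: Squid 3.5.x squid.conf fragment for SSL Bump caching.
# Not from the original post. Assumed paths: /etc/squid/bumpCA.pem
# (CA certificate + private key, PEM), /var/lib/squid/ssl_db, and
# /usr/lib/squid/ssl_crtd (location of the certificate-generator helper).

# One port for plain HTTP and CONNECT; ssl-bump enables decryption of
# CONNECT tunnels with per-host certificates minted on the fly and signed
# by bumpCA.
http_port 0.0.0.0:8080 ssl-bump cert=/etc/squid/bumpCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints the per-host certificates. Initialise its database once:
#   /usr/lib/squid/ssl_crtd -c -s /var/lib/squid/ssl_db
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

# Peek at the ClientHello first (so SNI is available to ACLs), then bump.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Proxy-to-origin TLS: verify origins against the system CA bundle, never
# hide an origin certificate error behind the proxy's own trusted cert,
# and refuse SSLv2/SSLv3.
sslproxy_cafile /etc/ssl/certs/ca-certificates.crt
sslproxy_cert_error deny all
sslproxy_options NO_SSLv2,NO_SSLv3
sslproxy_cipher HIGH:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP

# Usual port ACLs; once bumped, responses are cached under the same rules
# as plain HTTP (subject to the origin's cache-control headers).
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
```

One caveat for the migration the post considers: the stock Debian/Raspbian squid3 packages of that era were built without OpenSSL support, so, as with the 2.7 build described above, a rebuild with --enable-ssl (and --enable-ssl-crtd for the certificate helper) is needed before any ssl_bump directive is accepted.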
More information about the squid-users mailing list