[squid-users] Squid 2.7.s9 HTTPS-proxying - hint welcome

Wed Aug 17 15:23:52 UTC 2016

Dear Mailing List,

older Squid versions have been obsoleted by 3.X and 4.X, I (barely)
dare to ask a 2.X-related question ... For particular reasons, I am
forced to stuck with 2.X: my cache contains objects since 2010, of
personal value. Due to small bandwith (ISDN speed), I use Squid
as a "buffer" for offline browsing, objects are reloaded on request
only (Ctrl-R/ F5).

I managed to build a debianized Version of 2.7.STABLE9-20110824
'--enable-ssl' (OpenSSL 1.0.1t) on Raspbian Jessie in June (an OS/2
build using VAC++ failed in 2013). Duane Wessels' Squid Guide is an
invaluable source - I did not find comparably clear explanations
on SSL/ HTTPS-features on squid-cache.org. In the mail archive,
2.X SSL-related topics are rare.

In brief, I failed to set up SSL-options properly, i.e. the proxy
is still unable to cache HTTPS-URLs by means of Man-in-the-middle-
(MITM-) decryption, i.e. no HTTPS objects never get stored in the
cache. The more and more web pages become secured, bigger and bigger
as well - it is hard to lose information on each reboot.

Configuration (extract from cachmgr.cgi's current configuration):
 acl SSL_ports port 443
 acl Safe_ports port 443
 http_access Deny !Safe_ports
 http_access Deny CONNECT !SSL_ports
 ...
 ssl_unclean_shutdown on
 sslproxy_client_certificate /etc/squid/proxyCert.proxyCertInfo
 sslproxy_client_key /etc/squid/proxyKey.pem
 sslproxy_version 1
 sslproxy_cipher HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
 sslproxy_cafile /etc/ssl/certs/ca-certificates.crt
 sslproxy_capath /etc/ssl/certs
 http_port 0.0.0.0:8080 protocol=http
--- End of current Squid configuration's extract ----
   (Complete configuration available if required.)

The client_certificate "proxyKey.pem" is a 2048 bit RSA key without
pass phrase, signed by a self-created Root CA-certificate. (Appropriate
entries for the sslpassword_program TAG are unknown - Squid stalls when
opening password-protected keys). The extension of client_certificate,
"proxyCert.proxyCertInfo" is inspired by OpenSSL's proxy certificates
HOWTO. The sslproxy_cafile & _capath TAGs point to OpenSSL's CA certs.

I don't understand how clients gain access to Squid's HTTPS-capabilities;
I tried to exclude port 443 from the CONNECTable acl hoping the client
might connect to Squid itself (it didn't). Entries such as
 https_port 443 cert=/etc/squid/proxyCert.proxyCertInfo
      key=/etc/squid/proxyKey.pem dhparams=/etc/squid/proxyDHparam.pem
were unsuccessful as well. If I got things right, the global sslproxy_*
TAGs control how Squid handles DIRECT traffic towards https:// URLs,
whilst https_port defines the proxy as an end point of SSL-connections,
and cache_peer sets up (encryptable) links to other Squids or servers.

Despite sslproxy_* entries, Squid still tunnels HTTPS requests and
DIRECTs them to origin servers. V2.7.s9 lacks features introduced in
newer versions (like SSL Bump), I hope it is at all capable to cache
encrypted data. I'd be glad about feedback pointing out misunderstandings.

OR, is it possible - by contrast to the step from Squid 1.X to 2.X - that
the cache objects' file format did not change since 2.X, which would allow
to use my (precious) objects with, e.g. Squid 3.5? There is a 3.5.19 build
on http://archive.raspbian.org/raspbian/pool/main/s/squid3/, but the
respective dependencies cannot be resolved yet.

Sincerely  Torsten