[squid-users] Buy Certificates for Squid 'man in the middle'
angelv
angelvg at gmail.com
Wed Feb 1 20:58:55 UTC 2017
Hi,
I need your advice.
I have a transparent proxy running with the self-generated certificate
'myCA.pem'. As it is not signed by a valid entity, I have to import the
'myCA.der' certificate in all web browsers ...
I want to know where I can buy a valid certificate that works in Squid.
PS:
The proxy is working great
----------------------------------------------------------------------------------------------
Important information for clarity (FreeBSD, squid-3.5.23 and PF):
Create self-signed certificate for Squid server
# openssl req -new -newkey rsa:2048 -sha256 -days 36500 -nodes -x509 \
    -extensions v3_ca -keyout myCA.pem \
    -out /usr/local/etc/squid/ssl_cert/myCA.pem \
    -config /usr/local/etc/squid/ssl_cert/openssl.cnf
# openssl dhparam -outform PEM \
    -out /usr/local/etc/squid/ssl_cert/dhparam.pem 2048
Create a DER-encoded certificate to import into users' browsers
# openssl x509 -in /usr/local/etc/squid/ssl_cert/myCA.pem -outform DER \
    -out /usr/local/etc/squid/ssl_cert/myCA.der
# edit /usr/local/etc/squid/squid.conf
...
# Squid normally listens to port 3128
http_port 3128
# Intercept HTTPS CONNECT messages with SSL-Bump
#
http_port 3129 ssl-bump intercept \
    cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
#
https_port 3130 ssl-bump intercept \
    cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
#
sslcrtd_program /usr/local/libexec/squid/ssl_crtd \
    -s /usr/local/etc/squid/ssl_db -M 4MB
#
acl step1 at_step SslBump1
#
ssl_bump peek step1
ssl_bump stare all
ssl_bump bump all
always_direct allow all
#
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
...
PF redirects the traffic to Squid
# edit /etc/pf.conf
...
# Intercept HTTPS CONNECT messages with SSL-Bump
rdr pass on $int_if inet proto tcp from any to port https \
    -> 127.0.0.1 port 3130
rdr pass on $int_if inet6 proto tcp from any to port https \
    -> ::1 port 3130
...
----------------------------------------------------------------------------------------------
--
Ángel Villa G.
US +1 (786) 233-9240 | CO +57 (300) 283-6546
angelvg at gmail.com
https://google.com/+AngelVillaG
https://angelcontents.blogspot.com
"We are all atheists about most of the gods that societies have ever
believed in. Some of us just go one god further" - Richard Dawkins
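Added example (editor's code, not part of the original post or of Squid): a POSIX shell script that builds a CA the way the post's first two openssl commands do, exports it as DER for browser import, and then checks the property ssl_crtd actually needs from the file given to cert=: a certificate with basicConstraints CA:TRUE whose keyUsage permits certificate signing. It also signs an ordinary server certificate with that CA, which is the only kind of certificate a public CA sells, and shows that it fails the same check. All file names (myCA.key, leaf.pem, www.example.test) and the inline openssl.cnf are assumptions of the example; the openssl CLI must be installed.

```shell
#!/bin/sh
# Added example (not from the original post): build a signing CA for Squid
# SSL-Bump, export it as DER, and check which certificates can act as the
# bumping CA. Requires the openssl CLI. File names and the subject names are
# assumptions for this example, not Squid defaults.
set -eu

# Minimal OpenSSL config so the example does not depend on the system
# openssl.cnf. v3_ca is what the post's "-extensions v3_ca" relies on;
# v3_leaf is the shape of a certificate a public CA issues for one server.
write_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Squid SSL-Bump example CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
}

# Self-signed CA certificate plus private key, like the post's first command.
make_ca() {
    dir=$1
    write_cnf "$dir/openssl.cnf"
    openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 \
        -subj "/CN=Squid SSL-Bump example CA" \
        -config "$dir/openssl.cnf" -extensions v3_ca \
        -keyout "$dir/myCA.key" -out "$dir/myCA.pem" 2>/dev/null
}

# A server certificate signed by that CA: what a commercial CA would sell.
make_leaf() {
    dir=$1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" \
        -CA "$dir/myCA.pem" -CAkey "$dir/myCA.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$dir/openssl.cnf" -extensions v3_leaf \
        -out "$dir/leaf.pem" 2>/dev/null
}

# DER copy for browser import, like the post's "openssl x509 -outform DER".
export_der() {
    openssl x509 -in "$1" -outform DER -out "$2"
}

# Returns 0 only if the certificate is a CA (basicConstraints CA:TRUE) whose
# keyUsage includes certificate signing, i.e. the two properties ssl_crtd
# needs from cert= in order to mint per-host certificates.
is_signing_ca() {
    txt=$(openssl x509 -in "$1" -noout -text) || return 1
    printf '%s\n' "$txt" | grep -q 'CA:TRUE' || return 1
    # keyUsage values are printed on the line after the "X509v3 Key Usage" header
    printf '%s\n' "$txt" | sed -n '/X509v3 Key Usage/{n;p;}' \
        | grep -q 'Certificate Sign' || return 1
    return 0
}

# Confirm the DER export is the same certificate (same SHA-256 fingerprint).
der_matches_pem() {
    a=$(openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256)
    b=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
    [ "$a" = "$b" ]
}

demo() {
    d=$(mktemp -d)
    make_ca "$d"; make_leaf "$d"; export_der "$d/myCA.pem" "$d/myCA.der"
    for f in myCA.pem leaf.pem; do
        if is_signing_ca "$d/$f"; then echo "$f: usable as SSL-Bump CA"
        else echo "$f: leaf certificate, cannot sign host certificates"; fi
    done
    der_matches_pem "$d/myCA.der" "$d/myCA.pem" && echo "DER export matches PEM"
    rm -rf "$d"
}

# Run "sh this_script.sh demo" to see both checks.
case "${1:-}" in demo) demo ;; esac
```

Running `demo` reports myCA.pem as usable and leaf.pem as not, which is why the only certificates public CAs issue cannot replace myCA.pem in this setup: generate-host-certificates=on requires a certificate that can sign other certificates, and a publicly trusted CA will not issue one for that purpose. Separately, the `sslproxy_cert_error allow all` and `sslproxy_flags DONT_VERIFY_PEER` lines in the quoted squid.conf make Squid accept any origin-server certificate, so the browsers behind the proxy no longer get any validation of the sites they reach.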