[squid-users] Buy Certificates for Squid 'man in the middle'

angelv angelvg at gmail.com
Wed Feb 1 20:58:55 UTC 2017


Hi,

I need your advice.

I have a transparent proxy running with the self generated certificates
'myCA.pem', as it is not signed by a valid entity then I have to import the
'myCA.der' certificate in all web browsers ...

I want to know where I can buy a valid certificate that work in Squid.

PD:
The proxy is working great


----------------------------------------------------------------------------------------------
Important information for clarity (FreeBSD, squid-3.5.23 and PF):

Create self-signed certificate for Squid server

# openssl req -new -newkey rsa:2048 -sha256 -days 36500 -nodes -x509
-extensions v3_ca -keyout myCA.pem  -out
/usr/local/etc/squid/ssl_cert/myCA.pem -config
/usr/local/etc/squid/ssl_cert/openssl.cnf

# openssl dhparam -outform PEM -out
/usr/local/etc/squid/ssl_cert/dhparam.pem 2048

Create a DER-encoded certificate to import into users' browsers

# openssl x509 -in /usr/local/etc/squid/ssl_cert/myCA.pem -outform DER -out
/usr/local/etc/squid/ssl_cert/myCA.der


# edit /usr/local/etc/squid/squid.conf
...
# Squid normally listens to port 3128
http_port  3128

# Intercept HTTPS CONNECT messages with SSL-Bump
#
http_port  3129 ssl-bump intercept \
        cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
        dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
#
https_port 3130 ssl-bump intercept \
        cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
        dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
#
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s
/usr/local/etc/squid/ssl_db -M 4MB
#
acl step1 at_step SslBump1
#
ssl_bump peek step1
ssl_bump stare all
ssl_bump bump all
always_direct allow all
#
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
...

PF redirect the traffic to the Squid

# edit /etc/pf.conf
...
# Intercept HTTPS CONNECT messages with SSL-Bump
rdr pass on $int_if inet  proto tcp from any to port https \
        -> 127.0.0.1 port 3130
rdr pass on $int_if inet6 proto tcp from any to port https \
        -> ::1 port 3130
...
----------------------------------------------------------------------------------------------
-- 
Ángel Villa G.
US +1 (786) 233-9240 | CO +57 (300) 283-6546
angelvg at gmail.com
https://google.com/+AngelVillaG
https://angelcontents.blogspot.com

"We are all atheists about most of the gods that societies have ever
believed in. Some of us just go one god further" - Richard Dawkins
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170201/d027bd1d/attachment-0001.html>


More information about the squid-users mailing list