[squid-users] SSL bump, SSL intercept, explicit, secure proxy, what is it called?

j m acctforjunk at yahoo.com
Wed May 24 21:01:53 UTC 2017


Some more info:  I tried this on Firefox 53 and got more feedback, but still doesn't work.  Per the recommendation on bugzilla (bug 378637), I put https://myaddress:myport into firefox and it gives me a "Your connection is not secure".  So I add the exception, and it then displays the squid message "ERROR The requested URL could not be retrieved", as expected.
So I add the proxy to Firefox (in Advanced, Network, Settings) as the HTTP Proxy... doesn't work, "The proxy server is refusing connections".  I then put https:// in front of the address, then it's "Server not found".  I then add it as SSL Proxy.  It appears to be working, but really it's simply not using the proxy at all, because I stopped squid and it made no difference.
The link you reference on getting Firefox to work with this refers to Firefox 33, so by now I'd think I could directly add the proxy to the normal place in Firefox options?
squid.conf:
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
acl ncsa_users proxy_auth REQUIRED
http_access allow ncsa_users

acl auth_users proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow auth_users
http_access allow all
#http_port 8092
https_port 8092 cert=/etc/squid/squid.pem
cache deny all
access_log none
netdb_filename none

From: Amos Jeffries <squid3 at treenet.co.nz>
To: squid-users at lists.squid-cache.org
Sent: Wednesday, May 24, 2017 7:57 AM
Subject: Re: [squid-users] SSL bump, SSL intercept, explicit, secure proxy, what is it called?

On 24/05/17 13:44, j m wrote:
> I'd like to set up a proxy on a home server so I can use it remotely 
> for web browsing; no filtering, nothing fancy, just a pass-through of 
> sorts to get around web filters.  That part I've got working.  The 
> part I haven't had luck with is encrypting the browser-to-proxy 
> connection.  I've found some tutorials online but part of the problem 
> is I don't know what this feature is called when searching for 
> solutions to problems.
>
> I have squid 3.5.23 on Ubuntu compiled with
>
> '--with-openssl' '--enable-ssl' '--enable-ssl-crtd'
>
> so I believe I'm set there.  However, upon finally getting a 
> squid.conf that doesn't cause immediate errors when squid is started, 
> I find that the squid process is gone after several seconds and find 
> lots of these in syslog:
>
> (squid-1): The ssl_crtd helpers are crashing too rapidly, need help!
>
> I found a suggestion to fix this problem, but it didn't help:
>
> rc-service squid stop
> rm -rf /var/lib/ssl_db
> /usr/lib/squid3/ssl_crtd -c -s /var/lib/ssl_db
> rc-service squid start
>
>
> So firstly, what is the actual name for what I want (encrypting proxy 
> to browser)?
>


Some people seem to be calling it "HTTPS", but that is not correct and 
thankfully makes it difficult to find the bad info. (that said our own 
wiki documents it on the HTTPS page referenced below :-P ).

The current IETF term for it is "TLS explicit proxy". Previously it did 
not have a formal term and often got described in words like "TLS proxy" 
or sometimes "TLS to the proxy" and variants switching "SSL" for "TLS". 
It also has some relation to early forms of "HTTP opportunistic 
security" - though that now means an HTTP version of email's STARTTLS 
that is quite unrelated to anything Squid supports at present.



> And secondly, any advice on the error?  Or even better, a good 
> tutorial on setting this up?  I thought if I follow a configuration 
> exactly, I'd be off and running with little problem.
>
>

The ssl_crtd helper is not related to TLS explicit proxy. It is a part 
of SSL-Bump features for intercepting HTTPS traffic, specifically it is 
the part that forges certificates.

You could avoid it entirely by removing the --enable-ssl-crtd build 
option if you don't need SSL-Bump features later. Otherwise check the 
directory creation and ownership permissions are correct and that Squid 
http_port is *not* set up to use ssl-bump features (yet).


The TLS explicit proxy is simply a Squid that uses https_port to receive 
proxy traffic, as opposed to http_port. You will need a server 
certificate for that, but nothing else special on Squid's side of 
things. eg:
  https_port 3128 cert=blah_public.pem key=blah_private.key

The tricky part is getting a browser to talk TLS to anything other than 
origin servers.  The details we know of are all at 
<http://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection>.

Amos

_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
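Both the Firefox settings experiments above and Amos's note that "the tricky part is getting a browser to talk TLS to anything other than origin servers" come down to how the browser is told that the proxy itself speaks TLS. The manual "HTTP Proxy" / "SSL Proxy" fields cannot express that; a PAC file can, via the HTTPS return keyword, which is what the wiki page linked from this thread relies on (Firefox 33 and later). The following PAC file is an added example for this thread, not code from the original posts or from the Squid project. The proxy hostname and port are placeholders to be replaced with your own Squid's address and https_port; the three helper functions at the bottom are minimal stand-ins for the PAC builtins a browser provides (isPlainHostName, shExpMatch, isInNet), present only so the file can be exercised from the command line, and this isInNet stand-in matches IP literals only, without the DNS lookup the real one does.

```javascript
// proxy.pac: point the browser at a Squid TLS explicit proxy (added example).
// "HTTPS host:port" (not "PROXY") tells the browser to wrap the connection
// to the proxy itself in TLS, matching Squid's https_port.
var SQUID = "HTTPS proxy.example.net:8092"; // placeholder address and port

function FindProxyForURL(url, host) {
  // Plain hostnames and .local names are reached directly.
  if (isPlainHostName(host) || shExpMatch(host, "*.local")) {
    return "DIRECT";
  }
  // Private and loopback address ranges never go through the proxy.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Deliberately no "; DIRECT" fallback. With a fallback, an unreachable or
  // misconfigured proxy makes the browser silently go direct, which is exactly
  // the "it works even with squid stopped" symptom seen in this thread.
  return SQUID;
}

// ---- stand-ins for the browser's PAC builtins, used only outside a browser ----
if (typeof isPlainHostName !== "function") {
  // True when the name has no dot, e.g. "intranet".
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
}

if (typeof shExpMatch !== "function") {
  // Shell-style glob match: "*" matches any run, "?" matches one character.
  globalThis.shExpMatch = function (str, pattern) {
    var re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                    .replace(/\*/g, ".*")
                    .replace(/\?/g, ".");
    return new RegExp("^" + re + "$").test(str);
  };
}

if (typeof isInNet !== "function") {
  // Parse a dotted-quad IPv4 literal into a number; null if it is not one.
  var ipToInt = function (s) {
    var parts = s.split(".");
    if (parts.length !== 4) return null;
    var n = 0;
    for (var i = 0; i < 4; i++) {
      var o = parseInt(parts[i], 10);
      if (isNaN(o) || o < 0 || o > 255 || String(o) !== parts[i]) return null;
      n = n * 256 + o;
    }
    return n;
  };
  // IP-literal-only version: the browser's isInNet also resolves hostnames.
  globalThis.isInNet = function (host, pattern, mask) {
    var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
    if (h === null || p === null || m === null) return false;
    return (h & m) === (p & m);
  };
}
```

Serve the file over plain HTTP or load it from disk via Firefox's "Automatic proxy configuration URL" setting; the browser then opens a TLS session to the proxy on 8092 before sending any proxy request, so the cert given to https_port must be one the browser trusts for the hostname in the PAC, exactly as for any origin server.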


   
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20170524/41ba65d5/attachment.html>


More information about the squid-users mailing list