[squid-users] Ubuntu 18 with Squid 4.11 SSL_BUMP

AMead anthony_mead at progressive.com
Wed Apr 29 16:10:35 UTC 2020 

1. Compiled Squid 4.11 on Ubuntu 18 T3 EC2 instance:

./configure \
    --prefix=/usr \
    --exec-prefix=/usr \
    --bindir=/usr/bin \
    --sbindir=/usr/sbin \
    --libdir=/usr/lib \
    --libexecdir=/usr/libexec/squid \
    --includedir=/usr/include \
    --mandir=/usr/share/man \
    --infodir=/usr/share/info \
    --datadir=/usr/share/squid \
    --sysconfdir=/etc/squid \
    --localstatedir=/var \
    --sharedstatedir=/var/lib \
    --with-logdir=/var/log/squid \
    --with-pidfile=/var/run/squid.pid \
    --with-default-user=squid \
    --with-openssl \
    --enable-ssl \
    --enable-ssl-crtd


2. Initialized the ssl database:

sudo /usr/libexec/squid/security_file_certgen -c -s /var/cache/squid/ssl_db
-M 4MB


3. I've tried to read through a few similar posts, and got something
reasonably working for the allowance, but now it's appearing to allow
everything:

> /etc/squid/whitelist.txt
*.github.com

> /etc/squid/squid.conf

visible_hostname squid
cache deny all

# Handling HTTP requests
http_port 3128
http_port 3129 intercept
acl allowed_http_sites dstdomain "/etc/squid/whitelist.txt"
http_access allow allowed_http_sites

# Handling HTTPS requests
acl SSL_port port 443
http_access allow SSL_port

https_port 3130 intercept ssl-bump    \
        cert=/etc/squid/ssl/squid.pem \
        # generate-host-certificates=on \ # Defaulted with 4.11
        dynamic_cert_mem_cache_size=16MB

# HTTPS - Peek & Splice
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Alex R
# 10.0.1.93 NONE_ABORTED/200 0 CONNECT 209.216.230.240:443 - HIER_NONE/- -
#
http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-4-6-Transparent-HTTP-amp-HTTPS-Proxy-td4687578.html
#ssl_bump peek step1
#ssl_bump peek step2 allowed_https_sites
#ssl_bump terminate step2
#ssl_bump splice all

# Berger
# 10.0.1.93 NONE_ABORTED/200 0 CONNECT 209.216.230.240:443 - HIER_NONE/- -
#
http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-4-1-transparent-https-issue-quot-curl-60-SSL-certificate-problem-self-signed-certificate-in-ce-td4688553.html
#ssl_bump peek step1 all
#ssl_bump peek step2 allowed_https_sites
#ssl_bump splice step3 allowed_https_sites
#ssl_bump terminate

#dkanejs
# 10.0.1.93 TCP_TUNNEL/200 25082 CONNECT 185.199.111.153:443
# Allows https://example.com, https://github.com, but not
https://news.ycombinator.com
ssl_bump peek all
acl allowed_https_sites ssl::server_name "/etc/squid/whitelist.txt"
ssl_bump splice allowed_https_sites
ssl_bump terminate all

http_access deny all




--
Sent from: http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-Users-f1019091.html

More information about the squid-users mailing list