[squid-users] Squid Explicit Proxying
Eric F.
squid at loel.fr
Tue Aug 25 10:35:57 UTC 2020
Hi,
I use OpenBSD 6.7 with Squid 4.12.
I want to filter http and https website, so i'm trying to use SSL
bumping.
But unfortunately, my configuration doesn't work. I explain what i did:
The host is named : proxy.lab.local
I generated the certificate like that:
cd /etc/squid
openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -keyout
squid.pem -out squid.pem
openssl x509 -in /etc/squid/squid.pem -outform DER -out
/etc/squid/browser.der
chown _squid:_squid *.pem
run squid with squid -z && rcctl start squid
no errors.
I installed the browser.der on my Windows 10 laptop (added the proxy),
therefore i can't access any webpage.
I tried on the squid server the following tests (curl)
proxy# curl --proxy http://127.0.0.1:3128 https://www.google.com
curl: (60) SSL certificate problem: self signed certificate in
certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could
not
establish a secure connection to it. To learn more about this situation
and
how to fix it, please visit the web page mentioned above.
proxy# curl --proxy http://127.0.0.1:3128 --cacert /etc/squid/squid.pem
-l https://www.google.com
curl: (35) error:1401E410:SSL routines:CONNECT_CR_FINISHED:sslv3 alert
handshake failure
Can you help me to troubleshoot this issue ?
Thank you very much.
Below my configuration :
proxy# squid -v
Squid Cache: Version 4.12
Service Name: squid
This binary uses LibreSSL 3.1.1. For legal restrictions on distribution
see https://www.openssl.org/source/license.html
configure options: '--disable-strict-error-checking'
'--disable-arch-native' '--datadir=/usr/local/share/squid'
'--libexecdir=/usr/local/libexec/squid' '--disable-loadable-modules'
'--enable-arp-acl' '--enable-auth' '--enable-delay-pools'
'--enable-digest' '--enable-follow-x-forwarded-for'
'--enable-forw-via-db' '--enable-http-violations' '--enable-icap-client'
'--enable-ipv6' '--enable-referer-log' '--enable-removal-policies=lru
heap' '--enable-ssl' '--enable-ssl-crtd' '--with-openssl'
'--enable-storeio=aufs ufs diskd' '--with-default-user=_squid'
'--with-filedescriptors=8192' '--with-krb5-config=no'
'--with-pidfile=/var/run/squid.pid' '--with-pthreads'
'--with-swapdir=/var/squid/cache' '--disable-pf-transparent'
'--enable-ipfw-transparent' '--enable-external-acl-helpers=SQL_session
file_userip time_quota unix_group wbinfo_group LDAP_group
eDirectory_userip' '--prefix=/usr/local' '--sysconfdir=/etc/squid'
'--mandir=/usr/local/man' '--infodir=/usr/local/info'
'--localstatedir=/var/squid' '--disable-silent-rules'
'--disable-gtk-doc' 'CC=cc' 'CFLAGS=-O2 -pipe'
'LDFLAGS=-L/usr/local/lib' 'CPPFLAGS=-I/usr/local/include' 'CXX=c++'
'CXXFLAGS=-O2 -pipe'
proxy# cat /etc/squid/squid.conf
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network
(LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space
(CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly
plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network
(LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network
(LAN)
acl localnet src fc00::/7 # RFC 4193 local private network
range
acl localnet src fe80::/10 # RFC 4291 link-local (directly
plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
acl bad_urls urlpath_regex -i "/etc/squid/bad_urls"
acl bad_domains dstdomain "/etc/squid/bad_domains"
http_access deny bad_urls
http_access deny bad_domains
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128 ssl-bump \
cert=/etc/squid/squid.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=8MB
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s
/var/squid/ssl_db -M 8MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslcrtd_children 5
sslproxy_cert_sign signTrusted
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/squid/cache 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_mgr support at lab.local
# EOF
Cheers,
Eric
More information about the squid-users
mailing list