[squid-users] Squid Explicit Proxying
Eric F.
squid at loel.fr
Wed Aug 26 06:58:27 UTC 2020
First, thank you very much for your help, you re awesome !
I can in fact browse HTTP pages, but not HTTPS.
Can i ask you a bit more help :) ?
I applied some changes :
Regarding the certificate, i read the man page
http://man.openbsd.org/ssl
cd /etc/squid
openssl genrsa -out squid.key 4096
openssl req -new -key squid.key -out squid.csr
openssl x509 -sha256 -req -days 365 -in squid.csr -signkey squid.key
-out squid.crt
cat squid.crt squid.key > squid.pem
chown _squid:_squid *.pem
chmod 700 *.pem
openssl x509 -in squid.pem -outform DER -out browser.der
Now when i try : curl --proxy http://127.0.0.1:3128 --cacert
/etc/squid/squid.pem -l https://www.google.com
I get : curl: (60) SSL certificate problem: unable to get local issuer
certificate...
On the Windows 10 laptop, i configured the proxy using inetcpl.cpl see
attached screenshot (IE options).
I also added the browser.der to root certification in the snap
certmgr.msc (see attached screenshot).
On Firefox, I get SEC_ERROR_UNKNOWN_ISSUER when trying to browse https
website.
On Chrome, I get ERR_CONNECTION_CLOSED when trying to browse https
website.
HTTP website is OK.
I enabled the debug in squid.conf like you suggested me :)
Here the squid -k parse :
--8<--
obsd-proxy# squid -k parse
2020/08/26 10:35:44| Startup: Initializing Authentication Schemes ...
2020/08/26 10:35:44| Startup: Initialized Authentication Scheme 'basic'
2020/08/26 10:35:44| Startup: Initialized Authentication Scheme 'digest'
2020/08/26 10:35:44| Startup: Initialized Authentication Scheme
'negotiate'
2020/08/26 10:35:44| Startup: Initialized Authentication Scheme 'ntlm'
2020/08/26 10:35:44| Startup: Initialized Authentication.
2020/08/26 10:35:44| Processing Configuration File:
/etc/squid/squid.conf (depth 0)
2020/08/26 10:35:44| Processing: debug_options ALL,5
2020/08/26 10:35:44| Processing: acl localnet src 0.0.0.1-0.255.255.255
# RFC 1122 "this" network (LAN)
2020/08/26 10:35:44| Processing: acl localnet src 10.0.0.0/8
# RFC 1918 local private network (LAN)
2020/08/26 10:35:44| Processing: acl localnet src 100.64.0.0/10
# RFC 6598 shared address space (CGN)
2020/08/26 10:35:44| Processing: acl localnet src 169.254.0.0/16
# RFC 3927 link-local (directly plugged) machines
2020/08/26 10:35:44| Processing: acl localnet src 172.16.0.0/12
# RFC 1918 local private network (LAN)
2020/08/26 10:35:44| Processing: acl localnet src 192.168.0.0/16
# RFC 1918 local private network (LAN)
2020/08/26 10:35:44| Processing: acl localnet src fc00::/7
# RFC 4193 local private network range
2020/08/26 10:35:44| Processing: acl localnet src fe80::/10
# RFC 4291 link-local (directly plugged) machines
2020/08/26 10:35:44| Processing: acl SSL_ports port 443
2020/08/26 10:35:44| Processing: acl Safe_ports port 80 # http
2020/08/26 10:35:44| Processing: acl Safe_ports port 21 # ftp
2020/08/26 10:35:44| Processing: acl Safe_ports port 443 # https
2020/08/26 10:35:44| Processing: acl Safe_ports port 70 #
gopher
2020/08/26 10:35:44| Processing: acl Safe_ports port 210 # wais
2020/08/26 10:35:44| Processing: acl Safe_ports port 1025-65535 #
unregistered ports
2020/08/26 10:35:44| Processing: acl Safe_ports port 280 #
http-mgmt
2020/08/26 10:35:44| Processing: acl Safe_ports port 488 #
gss-http
2020/08/26 10:35:44| Processing: acl Safe_ports port 591 #
filemaker
2020/08/26 10:35:44| Processing: acl Safe_ports port 777 #
multiling http
2020/08/26 10:35:44| Processing: acl CONNECT method CONNECT
2020/08/26 10:35:44| Processing: http_access deny !Safe_ports
2020/08/26 10:35:44| Processing: http_access deny CONNECT !SSL_ports
2020/08/26 10:35:44| Processing: http_access allow localhost manager
2020/08/26 10:35:44| Processing: http_access deny manager
2020/08/26 10:35:44| Processing: acl bad_urls urlpath_regex -i
"/etc/squid/bad_urls"
2020/08/26 10:35:44| Processing: acl bad_domains dstdomain
"/etc/squid/bad_domains"
2020/08/26 10:35:44| Processing: http_access deny bad_urls
2020/08/26 10:35:44| Processing: http_access deny bad_domains
2020/08/26 10:35:44| Processing: http_access allow localnet
2020/08/26 10:35:44| Processing: http_access allow localhost
2020/08/26 10:35:44| Processing: http_access deny all
2020/08/26 10:35:44| Processing: http_port 3128 ssl-bump
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
tls-cert=/etc/squid/squid.pem
2020/08/26 10:35:44| Processing: acl step1 at_step SslBump1
2020/08/26 10:35:44| Processing: ssl_bump peek step1
2020/08/26 10:35:44| Processing: acl step2 at_step SslBump2
2020/08/26 10:35:44| Processing: ssl_bump stare step2
2020/08/26 10:35:44| Processing: ssl_bump bump all
2020/08/26 10:35:44| Processing: sslcrtd_program
/usr/local/libexec/squid/security_file_certgen -s /var/squid/ssl_db -M
4MB
2020/08/26 10:35:44| Processing: sslcrtd_children 5
2020/08/26 10:35:44| Processing: sslproxy_cert_sign signTrusted
2020/08/26 10:35:44| Processing: coredump_dir /var/squid/cache
2020/08/26 10:35:44| Processing: refresh_pattern ^ftp: 1440
20% 10080
2020/08/26 10:35:44| Processing: refresh_pattern ^gopher: 1440
0% 1440
2020/08/26 10:35:44| Processing: refresh_pattern -i (/cgi-bin/|\?) 0
0% 0
2020/08/26 10:35:44| Processing: refresh_pattern . 0
20% 4320
2020/08/26 10:35:44| Processing: cache_mgr informatique at dmp.re
2020/08/26 10:35:44| Initializing https:// proxy context
2020/08/26 10:35:44| Initializing http_port [::]:3128 TLS contexts
2020/08/26 10:35:44| Using certificate in /etc/squid/squid.pem
2020/08/26 10:35:44| Using certificate chain in /etc/squid/squid.pem
2020/08/26 10:35:44| Adding issuer CA: ...CN=proxy.lab.local...
2020/08/26 10:35:44| Using key in /etc/squid/squid.pem
2020/08/26 10:35:44| Initializing http_port 0.0.0.0:3128 TLS contexts
2020/08/26 10:35:44| Using certificate in /etc/squid/squid.pem
2020/08/26 10:35:44| Using certificate chain in /etc/squid/squid.pem
2020/08/26 10:35:44| Adding issuer CA: ...CN=proxy.lab.local...
2020/08/26 10:35:44| Using key in /etc/squid/squid.pem
2020/08/26 10:35:44.677| 20,5| src/store.cc(352) ~StoreEntry: StoreEntry
destructed, this=0x4b943c9abb0
2020/08/26 10:35:44.678| 83,5| src/security/PeerOptions.h(112)
operator(): SSL_CTX destruct, this=0x4bb9e638b00
2020/08/26 10:35:44.686| 83,5| src/security/PeerOptions.h(112)
operator(): SSL_CTX destruct, this=0x4bc0acfac80
2020/08/26 10:35:44.686| 83,5| src/security/PeerOptions.h(112)
operator(): SSL_CTX destruct, this=0x4bb4a362600
-->8--
squid.conf, now looks like :
--8<--
debug_options ALL,5
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network
(LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space
(CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly
plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network
(LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network
(LAN)
acl localnet src fc00::/7 # RFC 4193 local private network
range
acl localnet src fe80::/10 # RFC 4291 link-local (directly
plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl bad_urls urlpath_regex -i "/etc/squid/bad_urls"
acl bad_domains dstdomain "/etc/squid/bad_domains"
http_access deny bad_urls
http_access deny bad_domains
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128 ssl-bump generate-host-certificates=on
dynamic_cert_mem_cache_size=4MB \
tls-cert=/etc/squid/squid.pem
acl step1 at_step SslBump1
ssl_bump peek step1
acl step2 at_step SslBump2
ssl_bump stare step2
ssl_bump bump all
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s
/var/squid/ssl_db -M 4MB
sslcrtd_children 5
sslproxy_cert_sign signTrusted
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/squid/cache 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_mgr informatique at lab.local
--8<--
Le 2020-08-26 09:36, Amos Jeffries a écrit :
> On 25/08/20 10:35 pm, Eric F. wrote:
> FYI, LibreSSL is not formally supported due to the number of
> behavioural
> differences it now has with OpenSSL. SSL-Bump is a mix of custom Squid
> code and relatively low-level calls into OpenSSL. While LibreSSL
> usually
> builds, we cannot guarantee those low-level calls do what SSL-Bump
> expects.
Which Linux distribution do you advise me ?? Do i need to forget OpenBSD
?
Thank you so much!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cert-added.png
Type: image/png
Size: 2981 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20200826/ec6e19ab/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: config-proxy-10.png
Type: image/png
Size: 12540 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20200826/ec6e19ab/attachment-0003.png>
More information about the squid-users
mailing list