software:squid


squid cert

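# Create the private CA that squid uses to sign the per-host certificates it
# generates while bumping TLS connections.
cd /etc/squid
mkdir ssl_cert
# chown requires the directory as its operand; without it the command fails
# with "missing operand" and the directory stays owned by root.
chown squid:squid ssl_cert
# Only the owner may enter the directory holding the CA private key.
chmod 700 ssl_cert
cd ssl_cert
# -keyout and -out name the same file, so myCA.pem holds BOTH the unencrypted
# (-nodes) private key and the self-signed CA certificate (valid 365 days).
# That file is the proxy's signing secret and must never be handed to clients.
openssl req -new -newkey rsa:2048 -sha256 -days 365 \
  -nodes -x509 -extensions v3_ca -keyout myCA.pem  -out myCA.pem

# Export only the certificate (openssl x509 reads just the certificate part of
# the PEM) in DER format; this is the file to import into client browsers /
# trust stores.
openssl x509 -in myCA.pem -outform DER -out myCA.der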

squid installation

# RHEL 7.3 comes with squid 3.5; install it non-interactively.
yum install -y squid

# Then edit the proxy configuration (the relevant directives follow).
vi /etc/squid/squid.conf
[..]
#############
# Alternative listener on 443 (kept disabled; the active listener is 3128 below).
# http_port 443 ssl-bump generate-host-certificates=on \
#   dynamic_cert_mem_cache_size=8MB cert=/etc/squid/ssl_cert/myCA.pem

# Bumping listener: cert= points at the combined key+certificate file created
# in the "squid cert" section; generate-host-certificates=on lets squid mint a
# per-host leaf certificate signed by that CA, cached in memory (4MB).
http_port 3128 ssl-bump \
  cert=/etc/squid/ssl_cert/myCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# 3.3 (legacy syntax, disabled).
# NOTE(review): "sslproxy_cert_error allow all" and "DONT_VERIFY_PEER" switch
# off validation of the origin server's certificate, so a bumped client could
# no longer detect a forged or expired upstream certificate. Leave them
# commented out even on 3.3.
#ssl_bump server-first all
#sslproxy_cert_error allow all
#sslproxy_flags DONT_VERIFY_PEER
#sslcrtd_program /usr/lib64/squid/ssl_crtd -s /etc/squid/var/lib/ssl_db -M 4MB
#sslcrtd_children 50

# For squid 3.5.x
# Certificate-generator helper and its on-disk cache (-s) with a 4MB limit (-M).
# The ssl_db directory must exist and be initialised by ssl_crtd before squid
# starts; that step is not shown on this page.
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /etc/squid/var/lib/ssl_db -M 4MB
# Step 1: peek at the client's TLS hello without altering it, then bump every
# connection - all client TLS traffic is decrypted and re-signed by the proxy.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

test

  • set up squid in one KVM guest as described above
  • run apache in a second KVM guest
# On the host, start proxytunnel listening locally on port 7000 (-a); anything
# sent there is relayed through the squid proxy (-p) to the web server (-d),
# so the openssl s_client calls below really traverse the proxy.
proxytunnel -a 7000 -p ip-proxy:3128 -d ip-webserver:443

$ openssl s_client -connect 127.0.0.1:7000
CONNECTED(00000003)
[..]
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
[..]

$ openssl s_client -connect 127.0.0.1:7000 -tls1
CONNECTED(00000003)
[..]
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
[..]