software:squid

software:squid [2017/05/17 07:31] (current)
chris created
Line 1: Line 1:
 +===== squid cert =====
 +  * http://​wiki.squid-cache.org/​ConfigExamples/​Intercept/​SslBumpExplicit
 +<​code>​
 +cd /etc/squid
 +mkdir ssl_cert
 +chown squid:squid
 +chmod 700 ssl_cert
 +cd ssl_cert
 +openssl req -new -newkey rsa:2048 -sha256 -days 365 \
 +  -nodes -x509 -extensions v3_ca -keyout myCA.pem ​ -out myCA.pem
  
 +# convert to DER format, which can be imported into client browser
 +openssl x509 -in myCA.pem -outform DER -out myCA.der
 +</​code>​
 +
 +===== squid installation =====
 +<​code>​
 +# rhel7.3, comes with squid 3.5
 +yum -y install squid
 +
 +vi /​etc/​squid/​squid.conf
 +[..]
 +#############​
 +# http_port 443 ssl-bump generate-host-certificates=on \
 +#   ​dynamic_cert_mem_cache_size=8MB cert=/​etc/​squid/​ssl_cert/​myCA.pem
 +
 +http_port 3128 ssl-bump \
 +  cert=/​etc/​squid/​ssl_cert/​myCA.pem \
 +  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
 +
 +# 3.3
 +#ssl_bump server-first all
 +#​sslproxy_cert_error allow all
 +#​sslproxy_flags DONT_VERIFY_PEER
 +#​sslcrtd_program /​usr/​lib64/​squid/​ssl_crtd -s /​etc/​squid/​var/​lib/​ssl_db -M 4MB
 +#​sslcrtd_children 50
 +
 +# For squid 3.5.x
 +sslcrtd_program /​usr/​lib64/​squid/​ssl_crtd -s /​etc/​squid/​var/​lib/​ssl_db -M 4MB
 +acl step1 at_step SslBump1
 +ssl_bump peek step1
 +ssl_bump bump all
 +
 +</​code>​
 +
 +===== test =====
 +  * setup squid in one KVM guest as described above
 +  * run apache in a second KVM guest
 +<​code>​
 +# run this on the host in a terminal, to get the proxy beeing
 +# used by the openssl command we issue later
 +proxytunnel -p ip-proxy:​3128 -d ip-webserver:​443 -a 7000
 +
 +$ openssl s_client -connect 127.0.0.1:​7000
 +CONNECTED(00000003)
 +[..]
 +SSL-Session:​
 +    Protocol ​ : TLSv1.2
 +    Cipher ​   : AES256-GCM-SHA384
 +[..]
 +
 +$ openssl s_client -connect 127.0.0.1:​7000 -tls1
 +CONNECTED(00000003)
 +[..]
 +SSL-Session:​
 +    Protocol ​ : TLSv1
 +    Cipher ​   : AES256-SHA
 +[..]
 +</​code>​
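Review bot: The `chown squid:squid` line in the cert block is missing its operand, so it fails with "missing operand" and `ssl_cert` stays owned by whoever ran the commands; it should read `chown squid:squid ssl_cert` (after the `mkdir`) so the squid helper can read the CA material once the directory is `chmod 700`. That ownership matters because `-keyout myCA.pem -out myCA.pem` writes the unencrypted (`-nodes`) CA private key and the certificate into the same file; only `myCA.der` should ever reach clients, which is safe since `openssl x509 -outform DER` emits the certificate alone, but a comment saying `# myCA.pem holds the private key too - never copy it to clients` would stop readers from shipping the PEM. The 3.5 `sslcrtd_program ... -s /etc/squid/var/lib/ssl_db` line presumably needs that database initialised before squid starts (`/usr/lib64/squid/ssl_crtd -c -s /etc/squid/var/lib/ssl_db` followed by `chown -R squid:squid /etc/squid/var/lib/ssl_db`) — worth adding to the installation block if that is what was done. `ssl_bump bump all` with no `splice` rule intercepts every TLS connection, so a note that pinned or sensitive destinations must be excluded with an `ssl_bump splice` ACL ahead of the `bump all` line would help anyone copying this config.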
software/squid.txt · Last modified: 2017/05/17 07:31 by chris