loading...
Cover image for Squid Proxy with SSL Bump

Squid Proxy with SSL Bump

suntong profile image suntong ・2 min read

Reposted from Squid Proxy with SSL Bump (26 JANUARY 2014), with slight editing.

The squid proxy is an amazingly powerful web proxy that can be used from anything to captive portals, redirection, user authentification, logging, and so on; but Squid has always had a limitation where SSL was concerned. Prior to version 3.2, Squid’s method of handling SSL was to simply pass through SSL encrypted traffic as it was un-able to do anything with it with out invalidating the SSL chain of trust, alerting the user for every SSL connection.

However post 3.2+ versions allow a bit more control, allowing creating a local certificate authority and generating chained certificates on the fly, but be aware this method still invalidates the SSL chain of trust.

This how-to is about getting squid running with SSL Bump. The first thing we need to do is make sure that the version of squid you are using is greater than 3.3. While 3.2 is capable of this method, the SSL Bump directive has changed as of version 3.3.

The next thing we need to do is generate a local ssl certificate.

# Generate Private Key
openssl genrsa -out example.com.private 2048  

# Create Certificate Signing Request
openssl req -new -key example.com.private -out example.com.csr

Now we need to sign our Certificate Signing Request.

# Sign Certificate
openssl x509 -req -days 3652 -in example.com.csr -signkey example.com.private -out example.com.cert  

Once that is finished,

  • copy the private key and the certificate to some location where squid can access it,
  • make sure to keep your private key some place secure.
  • The certificate will need to be accessible to the squid proxy user, and installed as a Trusted Root Certificate Authority.

As squid generates certificates it stores a copy of each in a cache directory so that it only has to do it once every so often. So we need to set up it’s certificate cache.

# Generate certificate cache
/usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
# Change ownership of the certificate cache
chown squid: /var/lib/ssl_db 

That should take care of most of the external squid stuff, lets move into the squid configuration...

Detail of the configuration and their explanations omitted in the post. Check the original if you will.

Discussion

pic
Editor guide