Configure SSL Bump on squid 3.3

From Hawk Wiki
Revision as of 02:01, 13 August 2015 by Hall (Talk | contribs) (Created page with "<pre>yum -y install squid</pre> https://www.digitalocean.com/community/tutorials/how-to-install-squid-proxy-on-centos-6 Generate self signed certificate <pre> openssl req -ne...")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search 
yum -y install squid

https://www.digitalocean.com/community/tutorials/how-to-install-squid-proxy-on-centos-6

Generate self signed certificate 

openssl req -new -newkey rsa:1024 -days 1365 -nodes -x509 -keyout squid.pem  -out squid.pem
openssl x509 -in myca.pem -outform DER -out myca.der

Edit squid.conf 

sudo vim /etc/squid/squid.conf

Add/Edit the following items to enable sslbump 

http_port 9876 ssl-bump cert=/path/squid.pem
# allow all for testing
http_access allow all
# Bumped requests have relative URLs so Squid has to use reverse proxy
# or accelerator code. By default, that code denies direct forwarding.
# The need for this option may disappear in the future.
always_direct allow all

acl broken_sites dstdomain .apple.com .itunes.com
ssl_bump none broken_sites
ssl_bump client-first all

I met a problem after start squid with ssl bump. In /var/log/squid/cache.log 

2015/08/12 21:42:13 kid1| /var/lib/ssl_db: (2) No such file or directory
2015/08/12 21:42:13 kid1| helperOpenServers: Starting 5/32 'ssl_crtd' processes
(ssl_crtd): Uninitialized SSL certificate database directory: /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".

Then I did 

/usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db

Then restart squid 

sudo service squid start
Retrieved from "http://wiki.hawkguide.com/index.php?title=Configure_SSL_Bump_on_squid_3.3&oldid=490"