Configure SSL Bump on squid 3.3

From Hawk Wiki
Revision as of 05:11, 13 August 2015 by Hall


Squid and ssl bump

yum -y install squid

https://www.digitalocean.com/community/tutorials/how-to-install-squid-proxy-on-centos-6

Generate self signed certificate

# one file holding both the CA private key and its self-signed certificate (squid reads both from cert=)
# note: rsa:1024 is below today's minimum key size; modern clients may reject certificates signed with it
openssl req -new -newkey rsa:1024 -days 1365 -nodes -x509 -keyout squid.pem -out squid.pem
# DER export of the CA certificate only, for importing into client trust stores
openssl x509 -in squid.pem -outform DER -out squid.der

Edit squid.conf

sudo vim /etc/squid/squid.conf

Add/Edit the following items to enable sslbump

http_port 9876 ssl-bump cert=/path/squid.pem
# allow all for testing
http_access allow all
# Bumped requests have relative URLs so Squid has to use reverse proxy
# or accelerator code. By default, that code denies direct forwarding.
# The need for this option may disappear in the future.
always_direct allow all

acl broken_sites dstdomain .apple.com .itunes.com
ssl_bump none broken_sites
ssl_bump client-first all

I ran into a problem after starting squid with ssl bump. In /var/log/squid/cache.log:

2015/08/12 21:42:13 kid1| /var/lib/ssl_db: (2) No such file or directory
2015/08/12 21:42:13 kid1| helperOpenServers: Starting 5/32 'ssl_crtd' processes
(ssl_crtd): Uninitialized SSL certificate database directory: /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".

Then I did

/usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db

Then restart squid

sudo service squid start
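The failure above is only visible in cache.log, and squid keeps running without a working certificate helper until someone reads it. The following added example (mine, not from this wiki page or from the Squid project) scans cache.log lines for the two messages quoted above, pulls out the database path and the command squid itself suggests, and checks whether a directory has been initialized. The log lines are constructed from the excerpt above plus one ordinary start-up line; the layout check assumes that ssl_crtd -c creates index.txt in the database directory.

```python
"""Spot an uninitialized ssl_crtd database from cache.log before clients notice.

Added example (not from the wiki page or from the Squid project): it scans
cache.log lines for the two messages quoted on the page and checks whether
the database directory has been initialized.
"""
import os
import re
import tempfile

# Constructed sample: the three lines quoted on the page plus one ordinary line.
SAMPLE_LOG = """\
2015/08/12 21:42:13 kid1| /var/lib/ssl_db: (2) No such file or directory
2015/08/12 21:42:13 kid1| helperOpenServers: Starting 5/32 'ssl_crtd' processes
(ssl_crtd): Uninitialized SSL certificate database directory: /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".
2015/08/12 21:42:13 kid1| Accepting HTTP Socket connections at local=[::]:9876 remote=[::] FD 12 flags=9
"""

# '(ssl_crtd): Uninitialized SSL certificate database directory: <dir>. To initialize, run "<cmd>".'
UNINIT_RE = re.compile(
    r'Uninitialized SSL certificate database directory: (?P<db>\S+?)\.? '
    r'To initialize, run "(?P<cmd>[^"]+)"')
# '<date> <time> kidN| <path>: (2) No such file or directory'  (errno 2 = ENOENT)
ENOENT_RE = re.compile(r'^\S+ \S+ kid\d+\| (?P<path>/\S+): \(2\) No such file or directory')


def find_ssl_db_problems(log_text):
    """Return one dict per ssl_db-related line, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = UNINIT_RE.search(line)
        if m:
            findings.append({"kind": "uninitialized", "db": m.group("db"), "fix": m.group("cmd")})
            continue
        m = ENOENT_RE.match(line)
        if m:
            findings.append({"kind": "missing", "path": m.group("path")})
    return findings


def ssl_db_initialized(db_dir):
    """True if the directory carries the index.txt that 'ssl_crtd -c -s <dir>' creates.

    Assumption stated here: ssl_crtd lays out the database as index.txt, size and
    a certs/ subdirectory, and the helper refuses to start when index.txt is absent.
    """
    return os.path.isfile(os.path.join(db_dir, "index.txt"))


def simulate_init_check():
    """Run ssl_db_initialized() on an empty temp dir, then again after creating index.txt.

    Stands in for running ssl_crtd itself, so the example works without squid installed.
    """
    with tempfile.TemporaryDirectory() as db_dir:
        before = ssl_db_initialized(db_dir)
        open(os.path.join(db_dir, "index.txt"), "w").close()
        after = ssl_db_initialized(db_dir)
    return before, after


if __name__ == "__main__":
    for f in find_ssl_db_problems(SAMPLE_LOG):
        if f["kind"] == "uninitialized":
            print(f"ssl_db at {f['db']} is not initialized; squid suggests: {f['fix']}")
        else:
            print(f"path reported missing: {f['path']}")
    print("init check (empty dir, after index.txt):", simulate_init_check())
```

One caveat worth adding to the fix step: if the initialization command is run as root, the database directory is owned by root, and the squid worker (which drops to the squid user) cannot write new certificates into it; chown the directory to the user squid runs as after initializing it.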

Enable sslbump for certain domains

acl ssl_bump_sites dstdomain .immomo.com dev.hawkguide.com
# first matching ssl_bump rule wins, so the catch-all deny must stay last
ssl_bump allow ssl_bump_sites
ssl_bump deny all

Allow untrusted sites

acl BrokenButTrustedServers dstdomain dev.hawkguide.com
sslproxy_cert_error allow BrokenButTrustedServers
sslproxy_cert_error deny all
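The three config fragments above (the bump port and ACLs, the per-domain bump list, and the sslproxy_cert_error exceptions) share one failure mode: squid evaluates these access lists top down and stops at the first match, so a misspelled ACL name or a rule placed after a "deny all" silently does nothing. The following added example (mine, not from this wiki page or from the Squid project) is a small static checker for exactly the directives used on this page. Both sample configurations are constructed; the first is the page's own directives in one file, the second deliberately contains a misspelled ACL name, an unreachable rule and a bump port without cert=.

```python
"""Static sanity check for the SSL Bump directives in a squid.conf.

Added example (not from the wiki page or from the Squid project). It parses
the handful of directives used on the page and reports the mistakes that
squid itself only reveals at start-up or, worse, not at all.
"""

# Constructed sample: the directives shown on the page, in one file.
SAMPLE_CONF = """\
http_port 9876 ssl-bump cert=/path/squid.pem
# allow all for testing
http_access allow all
always_direct allow all
acl broken_sites dstdomain .apple.com .itunes.com
ssl_bump none broken_sites
ssl_bump client-first all
acl BrokenButTrustedServers dstdomain dev.hawkguide.com
sslproxy_cert_error allow BrokenButTrustedServers
sslproxy_cert_error deny all
"""

# Constructed sample with the errors this checker is meant to catch:
# a misspelled acl name, a rule after the 'deny all' catch-all, no cert= on the port.
BAD_CONF = """\
http_port 9876 ssl-bump
acl ssl_bum_sites dstdomain .immomo.com dev.hawkguide.com
ssl_bump allow ssl_bump_sites
ssl_bump deny all
ssl_bump allow broken_sites
"""

# Directives whose arguments are "<action> <acl> [<acl> ...]".
ACL_RULES = {"ssl_bump", "sslproxy_cert_error", "http_access", "always_direct"}


def parse_conf(text):
    """Return (acls, rules, ports) from squid.conf text.

    acls:  name -> (type, [values]); repeated 'acl' lines for one name merge.
    rules: (lineno, directive, action, [acl names]) in file order.
    ports: (lineno, [options after the port]) for each http_port line.
    """
    acls, rules, ports = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0]
        if directive == "acl" and len(parts) >= 3:
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif directive == "http_port" and len(parts) >= 2:
            ports.append((lineno, parts[2:]))
        elif directive in ACL_RULES and len(parts) >= 2:
            rules.append((lineno, directive, parts[1], parts[2:]))
    return acls, rules, ports


def check(text):
    """Return a list of (lineno, message) problems; an empty list means none found."""
    acls, rules, ports = parse_conf(text)
    problems = []
    catchall_seen = set()
    for lineno, directive, action, names in rules:
        # 1. every acl a rule names must exist ('all' is built in, '!' negates)
        for name in names:
            if name.lstrip("!") != "all" and name.lstrip("!") not in acls:
                problems.append((lineno, f"{directive} references undefined acl '{name}'"))
        # 2. squid stops at the first matching rule, so anything after
        #    '<directive> <action> all' for the same directive is never reached
        if directive in catchall_seen:
            problems.append((lineno, f"{directive} rule is unreachable after an earlier 'all' catch-all"))
        elif names == ["all"]:
            catchall_seen.add(directive)
        # 3. 'http_access allow all' is an open proxy: acceptable on a test box only
        if directive == "http_access" and action == "allow" and names == ["all"]:
            problems.append((lineno, "http_access allow all leaves the proxy open to any client"))
    # 4. a bumping port needs the CA cert/key squid signs the generated certificates with
    for lineno, opts in ports:
        if "ssl-bump" in opts and not any(o.startswith("cert=") for o in opts):
            problems.append((lineno, "http_port has ssl-bump but no cert="))
    return problems


if __name__ == "__main__":
    for name, conf in (("page config", SAMPLE_CONF), ("bad config", BAD_CONF)):
        print(f"== {name}")
        for lineno, msg in check(conf) or [(0, "no problems found")]:
            print(f"  line {lineno}: {msg}")
```

Run it against the real file with `check(open("/etc/squid/squid.conf").read())` before restarting squid; it only knows the four directives listed in ACL_RULES, so anything else in the file is ignored rather than validated.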

squid redirect/rewrite

see http://www.powershelladmin.com/wiki/Linux_squid_proxy_url_rewriting_or_redirection