Configure SSL Bump on squid 3.3

From Hawk Wiki

Squid and ssl bump

yum -y install squid

Generate a self-signed CA certificate (squid.pem holds both the key and the certificate)

# Note: 1024-bit RSA is below current minimums; rsa:2048 or larger is the practical choice today
openssl req -new -newkey rsa:1024 -days 1365 -nodes -x509 -keyout squid.pem -out squid.pem
# Export the certificate in DER form so it can be imported into client trust stores
openssl x509 -in squid.pem -outform DER -out squid.der

Edit squid.conf

sudo vim /etc/squid/squid.conf

Add or edit the following items to enable ssl-bump:

http_port 9876 ssl-bump cert=/path/squid.pem
# allow all for testing only: this makes an open proxy, so restrict it to your client networks before exposing the port
http_access allow all
# Bumped requests have relative URLs so Squid has to use reverse proxy
# or accelerator code. By default, that code denies direct forwarding.
# The need for this option may disappear in the future.
always_direct allow all

# sites that must not be bumped (.example.com is a placeholder; list your own domains)
acl broken_sites dstdomain .example.com
ssl_bump none broken_sites
ssl_bump client-first all

I ran into a problem after starting squid with ssl bump. In /var/log/squid/cache.log:

2015/08/12 21:42:13 kid1| /var/lib/ssl_db: (2) No such file or directory
2015/08/12 21:42:13 kid1| helperOpenServers: Starting 5/32 'ssl_crtd' processes
(ssl_crtd): Uninitialized SSL certificate database directory: /var/lib/ssl_db. To initialize, run "ssl_crtd -c -s /var/lib/ssl_db".

Then I did

# the database directory must be writable by the user squid runs as (cache_effective_user)
/usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db

Then start squid again

sudo service squid start

Enable ssl-bump only for certain domains

# .example.com is a placeholder; list the sites you actually want to bump
acl ssl_bump_sites dstdomain .example.com
# allow/deny are legacy keywords in 3.3; client-first and none are the explicit modes
ssl_bump client-first ssl_bump_sites
ssl_bump none all

Allow specific sites whose certificates fail validation

# .example.com is a placeholder; every certificate error is ignored for listed domains, so keep this list short
acl BrokenButTrustedServers dstdomain .example.com
sslproxy_cert_error allow BrokenButTrustedServers
sslproxy_cert_error deny all
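The directives above are easy to leave in their "testing" form. The following shell helper is an added example, not from this wiki page or from the Squid project: it normalises a squid.conf and flags the lab-only settings (open http_access, blanket sslproxy_cert_error, legacy ssl_bump allow/deny, empty dstdomain ACLs). The two sample configs and the domain .example.com are constructed placeholders.

```shell
# Added example (not from the wiki): flag lab-only ssl-bump settings in a squid.conf.
# Prints one WARN line per finding; returns 0 if clean, 1 otherwise.
audit_squid_conf() {
    conf="$1"
    norm=$(mktemp)
    # Drop comments and blank lines, squeeze whitespace: one canonical line per directive.
    sed -e 's/#.*$//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/^ //' -e 's/ $//' "$conf" \
        | grep -v '^$' > "$norm" || true
    findings=0
    while IFS= read -r line; do
        case "$line" in
            "http_access allow all")
                echo "WARN '$line': open proxy, any client can relay through squid" ;;
            "sslproxy_cert_error allow all")
                echo "WARN '$line': upstream certificate errors ignored for every site" ;;
            "ssl_bump allow "*|"ssl_bump deny "*)
                echo "WARN '$line': legacy allow/deny, use client-first, server-first or none" ;;
            "acl "*" dstdomain")
                echo "WARN '$line': dstdomain ACL with no domains, it can never match" ;;
            *) continue ;;
        esac
        findings=$((findings + 1))
    done < "$norm"
    rm -f "$norm"
    [ "$findings" -eq 0 ]
}
# Constructed sample: the testing config from the page, plus an empty ACL.
LAB_CONF=$(mktemp)
cat > "$LAB_CONF" <<'EOF'
# allow all for testing
http_access   allow all
acl ssl_bum_sites dstdomain
ssl_bump allow ssl_bum_sites
ssl_bump deny all
sslproxy_cert_error allow all
EOF
# Constructed sample: same intent with the holes closed (.example.com is a placeholder).
PROD_CONF=$(mktemp)
cat > "$PROD_CONF" <<'EOF'
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
acl bump_sites dstdomain .example.com
ssl_bump client-first bump_sites
ssl_bump none all
sslproxy_cert_error deny all
EOF
audit_squid_conf "$LAB_CONF" || echo "lab config: needs hardening"
audit_squid_conf "$PROD_CONF" && echo "prod config: clean"
```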

squid redirect/rewrite