RE: [squid-users] Re: HTTPS traffic in normal transparent proxy

From: Heinrich Hirtzel <heinrichhirtzel99_at_hotmail.com>
Date: Fri, 2 Nov 2012 14:20:15 +0100

Ok, here are my results:

3.1.2    -> didn't manage to get SSL interception working
3.2.3    -> didn't manage to get SSL interception working
3.3.0.1 -> WORKS!

What I did:
wget http://www.squid-cache.org/Versions/v3/3.3/squid-3.3.0.1.tar.gz
tar xfvz squid-3.3.0.1.tar.gz
cd squid-3.3.0.1
./configure --enable-ssl --enable-ssl-crtd
make all
make install
cd /usr/local/squid
mkdir ssl_cert
cd ssl_cert
# self-signed CA; the private key and the certificate both end up in myCA.pem
openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
# DER-encoded copy of the CA certificate
openssl x509 -in myCA.pem -outform DER -out myCA.der
# ssl_crtd needs /usr/local/squid/var/lib to exist before it can create ssl_db
mkdir -p /usr/local/squid/var/lib
/usr/local/squid/libexec/ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db
chown -R nobody /usr/local/squid/var/lib/ssl_db

Config (/usr/local/squid/etc/squid.conf):
================================
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem
always_direct allow all
ssl_bump allow all
# the following two options are unsafe and not always necessary:
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

acl our_networks src <yournetwork/cidr>
http_access allow our_networks

sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB
sslcrtd_children 5
================================

Ensure that /usr/local/squid/var/logs/access.log and /usr/local/squid/var/logs/cache.log exist (the dirty way: touch & chmod 777).

In short: Use 3.3 beta and you won't have any problems. If I had known that before, I wouldn't have had to spend 2 days with Squid 3.1.2 and 3.2.3....

----------------------------------------
> From: heinrichhirtzel99_at_hotmail.com
> To: m.ferlitsch_at_gmail.com; squid-users_at_squid-cache.org
> Date: Fri, 2 Nov 2012 13:36:42 +0100
> Subject: RE: [squid-users] Re: HTTPS traffic in normal transparent proxy
>
>
> > Could you resolve this issue?
> Na, unfortunately not. I've tried some other squid configurations and now I'm getting "Invalid URL: /".
> I'm currently setting up a VM with squid 3.3. (beta), will post the test result here as soon as I have them.
>
> > I thought that ssl-bump was made for this. In my case the security is
> > unimportant. But why does it not work?
> If you have an answer to that question please let me know :-)
>
> ----------------------------------------
> > Date: Fri, 2 Nov 2012 05:31:36 -0700
> > From: m.ferlitsch_at_gmail.com
> > To: squid-users_at_squid-cache.org
> > Subject: [squid-users] Re: HTTPS traffic in normal transparent proxy
> >
> > Could you resolve this issue?
> >
> > I only tried it with firefox on clients. But I think that IE has the same
> > problems.
> >
> > I thought that ssl-bump was made for this. In my case the security is
> > unimportant. But why does it not work?
> >
>
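The config above marks `sslproxy_cert_error allow all` and `sslproxy_flags DONT_VERIFY_PEER` as unsafe, and the openssl command puts the CA's private key in the same file that `cert=` points at. As an added example (not from the post or from the Squid project; the function name and finding messages are my own), a POSIX sh audit that reports those two options when they are active and checks that a `cert=` file holding a private key is not world-readable:

```shell
#!/bin/sh
# Added example: audit a squid.conf for the SSL-bump settings discussed in the
# thread. Function name and messages are assumptions, not Squid's own tooling.

# audit_squid_ssl_bump CONF
# Prints one line per finding; the return value is the number of findings.
audit_squid_ssl_bump() {
    conf="$1"
    findings=0

    # Drop comments first, so a commented-out option is not reported.
    stripped=$(sed 's/#.*$//' "$conf")

    # DONT_VERIFY_PEER turns off validation of the origin server's certificate,
    # so the proxy will bump a connection to an impostor without noticing.
    if printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*sslproxy_flags[[:space:]].*DONT_VERIFY_PEER'; then
        echo "FINDING: sslproxy_flags DONT_VERIFY_PEER disables upstream certificate validation"
        findings=$((findings + 1))
    fi

    # "allow all" here hides every upstream certificate error from the client.
    if printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*sslproxy_cert_error[[:space:]]+allow[[:space:]]+all'; then
        echo "FINDING: sslproxy_cert_error allow all suppresses upstream certificate errors"
        findings=$((findings + 1))
    fi

    # cert= on http_port names the CA that signs the generated certificates.
    # The post's openssl command writes key and cert into the same file, so
    # that file must not be readable by every account on the box.
    for certfile in $(printf '%s\n' "$stripped" | sed -n 's/.*[[:space:]]cert=\([^[:space:]]*\).*/\1/p'); do
        if [ ! -f "$certfile" ]; then
            echo "FINDING: cert file $certfile does not exist"
            findings=$((findings + 1))
        elif grep -q 'PRIVATE KEY' "$certfile" && [ -n "$(find "$certfile" -perm -004 2>/dev/null)" ]; then
            echo "FINDING: $certfile contains the CA private key and is world-readable"
            findings=$((findings + 1))
        fi
    done

    return "$findings"
}

# Usage: sh audit.sh /usr/local/squid/etc/squid.conf
if [ $# -eq 1 ]; then
    audit_squid_ssl_bump "$1"
fi
```

Run it against the config from the post and it reports three findings; comment out the two options and `chmod 600` the CA file and it reports none.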
Received on Fri Nov 02 2012 - 13:20:22 MDT

This archive was generated by hypermail 2.2.0 : Fri Nov 02 2012 - 12:00:03 MDT