Using Squid to Proxy SSL (SSL Bumping) sites in Amazon Linux 2
It is recommended to configure SSL Bumping in the Squid service to handle encrypted connections. Without SSL Bumping the proxy can only tunnel HTTPS connections as opaque CONNECT traffic; it cannot inspect or filter what passes through them.
SSL Bumping requires an SSL certificate and a private key in PEM format.
- Create a working directory and change into it. To do so, execute the commands:
mkdir /tmp/ssl_cert1
cd /tmp/ssl_cert1
- Create a self-signed CA certificate. To do so, execute the command:
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout squid-ca-key.key -out squid-ca-cert.crt
You will be prompted to fill in the subject fields of the certificate. The certificate file squid-ca-cert.crt and the private key file squid-ca-key.key are created in PEM format. The key signs every certificate the proxy generates for bumped sites, so it must never leave the proxy host.
- Convert the certificate into DER format so that it can be imported into a browser. To do so, execute the command:
openssl x509 -in squid-ca-cert.crt -outform DER -out squid-ca-cert.der
Distribute squid-ca-cert.der (only the certificate, never the key) to the clients that will use the proxy.
To configure SSL Bumping in the Squid service (these steps assume Squid 4):
1. Make sure that the installed Squid build supports the necessary options. To do so, execute the command:
squid -v
The configure options line of the output must contain the --enable-ssl-crtd and --with-openssl values.
2. Combine the certificate and the key into one PEM file and move the files to a location Squid can read:
cat squid-ca-cert.crt squid-ca-key.key > squid-ca-cert-key.pem
sudo mkdir -p /etc/squid/ssl_cert
sudo mv squid-ca-key.key squid-ca-cert-key.pem /etc/squid/ssl_cert/
sudo cp squid-ca-cert.crt /etc/squid/ssl_cert/
sudo chown -R squid:squid /etc/squid/ssl_cert/
The certificate stays in /tmp/ssl_cert1 for the client trust step below; the private key does not.
3. Generate the parameters file for the Diffie-Hellman key exchange. To do so, execute the command:
openssl dhparam -outform PEM -out /etc/squid/ssl_cert/squid-dhparam.pem 2048
4. Configure the permissions of the certificate files so that only the squid user can read them:
chown -R squid:squid /etc/squid/ssl_cert/
chmod 400 /etc/squid/ssl_cert/*
5. Stop the Squid service if it is running. To do so, execute the command:
service squid stop
6. Create a directory for the certificate database and initialize the database. To do so, run the following commands:
mkdir -p /var/lib/squid
rm -rf /var/lib/squid/ssl_db
/usr/lib64/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 20MB
chown -R squid:squid /var/lib/squid
7. In the /etc/squid/squid.conf configuration file, make the following changes:
a. Add the following directives at the beginning of the file, or at least before the first http_access directive, so that Squid itself is allowed to fetch missing intermediate certificates:
acl intermediate_fetching transaction_initiator certificate-fetching
http_access allow intermediate_fetching
b. Add the following directives to the end of the file:
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 20MB
sslcrtd_children 5
ssl_bump stare all
ssl_bump bump all
sslproxy_cert_error allow all
The ssl_bump rules are evaluated at each bumping step and rules whose action is impossible at the current step are ignored, so stare handles steps 1 and 2 and bump handles step 3; the legacy server-first action only applies at step 1 and would leave step 3 without a matching rule. Be aware that sslproxy_cert_error allow all makes Squid accept any origin certificate, including expired, self-signed or mismatched ones, and re-sign it with the CA the clients trust, so clients can no longer notice a bad origin certificate. Narrow it to specific destinations with an ACL, or remove it once the deployment works.
c. Replace the http_port directive with the following:
http_port 3128 tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/etc/squid/ssl_cert/squid-ca-cert.crt tls-key=/etc/squid/ssl_cert/squid-ca-key.key cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/squid/ssl_cert/squid-dhparam.pem
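The directives in step 7 are easy to get subtly wrong: a legacy ssl_bump action that is silently ignored at step 3, a duplicated line, a DH parameters file in the wrong format, or a blanket sslproxy_cert_error allow all that hides bad origin certificates from every client. The following Python script is an added example, not part of this guide or of the Squid project: it lints the SSL-bump portion of a squid.conf for exactly those points. The two configurations embedded in it are constructed for the example; WEAK_CONF carries the common mistakes, HARDENED_CONF the corrected set.

```python
"""Lint the SSL-bump section of a squid.conf (Squid 4 directive names).

Added example for this guide; not code from the Squid project. Both sample
configurations below are constructed for the example.
"""
from collections import Counter

# Constructed sample carrying the mistakes the linter looks for.
WEAK_CONF = """\
acl intermediate_fetching transaction_initiator certificate-fetching
http_access allow intermediate_fetching
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/etc/squid/ssl_cert/squid-ca-cert.crt tls-key=/etc/squid/ssl_cert/squid-ca-key.key options=NO_TLSv1,NO_SSLv3 tls-dh=prime256v1:/etc/squid/ssl_cert/squid-dhparam.der
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 20MB
sslproxy_cert_error allow all
ssl_bump stare all
sslcrtd_children 5
ssl_bump server-first all
sslproxy_cert_error allow all
"""

# Constructed sample: the same deployment with the issues corrected.
HARDENED_CONF = """\
acl intermediate_fetching transaction_initiator certificate-fetching
http_access allow intermediate_fetching
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/etc/squid/ssl_cert/squid-ca-cert.crt tls-key=/etc/squid/ssl_cert/squid-ca-key.key options=NO_TLSv1,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/squid/ssl_cert/squid-dhparam.pem
sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 20MB
sslcrtd_children 5
ssl_bump stare all
ssl_bump bump all
"""


def parse_directives(text):
    """Return (name, args) pairs; comments and blank lines are dropped."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out


def port_options(args):
    """Split http_port/https_port arguments into (port, {option: value}).
    Bare flags such as ssl-bump map to True."""
    opts = {}
    for tok in args[1:]:
        key, sep, val = tok.partition("=")
        opts[key] = val if sep else True
    return (args[0] if args else ""), opts


def lint_squid_conf(text):
    """Return an ordered list of unique findings; [] means nothing flagged."""
    findings = []
    directives = parse_directives(text)
    names = {n for n, _ in directives}

    for name, args in directives:
        # Legacy modes only apply at step 1; after stare, step 3 needs bump/splice.
        if name == "ssl_bump" and args and args[0] in ("server-first", "client-first"):
            findings.append(f"ssl_bump {args[0]} is a legacy action; use stare/peek then bump/splice")
        # Accepting every upstream error re-signs even a bad origin cert with the trusted CA.
        if name == "sslproxy_cert_error" and args[:2] == ["allow", "all"]:
            findings.append("sslproxy_cert_error allow all hides upstream certificate errors from clients")

    bumping = [(n, *port_options(a)) for n, a in directives
               if n in ("http_port", "https_port") and "ssl-bump" in port_options(a)[1]]
    for name, port, opts in bumping:
        dh = opts.get("tls-dh")
        # tls-dh=[curve:]file expects PEM DH parameters (openssl dhparam -outform PEM).
        if isinstance(dh, str) and not dh.rsplit(":", 1)[-1].endswith(".pem"):
            findings.append(f"{name} {port}: tls-dh should reference a PEM file, got {dh}")
        protos = set(str(opts.get("options", "")).split(","))
        for required in ("NO_SSLv3", "NO_TLSv1"):
            if required not in protos:
                findings.append(f"{name} {port}: options= does not include {required}")
        if opts.get("generate-host-certificates") == "on" and "sslcrtd_program" not in names:
            findings.append(f"{name} {port}: generate-host-certificates=on without sslcrtd_program")

    if bumping:
        # Without this allow rule Squid cannot fetch missing intermediate certificates.
        fetch_acls = {a[0] for n, a in directives
                      if n == "acl" and len(a) >= 3 and a[1] == "transaction_initiator"
                      and "certificate-fetching" in a[2:]}
        if not any(n == "http_access" and a[:1] == ["allow"] and set(a[1:]) & fetch_acls
                   for n, a in directives):
            findings.append("no http_access allow for a transaction_initiator certificate-fetching acl")

    for (n, a), count in Counter((n, tuple(a)) for n, a in directives).items():
        if count > 1:
            findings.append(f"duplicate directive: {n} {' '.join(a)}")

    return list(dict.fromkeys(findings))  # keep order, drop repeats


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        results = lint_squid_conf(conf)
        print(f"{label}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

Run it against a real /etc/squid/squid.conf by reading the file into lint_squid_conf; an empty list is the desired result. The checks only cover the directives this guide touches, so a clean run is not a full Squid security review.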
8. Restart the Squid service. To do so, execute the command:
service squid restart
Trust the CA on the client (Amazon Linux 2 trust store):
- Install the ca-certificates package:
yum install ca-certificates
- Enable the dynamic CA configuration feature:
update-ca-trust force-enable
- Copy the CA certificate into /etc/pki/ca-trust/source/anchors/:
cp squid-ca-cert.crt /etc/pki/ca-trust/source/anchors/
squid-ca-cert.crt is the file created in /tmp/ssl_cert1 on the proxy host; copy it to the client first if the client is a different machine.
- Rebuild the trust store:
update-ca-trust extract
Test:
curl -v --proxy http://<squid-host-ip>:3128 --cacert squid-ca-cert.crt https://google.com
In the verbose output the issuer of the server certificate should be the subject you entered for the Squid CA; that confirms the connection was bumped rather than tunneled. Once the CA is in the system trust store, the --cacert option can be omitted.