Hello, I'm contacting you for some help. I need to deploy a secure proxy based on Squid.
I try to use https_port combined with sslbump. I get an error message about a bungled line.

The reasons I want to do this:
- secure connection between the client browser and the proxy server, so using https_port to do it. Encrypted traffic in TLS between the client and the server.
- secure login connection. So I need to use https_port to do this. Otherwise, if I use http_port, the login/password can be read on the network.
- do SSL inspection of the traffic going through the proxy

What I have done with success:
- https_port without sslbump (traffic between the browser and the client is encrypted. The login/password can't be read on the network)
- ssl-bump on http_port. The SSL inspection is working ... but the connection between the browser and the proxy service is not encrypted

But I can't get 'https_port 3129 ssl-bump' working:

FATAL: ssl-bump on https_port requires tproxy/intercept which is missing.
FATAL: Bungled squid.conf line 49: https_port 3129 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB tls-cert=/etc/squid/squid-cert.pem options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/etc/squid/dhparam.pem

Is there something I have misunderstood? Or am I doing something wrong?
I have generated the certificate and CA with openssl:
* openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout squid-cert.pem -out squid-cert.pem
* openssl x509 -in squid-cert.pem -outform DER -out squid-CA-browser.der
* openssl dhparam -outform PEM -out dhparam.pem 2048

Squid version: 4.4 from EPEL on CentOS 8 with '--enable-ssl' '--enable-ssl-crtd' '--with-openssl'

Squid configuration as follows:
===============================================================
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/htpasswd
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl localnet src 0.0.0.1-0.255.255.255
acl localnet src 192.168.0.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

#squid mgmt interface access
http_access allow localhost manager
http_access deny manager

acl auth_users proxy_auth REQUIRED
http_access allow auth_users
http_access allow localnet
http_access allow localhost

#squid mgmt interface access
http_access allow localhost manager
http_access deny manager
#http_access deny to_localhost
http_access deny all

##Many Tests here :
#http_port 3128 ssl-bump cert=/etc/squid/squid-cert.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
#http_port 3128 ssl-bump tls-cert=/etc/squid/squid-cert.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
#http_port 3128 ssl-bump cert=/etc/squid/squid-cert.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
#https_port 3129 cert=/etc/squid/squid-cert.pem
#https_port 3129 tls-cert=/etc/squid/squid-cert.pem
https_port 3129 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB tls-cert=/etc/squid/squid-cert.pem options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/etc/squid/dhparam.pem

sslcrtd_program /usr/lib64/squid/security_file_certgen
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

tls_outgoing_options min-version=1.0 cipher=HIGH:MEDIUM:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

#LOGS: two options. Sends the logs directly
access_log daemon:/var/log/squid/access.log squid
#access_log tcp://[ip]:[port] squid
access_log syslog:local0.info squid
cache_log /var/log/squid/cache.log rotate=10

#Cache
cache_mem 512 MB
cache_dir ufs /var/spool/squid 10000 16 256
coredump_dir /var/spool/squid
===============================================================

Thank you in advance!
Regards,
_______________________________________________ squid-users mailing list squid-users@lists.squid-cache.org http://lists.squid-cache.org/listinfo/squid-users
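An added example, not part of the thread or of Squid itself: a small squid.conf linter that reproduces the check behind the FATAL quoted in the post (ssl-bump on https_port without intercept/tproxy) and warns when a bumping port has no ssl_bump rules. The two config fragments are constructed for the demonstration; the second only combines the two arrangements the post reports as working separately and is sample input, not a recommended layout.

```python
import shlex

# Constructed sample 1: the https_port block from the post above.
FAILING_CONF = """\
https_port 3129 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB tls-cert=/etc/squid/squid-cert.pem options=SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=/etc/squid/dhparam.pem
sslcrtd_program /usr/lib64/squid/security_file_certgen
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
"""

# Constructed sample 2: TLS-to-proxy port without bumping, bumping on a plain port.
WORKING_CONF = """\
https_port 3129 tls-cert=/etc/squid/squid-cert.pem
http_port 3128 ssl-bump generate-host-certificates=on tls-cert=/etc/squid/squid-cert.pem
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
"""

def parse_directives(text):
    """Yield (directive, args) for each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        yield parts[0], parts[1:]

def lint(text):
    """Return findings as (severity, message) tuples; an empty list means clean."""
    directives = list(parse_directives(text))
    names = {name for name, _ in directives}
    findings = []
    for name, args in directives:
        if name not in ("http_port", "https_port"):
            continue
        flags = set(args[1:])  # args[0] is the [addr:]port
        if "ssl-bump" not in flags:
            continue
        # Mirrors the FATAL in the post: Squid 4 only allows ssl-bump on
        # https_port together with an interception mode flag.
        if name == "https_port" and not flags & {"intercept", "tproxy"}:
            findings.append(("FATAL", f"{name} {args[0]}: ssl-bump on https_port "
                             "requires intercept or tproxy"))
        # Hygiene check: a bumping port with no ssl_bump rules has no bump policy.
        if "ssl_bump" not in names:
            findings.append(("WARN", f"{name} {args[0]}: ssl-bump set but no ssl_bump rules"))
    return findings
```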