On 9/05/2013 12:27 a.m., Mr J Potter wrote:
> Works for me! A few notes for anyone who needs them below.

And some extra notes in case anyone tries to use them ;-)

> Thanks again everyone.
> Jim
> UK
>
> Issues/gotchas:
>
> It doesn't work behind parent proxies.

Well, it requires the parent proxy to be SSL-enabled as well.

> It works with NTLM and ident
>
> You need your own certificate authority on all clients.
>
> To build squid3.2 on debian 7:
>
> dependencies: install everything so you can build squid3.1 from source
>
> get squid 3.2 source and build with:
>
> ./configure \
>   --prefix=/srv/squid32 \
>   --sysconfdir=/srv/squid32/conf \
>   --localstatedir=/srv/squid32/var \
>   --enable-auth \
>   --enable-auth-ntlm="SSPI,smb_lm" \
>   --enable-ssl \
>   --enable-ssl-crtd \
>   --enable-icap-client
Or better grab the 3.3 source package from Sid/Unstable repositories. Add the SSL options above to debian/rules and build. You will also need to install the libssl-dev package for those new options to work.
The 3.3 sources will require some adjustments to the rest of these notes as follows...
> Follow instructions on creating a CA from:
> http://www.mydlp.com/how-to-configure-squid-3-2-ssl-bumping-dynamic-ssl-certificate-generation/
>
> Here's my config
>
> cache_effective_user proxy
>
> #cache_peer caffreys.bristol-cyps.org.uk parent 3128 3130 default
> cache_peer courage.bristol-cyps.org.uk parent 3128 3130 default #no-delay #no-query no-digest no-netdb-exchange ## default
> #cache_peer_access caffreys.bristol-cyps.org.uk allow all
> cache_peer_access courage.bristol-cyps.org.uk allow all
>
> forwarded_for off
>
> url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
>
> #auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> #auth_param ntlm children 20 startup=0 idle=1
> #acl authdUsers proxy_auth REQUIRED
> acl authdUsers ident REQUIRED
>
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7       # RFC 4193 local private network range
> acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
>
> acl HTTPS proto HTTPS
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
>
> ## HTTPS busting bit!!!
> ssl_bump allow all
You probably want to adjust this as you go to add exceptions as you find sites which do not work with bumping or non-HTTPS traffic using CONNECT.
NOTE: with 3.3 sources you can use server-first instead of "allow" for a more user-friendly bump.
> sslproxy_cert_error allow all
NOTE: using "allow all" with sslproxy_cert_error enables any hijacked SSL site to deliver content to your users without validation getting in the way and doing such things as warning them (or you) about the hijack. It is a very *BAD* idea to be this broad, even with the 3.2 configuration.

PS. The 3.3 releases' server-first feature prevents it being necessary almost all of the time, and has some built-in defaults for silencing the "harmless" errors.
> # Or may be deny all according to your company policy
> # sslproxy_cert_error deny all
>
> sslproxy_flags DONT_VERIFY_PEER
This is pretty much the same as "allow all" on cert errors. If you find yourself needing this *at all*, then what you actually need to do is a) update your ca-certificates package. That may involve adding the "failing" server's CA manually to the openssl library configuration; see the openssl documentation for more.
> sslcrtd_program /srv/squid32/libexec/ssl_crtd -s /srv/squid32/var/lib/ssl_db -M 4MB
> sslcrtd_children 5
>
> # Deny CONNECT to other than secure SSL ports
> http_access deny CONNECT !SSL_ports
>
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> #http_access deny to_localhost
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> http_access allow authdUsers
> http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access allow all
NOTE: read the above comment.
> always_direct allow HTTPS
NOTE: the above line disables using the cache_peer for any traffic. Squid-3.2 to 3.4 (at least) do not support wrapping peer requests in CONNECT, so it's a good idea generally, but if you do trust the peer proxy AND the pathway between proxies is secured AND the peer is SSL-enabled it is reasonable to let the bumped requests through to it.
> never_direct allow all
>
> #emulate_httpd_log on
> strip_query_terms off
> #log_fqdn on
>
> logformat squid %ts.%03tu %6tr %>A %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt
Please don't re-define the builtin logformat "squid". Use the one provided or a different name.
PS. the documented format for "squid" is just an approximation using the codes available. The real native squid format has slightly different handling of some fields than the custom codes use.
> dns_nameservers 10.15.244.8 10.15.244.13
>
> # Squid normally listens to port 3128
> #http_port 3128
> http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/srv/squid32/ssl/private.pem cert=/srv/squid32/ssl/public.pem
>
> icp_port 3130
>
> # Uncomment and adjust the following to add a disk cache directory.
> cache_dir ufs /srv/squid32/var/cache/squid 3000 16 256
>
> # Leave coredumps in the first cache dir
> coredump_dir /srv/squid32/var/cache/squid
>
> # Add any of your own refresh_pattern entries above these.
> refresh_pattern ^ftp:             1440    20%     10080
> refresh_pattern ^gopher:          1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0       0%      0
> refresh_pattern .                 0       20%     4320
And the below lines do nothing at all because of "http_access allow all" up above. It would be a good idea to move them back up above the CONNECT rule so these security checks have a chance of working as intended.
> #
> # Recommended minimum Access Permission configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow localhost manager
> http_access deny manager
>
> # Deny requests to certain unsafe ports
> http_access deny !Safe_ports
Amos
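An added example, not part of this thread or of squid itself: a small Python audit of the http_access order as posted, showing why the manager and Safe_ports rules are dead once "http_access allow all" has matched, next to a reordered fragment with the checks first and a real "deny all" last. It also flags the two certificate-validation settings discussed above. The two config fragments are constructed from the rules Jim posted (the ACL names authdUsers, localnet, Safe_ports and SSL_ports are his); the script and its heuristics are my own and are not a squid tool.

```python
"""Audit http_access ordering in a squid.conf fragment.

Squid evaluates http_access lines top to bottom and stops at the first
line whose ACL list matches.  A line whose only ACL is the built-in "all"
therefore matches every request, so every http_access line after it can
never be reached.  That is what "http_access allow all" followed by the
manager / Safe_ports checks does in the posted config.  A second check
flags the blanket certificate-error settings discussed in the thread.
"""


def parse_http_access(conf_text):
    """Return [(lineno, action, acl_tokens)] for each http_access line.

    Text after '#' is a comment in squid.conf, so it is stripped first.
    """
    rules = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        toks = raw.split("#", 1)[0].split()
        if len(toks) >= 2 and toks[0] == "http_access":
            rules.append((lineno, toks[1], toks[2:]))
    return rules


def is_catch_all(acls):
    """True when the ACL list is non-empty and consists only of the
    un-negated built-in "all", i.e. the rule matches every request."""
    return bool(acls) and all(a == "all" for a in acls)


def shadowed_rules(conf_text):
    """Return (terminator, dead): the first catch-all http_access rule
    (or None) and the list of rules after it that can never fire."""
    terminator, dead = None, []
    for rule in parse_http_access(conf_text):
        if terminator is not None:
            dead.append(rule)
        elif is_catch_all(rule[2]):
            terminator = rule
    return terminator, dead


def audit_cert_checks(conf_text):
    """Flag settings that silence TLS certificate validation on bumped
    connections: "sslproxy_cert_error allow all" and DONT_VERIFY_PEER."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        toks = raw.split("#", 1)[0].split()
        if toks[:3] == ["sslproxy_cert_error", "allow", "all"]:
            findings.append((lineno, "sslproxy_cert_error allow all: "
                             "hijacked HTTPS sites are accepted without any warning"))
        if toks[:1] == ["sslproxy_flags"] and "DONT_VERIFY_PEER" in toks[1:]:
            findings.append((lineno, "sslproxy_flags DONT_VERIFY_PEER: "
                             "equivalent to allowing every certificate error"))
    return findings


# Constructed sample: the access rules in the order they were posted.
POSTED_ORDER = """\
http_access deny CONNECT !SSL_ports
http_access allow authdUsers
http_access allow localnet
http_access allow localhost
http_access allow all
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
"""

# Constructed sample: the same rules with the security checks moved first,
# a real "deny all" last, and certificate errors no longer blanket-allowed.
FIXED_ORDER = """\
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow authdUsers
http_access allow localnet
http_access allow localhost
http_access deny all
sslproxy_cert_error deny all
"""


def report(name, conf_text):
    """Print the audit result for one fragment and return the dead rules."""
    terminator, dead = shadowed_rules(conf_text)
    cert_findings = audit_cert_checks(conf_text)
    print(f"== {name} ==")
    for lineno, action, acls in dead:
        print(f"  line {lineno}: http_access {action} {' '.join(acls)} is unreachable "
              f"(line {terminator[0]} matches everything first)")
    for lineno, msg in cert_findings:
        print(f"  line {lineno}: {msg}")
    if not dead and not cert_findings:
        print("  no findings")
    return dead


if __name__ == "__main__":
    report("posted order", POSTED_ORDER)
    report("fixed order", FIXED_ORDER)
```

Run it on a real squid.conf by reading the file into `report()`; the first rule it names as the terminator is where the "deny all" you meant to write has to sit, and everything it lists as unreachable has to move above that line.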