I needed a variant of Squid which supported transparent SSL interception (i.e. via iptables redirection) so I could log outgoing HTTPS requests without the client being aware.
The stock wheezy variant doesn’t support SSL (see : Debian Bug Report).
Even after recompiling Wheezy’s squid3 it didn’t seem to work (perhaps my stupidity) so I ended up moving to the latest-and-greatest squid (3.4.9 at the time of writing) and getting that to work. Brief notes follow.

Building overview
- apt-get source squid3
- wget http://www.squid-cache.org/Versions/v3/3.4/squid-3.4.9.tar.gz
- cp squid-3.4.9.tar.gz squid3_3.4.9.orig.tar.gz to keep Debian’s build tools happy.
- tar -zxf squid-3.4.9.tar.gz
- Copy the debian/ directory out of the ‘official’ squid3 package (probably: squid3-3.1.20) and chuck it into your new variant (cp -a squid-3-3.1.20/debian squid-3.4.7/ )
- Edit debian/rules and add in --enable-ssl and --enable-ssl-crtd and --disable-arch-native (else the resultant binary probably won’t run on any other architecture/virtual machine). In my case I also removed a couple of directives (e.g. squid have removed --enable-auth="…" and replaced it with just --enable-auth etc). See the files linked at the bottom of this post.
- Edit debian/changelog, add a new section at the top with a bumped version number and fix with your email address/name etc.
- Try and build it with something like : dpkg-buildpackage -rfakeroot or debuild -us -uc -b and enter your GPG key password when prompted.
- When this fails, fix debian/debian.install and/or debian/rules …
There is a binary .deb linked to from the bottom of this post, which may work/help/save you some time doing the above. But you probably shouldn’t trust me.

Install/Configuration
Install on the remote server. (dpkg -i squid3-*.deb).
You’ll need to generate a certificate for Squid to use when it intercepts SSL requests.
This certificate will be added to the client computer’s trusted certificate store/library/thing (i.e. /usr/local/share/ca-certificates), so as to hopefully stop clients receiving unknown certificate authority SSL error messages all the time.
- openssl genrsa -out squid.key 2048
- openssl req -new -key squid.key -out squid.csr (I used the proxy’s IP address as its CN)
- openssl x509 -req -days 3650 -in squid.csr -signkey squid.key -out squid.crt
- cat squid.key squid.crt > squid.pem
- scp squid.crt root@client_machine:/usr/local/share/ca-certificates/
- ssh root@client_machine /usr/sbin/update-ca-certificates
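The certificate steps above produce a self-signed certificate with no X.509v3 extensions (openssl x509 -req adds none unless told to). The script below is an added example, not part of the original post: it builds the same squid.key/squid.crt/squid.pem set but marks the certificate explicitly as a CA (basicConstraints CA:TRUE, keyCertSign), which is what clients look for on an issuer when validating the per-host certificates ssl_crtd signs under it, then verifies the result and prints a fingerprint to compare against the copy on each client. The output directory, the CN, the script name and the minimal OpenSSL config are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: create the Squid signing CA with
# explicit CA extensions and check it before copying it to clients.
# Output directory, CN and the minimal OpenSSL config below are assumptions.
set -eu

# make_ca OUTDIR CN -> writes squid.key, squid.crt and squid.pem into OUTDIR
make_ca() {
    outdir=$1
    cn=$2
    cfg="$outdir/squid-ca.cnf"
    mkdir -p "$outdir"
    # Minimal config: v3_ca marks the certificate as a CA, which is what
    # clients check when validating the per-host certs ssl_crtd signs with it.
    cat > "$cfg" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$outdir/squid.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 -key "$outdir/squid.key" \
        -config "$cfg" -extensions v3_ca -subj "/CN=$cn" \
        -out "$outdir/squid.crt" 2>/dev/null
    # squid.pem (key + cert) is what the https_port cert= option points at;
    # only squid.crt goes to the clients.
    cat "$outdir/squid.key" "$outdir/squid.crt" > "$outdir/squid.pem"
    chmod 600 "$outdir/squid.key" "$outdir/squid.pem"
}

# check_ca CERT CN -> succeeds only if CERT is a CA certificate with the
# expected CN that is not about to expire
check_ca() {
    cert=$1
    expected_cn=$2
    case "$(openssl x509 -in "$cert" -noout -text)" in
        *"CA:TRUE"*) ;;
        *) echo "$cert: basicConstraints CA:TRUE missing" >&2; return 1 ;;
    esac
    openssl x509 -in "$cert" -noout -subject | grep -q "CN *= *$expected_cn" \
        || { echo "$cert: CN is not $expected_cn" >&2; return 1; }
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null \
        || { echo "$cert: expires within a day" >&2; return 1; }
}

# ca_fingerprint CERT -> SHA-256 fingerprint to compare against the copy in
# /usr/local/share/ca-certificates on each client after update-ca-certificates
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Usage: sh make_squid_ca.sh /etc/squid3/ssl 192.0.2.1
if [ "$#" -eq 2 ]; then
    make_ca "$1" "$2"
    check_ca "$1/squid.crt" "$2"
    ca_fingerprint "$1/squid.crt"
fi
```

Only squid.crt travels to the clients; squid.pem holds the private key and stays on the proxy. The fingerprint printed at the end is the value to compare on each client after update-ca-certificates, since that step trusts whatever file was copied.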
Your squid configuration will probably need to be similar to :
- cat squid.conf.dpkg-dist | grep -v ^# | grep -v ^$ | sponge squid.conf
- the .dpkg-dist file may not exist — use squid.conf if not.
And then containing the following:

```
# stop squid taking forever to restart.
shutdown_lifetime 3
# for clients with a configured proxy.
http_port 3128
# for clients who are sent here via iptables ... REDIRECT.
http_port 3129 intercept
# for https clients who are sent here via iptables ... REDIRECT
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/squid.pem
always_direct allow all
ssl_bump none localhost
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
```
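In the configuration above, sslproxy_flags DONT_VERIFY_PEER together with sslproxy_cert_error allow all means Squid never rejects an upstream server’s certificate, while clients that trust squid.crt see every re-signed connection as valid: the proxy is the only place where the upstream identity could be checked, and these two lines switch that check off. The script below is an added example, not part of the original post: it audits a squid.conf for those directives (after the same comment-stripping as the grep pipeline above) and writes a copy with them removed and an sslproxy_cafile pointing at the system CA bundle. The sample config, the script name and the Debian bundle path /etc/ssl/certs/ca-certificates.crt are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: find the directives in a
# squid.conf that disable upstream certificate verification and write a copy
# without them. The sample config and the Debian CA bundle path are assumptions.
set -eu

# strip_conf FILE -> config minus comments and blank lines
strip_conf() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# audit_squid_conf FILE -> one line per finding on stdout
audit_squid_conf() {
    conf=$(strip_conf "$1" || true)
    if printf '%s\n' "$conf" | grep -q '^[[:space:]]*sslproxy_flags.*DONT_VERIFY_PEER'; then
        echo "WEAK: sslproxy_flags DONT_VERIFY_PEER: upstream certificates are never checked"
    fi
    if printf '%s\n' "$conf" | grep -q '^[[:space:]]*sslproxy_cert_error[[:space:]][[:space:]]*allow[[:space:]][[:space:]]*all'; then
        echo "WEAK: sslproxy_cert_error allow all: upstream certificate errors are ignored"
    fi
    if printf '%s\n' "$conf" | grep -q 'ssl-bump' \
       && ! printf '%s\n' "$conf" | grep -q '^[[:space:]]*sslproxy_cafile'; then
        echo "NOTE: ssl-bump enabled with no sslproxy_cafile: no explicit CA bundle for upstream checks"
    fi
}

# count_findings FILE -> number of findings, as a bare integer
count_findings() {
    audit_squid_conf "$1" | wc -l | tr -d '[:space:]'
}

# harden_squid_conf IN OUT -> IN with the two weak directives dropped and an
# sslproxy_cafile line added if none is present
harden_squid_conf() {
    strip_conf "$1" \
        | grep -v '^[[:space:]]*sslproxy_flags.*DONT_VERIFY_PEER' \
        | grep -v '^[[:space:]]*sslproxy_cert_error[[:space:]][[:space:]]*allow[[:space:]][[:space:]]*all' \
        > "$2"
    # Debian's system bundle (assumed path); Squid verifies upstream servers
    # against it and refuses, rather than re-signs, connections that fail.
    grep -q '^[[:space:]]*sslproxy_cafile' "$2" \
        || echo 'sslproxy_cafile /etc/ssl/certs/ca-certificates.crt' >> "$2"
}

# write_sample_conf FILE -> a constructed config mirroring the one in the post
write_sample_conf() {
    cat > "$1" <<'EOF'
# stop squid taking forever to restart.
shutdown_lifetime 3
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/squid.pem
always_direct allow all
ssl_bump none localhost
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
EOF
}

# Usage: sh audit_squid_conf.sh /etc/squid3/squid.conf [/etc/squid3/squid.conf.hardened]
if [ "$#" -ge 1 ]; then
    audit_squid_conf "$1"
    if [ "$#" -ge 2 ]; then
        harden_squid_conf "$1" "$2"
    fi
fi
```

With verification on, Squid refuses a connection whose upstream certificate fails the check (serving its own error page) instead of re-signing it, so sslproxy_cert_error can still be used to allow a specific error for a specific destination rather than all errors for all of them.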
When you start squid, you’ll notice the ‘ssl_crtd’ binary running. You will probably need to initialise its directories using:

```
/usr/lib/squid3/ssl_crtd -c -s /var/lib/ssl_db/
chown -R proxy /var/lib/ssl_db
```
If stuff is running properly, you’ll see certificates appear in /var/lib/ssl_db/certs as outgoing https requests are made.
So … for any clients with a http_proxy already set, they can use port gateway:3128.
For clients with no proxy setting, iptables will forward packets into gateway:3129 and gateway:3130 – using the rules below.

Help! Squid hates me!
Into /etc/squid3/squid.conf – and restart it.
Once this is done, you should see loads of stuff appearing in /var/log/squid3/cache.log — which may help you.
iptables rules like:

```
/sbin/iptables -t nat -A PREROUTING -p TCP -s 172.30.0.0/16 --dport 80 -j REDIRECT --to-port 3129
/sbin/iptables -t nat -A PREROUTING -p TCP -s 172.30.0.0/16 --dport 443 -j REDIRECT --to-port 3130
```
(Where traffic is assumed to originate on 172.30.x.y, and in this case, Squid is running on the gateway node.)

Possibly useful files
- squid.conf – Squid config
- squid3_3.4.9_amd64.deb – my build .deb package, might work for you. Might not.
- squid3_3.4.9.debian.tar.gz – ‘debian’ directory, contains ./configure options etc (as above)
- squid3_3.4.9.dsc – various signatures, although since my GPG key isn’t uploaded anywhere it’s probably pointless.