David Goodwin

Linux, PHP, running, geeky stuff, Bromsgrove and other bits
Squid 3.4.x with transparent SSL proxying/support for Debian Wheezy.

Wed, 26/11/2014 - 17:28

I needed a variant of Squid which supported transparent SSL interception (i.e. via iptables redirection) so I could log outgoing HTTPS requests without the client being aware.

The stock Wheezy variant doesn’t support SSL (see: Debian Bug Report).

Even after recompiling Wheezy’s squid3 it didn’t seem to work (perhaps my stupidity) so I ended up moving to the latest-and-greatest squid (3.4.9 at the time of writing) and getting that to work. Brief notes follow.

Building overview
  1. apt-get source squid3
  2. wget http://www.squid-cache.org/Versions/v3/3.4/squid-3.4.9.tar.gz
  3. cp squid-3.4.9.tar.gz squid3_3.4.9.orig.tar.gz (to keep Debian’s build tools happy).
  4. tar -zxf squid-3.4.9.tar.gz
  5. Copy the debian/ directory out of the ‘official’ squid3 package (probably: squid3-3.1.20) and chuck it into your new variant (cp -a squid3-3.1.20/debian squid-3.4.9/).
  6. Edit debian/rules and add in --enable-ssl, --enable-ssl-crtd and --disable-arch-native (else the resultant binary probably won’t run on any other architecture/virtual machine). In my case I also removed a couple of directives (e.g. Squid has removed --enable-auth="…" and replaced it with just --enable-auth, etc.). See the files linked at the bottom of this post.
  7. Edit debian/changelog, add a new section at the top with a bumped version number, and fix it up with your email address/name etc.
  8. Try and build it with something like: dpkg-buildpackage -rfakeroot or debuild -us -uc -b, and enter your GPG key password when prompted.
    1. When this fails, fix debian/debian.install and/or debian/rules …

There is a binary .deb linked to from the bottom of this post, which may work/help/save you some time doing the above. But you probably shouldn’t trust me.


Install on the remote server (dpkg -i squid3-*.deb).

You’ll need to generate a certificate for Squid to use when it intercepts SSL requests.

This certificate will be added to the client computer’s trusted certificate store/library/thing (i.e. /usr/local/share/ca-certificates), so as to hopefully stop clients receiving unknown certificate authority SSL error messages all the time.

  • openssl genrsa -out squid.key 2048
  • openssl req -new -key squid.key -out squid.csr (I used the proxy’s IP address as its CN)
  • openssl x509 -req -days 3650 -in squid.csr -signkey squid.key -out squid.crt
  • cat squid.key squid.crt > squid.pem
  • scp squid.crt root@client_machine:/usr/local/share/ca-certificates/
  • ssh root@client_machine /usr/sbin/update-ca-certificates


Your Squid configuration will probably need to be similar to the following. First strip the comments and blank lines out of the shipped file:

  • cat squid.conf.dpkg-dist | grep -v ^# | grep -v ^$ | sponge squid.conf (sponge comes from the moreutils package)
  • the .dpkg-dist file may not exist — use squid.conf if not.

And then it should contain the following stuff:

.....
# stop squid taking forever to restart.
shutdown_lifetime 3
# for clients with a configured proxy.
http_port 3128
# for clients who are sent here via iptables ... REDIRECT.
http_port 3129 intercept
# for https clients who are sent here via iptables ... REDIRECT
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/squid.pem
always_direct allow all
ssl_bump none localhost
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
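As an added example (not from the post), here is a small Python linter for the directives above: it parses the config, confirms the ssl-bump port and its cert= are present, and flags sslproxy_cert_error allow all and sslproxy_flags DONT_VERIFY_PEER, which make Squid accept any upstream certificate and re-sign it with squid.pem so the client never sees the error. The sample config is constructed from the directives shown above.

```python
# Constructed sample: the directives shown in the post, one per line.
SAMPLE_CONF = """\
shutdown_lifetime 3
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/squid.pem
always_direct allow all
ssl_bump none localhost
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
"""

# Directive settings that make Squid accept any upstream certificate.
UNSAFE = {
    "sslproxy_cert_error": ("allow", "all"),  # ignore every validation error
    "sslproxy_flags": ("DONT_VERIFY_PEER",),  # skip chain verification
}

def parse_conf(text):
    """Yield (directive, args) for each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield name, args

def lint(text):
    """Return (severity, message) findings for an ssl-bump squid.conf."""
    findings = []
    directives = list(parse_conf(text))
    bumping = [a for d, a in directives if d == "https_port" and "ssl-bump" in a]
    if not bumping:
        findings.append(("error", "no 'https_port ... intercept ssl-bump': HTTPS is not intercepted"))
    elif not any(x.startswith("cert=") for a in bumping for x in a):
        findings.append(("error", "https_port ssl-bump lacks cert=: ssl_crtd cannot sign host certs"))
    for name, args in directives:
        bad = UNSAFE.get(name)
        if bad and all(tok in args for tok in bad):
            # A bad upstream cert gets re-signed by squid.pem and trusted by clients.
            findings.append(("high", "%s %s: upstream TLS errors are hidden" % (name, " ".join(args))))
        if name == "ssl_bump" and args[:1] == ["server-first"] and "all" in args:
            findings.append(("info", "ssl_bump server-first all: every HTTPS session is decrypted"))
    return findings

def harden(text):
    """Drop the directives that disable upstream certificate verification."""
    kept = [l for l in text.splitlines() if l.split(" ", 1)[0] not in UNSAFE]
    return "\n".join(kept) + "\n"
```

Run lint(SAMPLE_CONF) to see the two high findings; lint(harden(SAMPLE_CONF)) reports none, at the cost of clients seeing (correct) certificate errors for broken upstreams.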

When you start Squid, you’ll notice the ‘ssl_crtd’ binary running. You will probably need to initialise its directories using:

/usr/lib/squid3/ssl_crtd -c -s /var/lib/ssl_db/
chown -R proxy /var/lib/ssl_db

If stuff is running properly, you’ll see certificates appear in /var/lib/ssl_db/certs as outgoing https requests are made.

So … for any clients with a http_proxy already set, they can use port gateway:3128.

For clients with no proxy setting, iptables will forward packets into gateway:3129 and gateway:3130 – using the rules below.

Help, Squid hates me!

Add :

debug_options ALL,2

Into /etc/squid3/squid.conf – and restart it.

Once this is done, you should see loads of stuff appearing in /var/log/squid3/cache.log — which may help you.


Iptables rules

Iptables rules like :

/sbin/iptables -t nat -A PREROUTING -p TCP -s --dport 80 -j REDIRECT --to-port 3129
/sbin/iptables -t nat -A PREROUTING -p TCP -s --dport 443 -j REDIRECT --to-port 3130

(Where traffic is assumed to originate from 172.30.x.y and, in this case, Squid is running on the gateway node.)

Possibly useful files

Automated twitter compilation up to 23 November 2014

Sun, 23/11/2014 - 06:00

Arbitrary tweets made by TheGingerDog up to 23 November 2014

  • #FightForFinnan #DLA Bromsgrove, West Midlands 2014/11/22
  • Bromsgrove men’s 3xi hockey 2:1 vs Solihull blossom field. Great win – 8 wins in a row (Cc @BromsgroveHC ) West Midlands, England 2014/11/22
  • RT The best tackle in the history of football…

    https://vine.co/v/OidJ3tuagrt 2014/11/21

  • RT Barbie just got cool • The internet fixes Barbie’s ‘I Can Be a Comp Engineer’ pic book www.theverge.com/2014/11/19/7245461/feminist-barbie-hacker-engineer-fix
  • RT Make your own “Barbie is a computer engineer” panels here: https://computer-engineer-barbie.herokuapp.com/new# We just made one
  • Today is full of ‘sed error’ emails. #debian update to php5-common / sessionclean cron errors: sed: invalid option z https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770105 2014/11/19
  • RT EFF: Let’s Encrypt lwn.net/Articles/621676/rss 2014/11/18
  • RT How far we’ve come. Truly astonishing.
  • RT A good reminder to dog walkers,

    If you fail to keep your dog on a lead it’s not just the sheep that pay the price… [embedded picture]


  • Ring ring …… Rah rah rah…. reference request … rah rah rah rah #exEmployeeFromAgesAgo #recruitment 2014/11/18
  • RT Things I always enjoy finding in the install scripts of “security” software: “sudo chmod 777 …”, “wget http://…”, a command with a typo. 2014/11/17
  • RT This Dalek could do the UK a huge favour.

    All together now. EXTERMINATE! [embedded picture]


  • RT This week’s cake: Pineapple Upside Down Cake. Told the kids they have to stand on head to eat it @SatScenes


