I needed a variant of Squid which supported transparent SSL interception (i.e via iptables redirection) so I could log outgoing HTTPS requests without the client being aware.
The stock wheezy variant doesn’t support SSL (see : Debian Bug Report).
Even after recompiling Wheezy’s squid3 it didn’t seem to work (perhaps my stupidity) so I ended up moving to the latest-and-greatest squid (3.4.9 at the time of writing) and getting that to work. Brief notes follow.
Building overview
- apt-get source squid3
- wget http://www.squid-cache.org/Versions/v3/3.4/squid-3.4.9.tar.gz
- cp squid-3.4.9.tar.gz squid3_3.4.9.orig.tar.gz to keep Debian’s build tools happy.
- tar -zxf squid-3.4.9.tar.gz
- Copy the debian/ directory out of the ‘official’ squid3 package (probably: squid3-3.1.20) and chuck it into your new variant (cp -a squid-3-3.1.20/debian squid-3.4.7/ )
- Edit debian/rules and add in –enable-ssl and –enable-ssl-crtd and –disable-arch-native (else the resultant binary probably won’t run on any other architecture/virtual machine). In my case I also removed a couple of directives (e.g. squid have removed –enable-auth=”…” and replaced it with just –enable-auth etc). See the files linked at the bottom of this post.
- Edit debian/changelog, add a new section at the top with a bumped version number and fix with your email address/name etc.
- Try and build it with something like : dpkg-buildpackage -rfakeroot or debuild -us -uc -b and enter your GPG key password when prompted.
- When this fails, fix debian/debian.install and/or debian/rules … 🙂
There is a binary .deb linked to from the bottom of this post, which may work/help/save you some time doing the above. But you probably shouldn’t trust me.
Install/Configuration
Install on the remote server. (dpkg -i squid3-*.deb).
You’ll need to generate a certificate for Squid to use when it intercepts SSL requests.
This certificate will be added to the client computer’s trusted certificate store/library/thing (i.e /usr/local/share/ca-certificates) – so as to hopefully stop clients receiving unknown certificate authority ssl error messages all the time.
- openssl genrsa -out squid.key 2048
- openssl req -new -key squid.key -out squid.csr — I used the proxies IP address as it’s CN
- openssl x509 -req -days 3650 -in squid.csr -signkey squid.key -out squid.crt
- cat squid.key squid.crt > squid.pem
- scp squid.crt root@client_machine:/usr/local/share/ca-certificates/
- ssh root@client_machine /usr/sbin/update-ca-certificates
Your squid configuration will probably need to be similar to :
- cat squid.conf.dpkg-dist | grep -v ^# | grep -v ^$ | sponge squid.conf
- the .dpkg-dist file may not exist — use squid.conf if not.
And then containing the following stuff :
..... # stop squid taking forever to restart. shutdown_lifetime 3 # for clients with a configured proxy. http_port 3128 # for clients who are sent here via iptables ... REDIRECT. http_port 3129 intercept # for https clients who are sent here via iptables ... REDIRECT https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/squid.pem always_direct allow all ssl_bump none localhost ssl_bump server-first all sslproxy_cert_error allow all sslproxy_flags DONT_VERIFY_PEER
When you start squid, you’ll notice the ‘ssl_crtd‘ binary running. You will probably need to initialise it’s directories using :
/usr/lib/squid3/ssl_crtd -c -s /var/lib/ssl_db/ chown -R proxy /var/lib/ssl_db
If stuff is running properly, you’ll see certificates appear in /var/lib/ssl_db/certs as outgoing https requests are made.
So … for any clients with a http_proxy already set, they can use port gateway:3128.
For clients with no proxy setting, iptables will forward packets into gateway:3129 and gateway:3130 – using the rules below.
Help Squid Hates me!
Add :
debug_options ALL,2
Into /etc/squid3/squid.conf – and restart it.
Once this is done, you should see loads of stuff appearing in /var/log/squid3/cache.log — which may help you.
Iptables rules
Iptables rules like :
/sbin/iptables -t nat -A PREROUTING -p TCP -s 172.30.0.0/16 --dport 80 -j REDIRECT --to-port 3129 /sbin/iptables -t nat -A PREROUTING -p TCP -s 172.30.0.0/16 --dport 443 -j REDIRECT --to-port 3130
(Where traffic is assumed to originate on 172.30.x.y, and on this case, Squid is running on the gateway node).
Possibly useful files
- squid.conf – Squid config
- squid3_3.4.9_amd64.deb – my build .deb package, might work for you. Might not.
- squid3-comon_3.4.9_all.deb (dependency)
- squid3_3.4.9.debian.tar.gz – ‘debian’ directory, contains ./configure options etc (as above)
- squid3_3.4.9.dsc – various signatures, although my gpg key isn’t uploaded anywhere it’s probably pointless.
Leave a Reply