Squid 3.4.x for with transparent ssl proxying/support for Debian Wheezy.

I needed  a variant of Squid which supported transparent SSL interception (i.e via iptables redirection) so I could log outgoing HTTPS requests without the client being aware.

The stock wheezy variant doesn’t support SSL (see : Debian Bug Report).

Even after recompiling Wheezy’s squid3 it didn’t seem to work (perhaps my stupidity) so I ended up moving to the latest-and-greatest squid (3.4.9 at the time of writing) and getting that to work. Brief notes follow.

Building overview

  1. apt-get source squid3
  2. wget http://www.squid-cache.org/Versions/v3/3.4/squid-3.4.9.tar.gz
  3. cp squid-3.4.9.tar.gz squid3_3.4.9.orig.tar.gz to keep Debian’s build tools happy.
  4. tar -zxf squid-3.4.9.tar.gz
  5. Copy the debian/ directory out of the ‘official’ squid3 package (probably: squid3-3.1.20) and chuck it into your new variant (cp -a squid-3-3.1.20/debian squid-3.4.7/ )
  6. Edit debian/rules and add in –enable-ssl and –enable-ssl-crtd and –disable-arch-native (else the resultant binary probably won’t run on any other architecture/virtual machine). In my case I also removed a couple of directives (e.g. squid have removed –enable-auth=”…” and replaced it with just –enable-auth etc). See the files linked at the bottom of this post.
  7. Edit debian/changelog, add a new section at the top with a bumped version number and fix with your email address/name etc.
  8. Try and build it with something like : dpkg-buildpackage -rfakeroot or debuild -us -uc -b and enter your GPG key password when prompted.
    1. When this fails, fix debian/debian.install and/or debian/rules … 🙂

There is a binary .deb linked to from the bottom of this post, which may work/help/save you some time doing the above. But you probably shouldn’t trust me.

Install/Configuration

Install on the remote server. (dpkg -i squid3-*.deb).

You’ll need to generate a certificate for Squid to use when it intercepts SSL requests.

This certificate will be added to the client computer’s trusted certificate store/library/thing (i.e /usr/local/share/ca-certificates) – so as to hopefully stop clients receiving unknown certificate authority ssl error messages all the time.

  • openssl genrsa -out squid.key 2048
  • openssl req -new -key squid.key -out squid.csr    — I used the proxies IP address as it’s CN
  • openssl x509 -req -days 3650 -in squid.csr -signkey squid.key -out squid.crt
  • cat squid.key squid.crt > squid.pem
  • scp squid.crt root@client_machine:/usr/local/share/ca-certificates/
  • ssh root@client_machine /usr/sbin/update-ca-certificates

 

Your squid configuration will probably need to be similar to :

  • cat squid.conf.dpkg-dist | grep -v ^# | grep -v ^$ | sponge squid.conf
  • the .dpkg-dist file may not exist — use squid.conf if not.

And then containing the following stuff :

.....
# stop squid taking forever to restart.
shutdown_lifetime 3
# for clients with a configured proxy.
http_port 3128
# for clients who are sent here via iptables ... REDIRECT.
http_port 3129 intercept
# for https clients who are sent here via iptables ... REDIRECT
https_port 3130 intercept ssl-bump  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/squid.pem

always_direct allow all
ssl_bump none localhost
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

When you start squid, you’ll notice the ‘ssl_crtd‘ binary running. You will probably need to initialise it’s directories using :

/usr/lib/squid3/ssl_crtd -c -s /var/lib/ssl_db/
chown -R proxy /var/lib/ssl_db

If stuff is running properly, you’ll see certificates appear in /var/lib/ssl_db/certs as outgoing https requests are made.

So … for any clients with a http_proxy already set, they can use port gateway:3128.

For clients with no proxy setting, iptables will forward packets into gateway:3129 and gateway:3130 – using the rules below.

Help Squid Hates me!

Add :

debug_options ALL,2

Into /etc/squid3/squid.conf – and restart it.

Once this is done, you should see loads of stuff appearing in /var/log/squid3/cache.log — which may help you.

 

Iptables rules

Iptables rules like :

/sbin/iptables -t nat -A PREROUTING -p TCP -s 172.30.0.0/16 --dport 80 -j REDIRECT --to-port 3129
/sbin/iptables -t nat -A PREROUTING -p TCP -s 172.30.0.0/16 --dport 443 -j REDIRECT --to-port 3130

(Where traffic is assumed to originate on 172.30.x.y, and on this case, Squid is running on the gateway node).

Possibly useful files


Posted

in

, ,

by

Comments

18 responses to “Squid 3.4.x for with transparent ssl proxying/support for Debian Wheezy.”

  1. Aytekin Aygün Avatar

    Useful documents…
    Thank you

  2. Jelle Hillen Avatar

    Missing a deb package for squid3-common, but otherwise very useful.

    Thanks.

  3. David Goodwin Avatar

    Well spotted. The .deb is in the directory though … I just forgot to link to it… (now fixed).

    thanks

  4. Ganesh Waghmode Avatar
    Ganesh Waghmode

    I am trying to use Squid proxy to allow the google apps and block the consumer gmail account in my organization through ssl-bump and interception feature of Squid proxy. I am using Ubuntu 14.04. But, I am unable to achieve what I want. If you can help me kindly read my question on SO for more details.
    http://serverfault.com/questions/647892/allow-google-apps-and-block-consumer-google-accounts-using-squid-proxy

  5. pamchi Avatar

    hello, just a comment on this line:
    Copy the debian/ directory out of the ‘official’ squid3 package (probably: squid3-3.1.20) and chuck it into your new variant (cp -a squid-3-3.1.20/debian squid-3.4.7/

    Acording to your first line i assume that should be like this (to fit on the 3.4.9 version insteat 3.4.7):
    Copy the debian/ directory out of the ‘official’ squid3 package (probably: squid3-3.1.20) and chuck it into your new variant (cp -a squid-3-3.1.20/debian squid-3.4.9/

  6. Minh Duc Avatar
    Minh Duc

    Is it possible to combine SSL intercept with proxy-auth ?

    As squid mentioned, there’re 4 options for proxy-auth:
    + Basic – been around since the very beginning
    + NTLM – Microsoft’s first attempt at single-sign-on for LAN environments
    + Digest – w3c’s attempt at having a secure authentication system
    + Negotiate (aka SPNEGO) – Microsoft’s second attempt at single-sign-on.
    OAuth – IETF attempt at single-sign-on

    I have tried your tutorial with proxy auth ( NTML + Keberos) but not success and see the error:

    kid1| NOTICE: Authentication not applicable on intercepted requests.
    kid1| NOTICE: Authentication not applicable on intercepted requests.
    kid1| NOTICE: Authentication not applicable on intercepted requests.

    Thank you,
    Regards,
    Minh Duc

  7. Al Avatar
    Al

    Great article and very helpful. Unfortunately I am having problems at the end … and get this.
    dh_install -psquid3-common --sourcedir=/usr/src/squid3-3.5.3/debian/tmp
    cp: cannot stat `/usr/src/squid3-3.5.3/debian/tmp/usr/share/squid3/mime.conf': No such file or directory
    dh_install: cp -a /usr/src/squid3-3.5.3/debian/tmp/usr/share/squid3/mime.conf debian/squid3-common//usr/share/squid3/ returned exit code 1
    make: *** [binary-install/squid3-common] Error 2
    dpkg-buildpackage: error: fakeroot debian/rules binary gave error exit status 2
    debuild: fatal error at line 1357:
    dpkg-buildpackage -rfakeroot -D -us -uc -b failed

  8. David Goodwin Avatar

    I’d try : touch /path/to/squid3/mime.conf and see if that fixes it….

  9. Mark007 Avatar
    Mark007

    Good article – Many thanks. saved me having to build.
    Just a bit of mucking around with dependencies with apt-get getting confused.
    Much needed .debs after a normal routine upgrade nucked my SSL squid.. with a repository version with no ssl….

  10. Leandro Segovia Avatar
    Leandro Segovia

    hi
    this configuration is fully transparent https interception
    or i need install certificate on to all pc clients

    thanks

  11. David Goodwin Avatar

    You’ll need to generate a certificate for Squid to use when it intercepts SSL requests.

    This certificate will be added to the client computer’s trusted certificate store/library/thing (i.e /usr/local/share/ca-certificates) – so as to hopefully stop clients receiving unknown certificate authority ssl error messages all the time.

    You have to get a new trusted root certificate onto the client device, otherwise they will quite rightly spot that their requests are being returned with a non-trusted certificate.

  12. leandro segovia Avatar
    leandro segovia

    hi
    its possible configure squid https intercept with this option
    example i have 20 machines
    10 machinnes have installer certificate but 10 machinnes no
    its possible squid or iptables identify who have squid certificate
    if not have the certificate bypass automatly to the web page
    if have a ca certifocate squid intercept

    thanks

  13. mmm Avatar
    mmm

    Nice tutorial, I was able to setup my squid according to it (Debian Jessie).
    However I have one issue with my Android devices, in order to import the CA cert into Android, I’d have to setup PIN or gesture to unlock the phone, but I don’t want to enforce the users to do it. Is there a workaround?

  14. Artem Iarmoliuk Avatar
    Artem Iarmoliuk

    To anyone who got “usr/share/squid3/mime.conf’: No such file or directory” error.
    For later releases this file is located in another directory. For me it was “debian/tmp/etc/squid3/mime.conf”

    Just change file location in debian/squid3-common.install to proper one, and build should be successful.

  15. d1cor Avatar
    d1cor

    Excellent tutorial! It has been usefull for me. Thanks!

  16. Zubair Avatar
    Zubair

    Does squid 3.5.26 can be configured transparently on windows server 2012 r2 ?
    i research a lot for transparent configuration on windows server 2012 r2. but didnt find even a single blog or article.
    any help will be appreciated

Leave a Reply

Your email address will not be published. Required fields are marked *