I needed a variant of Squid which supported transparent SSL interception (i.e. via iptables redirection) so I could log outgoing HTTPS requests without the client being aware.
The stock wheezy variant doesn’t support SSL (see: Debian Bug Report).
Even after recompiling Wheezy’s squid3 it didn’t seem to work (perhaps my stupidity) so I ended up moving to the latest-and-greatest squid (3.4.9 at the time of writing) and getting that to work. Brief notes follow.
Building overview
- apt-get source squid3
- wget http://www.squid-cache.org/Versions/v3/3.4/squid-3.4.9.tar.gz
- cp squid-3.4.9.tar.gz squid3_3.4.9.orig.tar.gz to keep Debian’s build tools happy.
- tar -zxf squid-3.4.9.tar.gz
- Copy the debian/ directory out of the ‘official’ squid3 package (probably: squid3-3.1.20) and chuck it into your new variant (cp -a squid-3-3.1.20/debian squid-3.4.7/ )
- Edit debian/rules and add in --enable-ssl and --enable-ssl-crtd and --disable-arch-native (else the resultant binary probably won’t run on any other architecture/virtual machine). In my case I also removed a couple of directives (e.g. squid have removed --enable-auth="…" and replaced it with just --enable-auth etc). See the files linked at the bottom of this post.
- Edit debian/changelog, add a new section at the top with a bumped version number and fix with your email address/name etc.
- Try and build it with something like: dpkg-buildpackage -rfakeroot or debuild -us -uc -b and enter your GPG key password when prompted.
- When this fails, fix debian/debian.install and/or debian/rules … 🙂
There is a binary .deb linked to from the bottom of this post, which may work/help/save you some time doing the above. But you probably shouldn’t trust me.
Install/Configuration
Install on the remote server. (dpkg -i squid3-*.deb).
You’ll need to generate a certificate for Squid to use when it intercepts SSL requests.
This certificate will be added to the client computer’s trusted certificate store/library/thing (i.e. /usr/local/share/ca-certificates) – so as to hopefully stop clients receiving unknown certificate authority SSL error messages all the time.
- openssl genrsa -out squid.key 2048
- openssl req -new -key squid.key -out squid.csr — I used the proxy’s IP address as its CN
- openssl x509 -req -days 3650 -in squid.csr -signkey squid.key -out squid.crt
- cat squid.key squid.crt > squid.pem
- scp squid.crt root@client_machine:/usr/local/share/ca-certificates/
- ssh root@client_machine /usr/sbin/update-ca-certificates
Your squid configuration will probably need to be similar to:
- cat squid.conf.dpkg-dist | grep -v ^# | grep -v ^$ | sponge squid.conf
- the .dpkg-dist file may not exist — use squid.conf if not.
And then containing the following stuff:
.....
# stop squid taking forever to restart.
shutdown_lifetime 3
# for clients with a configured proxy.
http_port 3128
# for clients who are sent here via iptables ... REDIRECT.
http_port 3129 intercept
# for https clients who are sent here via iptables ... REDIRECT
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/squid.pem
always_direct allow all
ssl_bump none localhost
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
When you start squid, you’ll notice the ‘ssl_crtd’ binary running. You will probably need to initialise its directories using:
/usr/lib/squid3/ssl_crtd -c -s /var/lib/ssl_db/
chown -R proxy /var/lib/ssl_db
If stuff is running properly, you’ll see certificates appear in /var/lib/ssl_db/certs as outgoing https requests are made.
So … for any clients with an http_proxy already set, they can use port gateway:3128.
For clients with no proxy setting, iptables will forward packets into gateway:3129 and gateway:3130 – using the rules below.
Help! Squid hates me!
Add:
debug_options ALL,2
into /etc/squid3/squid.conf – and restart it.
Once this is done, you should see loads of stuff appearing in /var/log/squid3/cache.log — which may help you.
Iptables rules
Iptables rules like:
/sbin/iptables -t nat -A PREROUTING -p TCP -s 172.30.0.0/16 --dport 80 -j REDIRECT --to-port 3129
/sbin/iptables -t nat -A PREROUTING -p TCP -s 172.30.0.0/16 --dport 443 -j REDIRECT --to-port 3130
(Where traffic is assumed to originate on 172.30.x.y, and in this case, Squid is running on the gateway node).
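The squid.conf above and these two REDIRECT rules only work together when the --to-port of each rule lands on a matching http_port/https_port ... intercept listener, and the config as written also switches off upstream certificate checking (sslproxy_flags DONT_VERIFY_PEER and sslproxy_cert_error allow all mean the proxy will happily bump a connection to a server presenting any certificate at all). The following is an added example, not code from the original post: a small Python checker that strips comments the way the grep/sponge pipeline does, parses the directives, cross-checks the REDIRECT targets against the intercept listeners, and flags the verification-disabling directives. The embedded squid.conf and iptables lines are constructed from what the post shows; the port/scheme mapping (80 to an http_port, 443 to an https_port) is this example's own assumption.

```python
"""Cross-check a squid.conf intercept/ssl-bump setup against its iptables
REDIRECT rules and flag settings that disable upstream TLS verification.

Added example, not code from the original post.  The config and rules below
are constructed from the directives the post shows.
"""
import shlex

# Constructed sample: the post's squid.conf, comments included, as it would
# look before the `grep -v ^# | grep -v ^$` pass.
SQUID_CONF = """\
# stop squid taking forever to restart.
shutdown_lifetime 3
# for clients with a configured proxy.
http_port 3128
# for clients who are sent here via iptables ... REDIRECT.
http_port 3129 intercept
# for https clients who are sent here via iptables ... REDIRECT
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/ssl/squid.pem
always_direct allow all
ssl_bump none localhost
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
"""

# Constructed sample: the post's two REDIRECT rules.
IPTABLES_RULES = """\
/sbin/iptables -t nat -A PREROUTING -p TCP -s 172.30.0.0/16 --dport 80 -j REDIRECT --to-port 3129
/sbin/iptables -t nat -A PREROUTING -p TCP -s 172.30.0.0/16 --dport 443 -j REDIRECT --to-port 3130
"""

# Assumption of this example: plain HTTP is redirected to an http_port
# listener, HTTPS to an https_port listener.
EXPECTED_SCHEME = {80: "http", 443: "https"}


def strip_conf(text):
    """Equivalent of `grep -v ^# | grep -v ^$`: drop comment and blank lines."""
    return [ln for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def parse_conf(text):
    """Return [(directive, [args...])] for every effective squid.conf line."""
    conf = []
    for ln in strip_conf(text):
        parts = ln.split()
        conf.append((parts[0], parts[1:]))
    return conf


def intercept_ports(conf):
    """Map port -> 'http'/'https' for each *_port line carrying 'intercept'."""
    ports = {}
    for directive, args in conf:
        if directive in ("http_port", "https_port") and "intercept" in args:
            # The first argument may be "3129" or "addr:3129"; keep the port.
            port = int(args[0].rsplit(":", 1)[-1])
            ports[port] = directive.split("_")[0]
    return ports


def parse_redirects(text):
    """Return [(dport, to_port)] from `iptables ... -j REDIRECT --to-port N` lines."""
    redirects = []
    for ln in text.splitlines():
        argv = shlex.split(ln)
        if "REDIRECT" not in argv:
            continue
        dport = int(argv[argv.index("--dport") + 1])
        to_port = int(argv[argv.index("--to-port") + 1])
        redirects.append((dport, to_port))
    return redirects


def check(conf_text, rules_text):
    """Return a list of findings; an empty list means nothing to report."""
    conf = parse_conf(conf_text)
    listeners = intercept_ports(conf)
    findings = []
    # 1. Every REDIRECT must land on an intercept listener of the right scheme.
    for dport, to_port in parse_redirects(rules_text):
        scheme = listeners.get(to_port)
        if scheme is None:
            findings.append(f"REDIRECT {dport}->{to_port}: no *_port ... intercept listener on {to_port}")
        elif EXPECTED_SCHEME.get(dport) != scheme:
            findings.append(f"REDIRECT {dport}->{to_port}: listener is {scheme}_port, expected {EXPECTED_SCHEME.get(dport)}_port")
    # 2. Directives that make the bump accept any upstream certificate.
    for directive, args in conf:
        if directive == "sslproxy_flags" and "DONT_VERIFY_PEER" in args:
            findings.append("sslproxy_flags DONT_VERIFY_PEER: upstream server certificates are not verified")
        if directive == "sslproxy_cert_error" and args[:2] == ["allow", "all"]:
            findings.append("sslproxy_cert_error allow all: upstream certificate errors are ignored for every site")
        if directive == "https_port" and "intercept" in args and not any(a.startswith("cert=") for a in args):
            findings.append("https_port intercept without cert=: ssl-bump has no signing certificate")
    return findings


if __name__ == "__main__":
    for finding in check(SQUID_CONF, IPTABLES_RULES):
        print(finding)
```

Run against the post's own configuration the port cross-check is clean and the two verification findings are the only output; swapping a --to-port in the rules (or dropping cert= from the https_port line) produces an extra finding, which is the situation that otherwise shows up only as confused clients and a busy cache.log.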
Possibly useful files
- squid.conf – Squid config
- squid3_3.4.9_amd64.deb – my build .deb package, might work for you. Might not.
- squid3-comon_3.4.9_all.deb (dependency)
- squid3_3.4.9.debian.tar.gz – ‘debian’ directory, contains ./configure options etc (as above)
- squid3_3.4.9.dsc – various signatures, although as my gpg key isn’t uploaded anywhere it’s probably pointless.
Thank you
Missing a deb package for squid3-common, but otherwise very useful.
Thanks.
Well spotted. The .deb is in the directory though … I just forgot to link to it… (now fixed).
thanks
I am trying to use Squid proxy to allow the google apps and block the consumer gmail account in my organization through ssl-bump and interception feature of Squid proxy. I am using Ubuntu 14.04. But, I am unable to achieve what I want. If you can help me kindly read my question on SO for more details.
http://serverfault.com/questions/647892/allow-google-apps-and-block-consumer-google-accounts-using-squid-proxy
hello, just a comment on this line:
Copy the debian/ directory out of the ‘official’ squid3 package (probably: squid3-3.1.20) and chuck it into your new variant (cp -a squid-3-3.1.20/debian squid-3.4.7/
According to your first line I assume that should be like this (to fit the 3.4.9 version instead of 3.4.7):
Copy the debian/ directory out of the ‘official’ squid3 package (probably: squid3-3.1.20) and chuck it into your new variant (cp -a squid-3-3.1.20/debian squid-3.4.9/
Is it possible to combine SSL intercept with proxy-auth ?
As squid mentioned, there’re 4 options for proxy-auth:
+ Basic – been around since the very beginning
+ NTLM – Microsoft’s first attempt at single-sign-on for LAN environments
+ Digest – w3c’s attempt at having a secure authentication system
+ Negotiate (aka SPNEGO) – Microsoft’s second attempt at single-sign-on.
+ OAuth – IETF attempt at single-sign-on
I have tried your tutorial with proxy auth (NTLM + Kerberos) but without success and see the error:
kid1| NOTICE: Authentication not applicable on intercepted requests.
kid1| NOTICE: Authentication not applicable on intercepted requests.
kid1| NOTICE: Authentication not applicable on intercepted requests.
Thank you,
Regards,
Minh Duc
Great article and very helpful. Unfortunately I am having problems at the end … and get this.
dh_install -psquid3-common --sourcedir=/usr/src/squid3-3.5.3/debian/tmp
cp: cannot stat `/usr/src/squid3-3.5.3/debian/tmp/usr/share/squid3/mime.conf': No such file or directory
dh_install: cp -a /usr/src/squid3-3.5.3/debian/tmp/usr/share/squid3/mime.conf debian/squid3-common//usr/share/squid3/ returned exit code 1
make: *** [binary-install/squid3-common] Error 2
dpkg-buildpackage: error: fakeroot debian/rules binary gave error exit status 2
debuild: fatal error at line 1357:
dpkg-buildpackage -rfakeroot -D -us -uc -b failed
I’d try : touch /path/to/squid3/mime.conf and see if that fixes it….
Good article – Many thanks. Saved me having to build.
Just a bit of mucking around with dependencies with apt-get getting confused.
Much needed .debs after a normal routine upgrade nuked my SSL squid.. with a repository version with no ssl….
hi
Is this configuration fully transparent https interception,
or do I need to install the certificate on all PC clients?
thanks
You have to get a new trusted root certificate onto the client device, otherwise they will quite rightly spot that their requests are being returned with a non-trusted certificate.
hi
Is it possible to configure squid https intercept with this option?
For example, I have 20 machines;
10 machines have the certificate installed but 10 machines don't.
Is it possible for squid or iptables to identify who has the squid certificate?
If they don't have the certificate, bypass automatically to the web page;
if they have a CA certificate, squid intercepts.
thanks
Nice tutorial, I was able to setup my squid according to it (Debian Jessie).
However I have one issue with my Android devices, in order to import the CA cert into Android, I’d have to setup PIN or gesture to unlock the phone, but I don’t want to enforce the users to do it. Is there a workaround?
To anyone who got “usr/share/squid3/mime.conf’: No such file or directory” error.
For later releases this file is located in another directory. For me it was “debian/tmp/etc/squid3/mime.conf”
Just change file location in debian/squid3-common.install to proper one, and build should be successful.
Excellent tutorial! It has been useful for me. Thanks!
Can squid 3.5.26 be configured transparently on Windows Server 2012 R2?
I researched a lot for transparent configuration on Windows Server 2012 R2, but didn't find even a single blog or article.
Any help will be appreciated.