Installing and configuring Squid Proxy for SSL (Bumping or Peek-n-splice)

claude sleek
6 min read, May 22, 2020

Introduction:

Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on most available operating systems, including Windows, and is licensed under the GNU

Preparing the environment:

Before installing Squid we prepare the installation environment and make sure that the system is up to date. We will be installing Squid version 4.11 from the Diladele apt repository, which starts with the following commands:

# add the Diladele apt signing key
wget -qO - http://packages.diladele.com/diladele_pub.asc | sudo apt-key add -

# add the repository to the sources list (tee, because the redirect alone runs without root)
echo "deb http://squid411.diladele.com/ubuntu/ bionic main" | sudo tee /etc/apt/sources.list.d/squid411.diladele.com.list

Then we refresh the package index and upgrade the system to complete the preparation:

$ sudo apt-get update && sudo apt-get upgrade

Installing squid:

Type the following commands to install Squid on your Ubuntu machine. Note that this was tested on Ubuntu 18.04 LTS (bionic, which is also the release named in the repository line above).

# install
sudo apt-get install squid-common
sudo apt-get install squid
sudo apt-get install squidclient

To support SSL bumping, the squid binary must have been built with the following configure options enabled:

--with-openssl
--enable-ssl-crtd

(--enable-ssl is the spelling older Squid 3 releases used; --with-openssl replaces it in current releases.) The Diladele packages are built this way, so installing from the repository above gives you these options without compiling anything yourself. Check that the installation was successful, and that the build options are present, with:

$ squid -v

The output lists the version followed by the configure options, so you can confirm --with-openssl and --enable-ssl-crtd appear there before going further.

At this point you have successfully installed Squid and can move on to generating a Certificate Authority (CA) certificate. Squid will sign a fresh certificate for every site it bumps with this CA, so browsers behind the proxy must be configured to trust it.

Generating Certificate Authority (CA) SSL Certificate:

We will be using OpenSSL for the generation of a Certificate Authority to sign certificates and also for the creation of new certificates.

We will use the Perl script CA.pl to simplify the CA and certificate (.pem) creation process. First create the CA; this produces a demoCA directory in the current working directory, with the CA certificate in demoCA/cacert.pem and its passphrase-protected key in demoCA/private/cakey.pem:

$ /usr/lib/ssl/misc/CA.pl -newca

Make sure you fill in all the information requested, especially the common name. Next, create a certificate request and key (newreq.pem and newkey.pem):

$ /usr/lib/ssl/misc/CA.pl -newreq

Again fill in all the information, especially the common name. At this point you have created a CA and a certificate request, so the next step is to have the CA sign the request. The following command signs newreq.pem and writes the certificate to newcert.pem:

$ /usr/lib/ssl/misc/CA.pl -sign

Every certificate created this way is signed by the CA created above. One caveat matters for bumping: a certificate produced by -newreq and -sign is an end-entity certificate (basicConstraints CA:FALSE), so it cannot itself sign the per-site certificates Squid generates, and browsers will reject a chain built on it. What Squid needs as its cert= and key= pair is the CA itself, i.e. demoCA/cacert.pem together with demoCA/private/cakey.pem, with the passphrase removed (openssl rsa -in demoCA/private/cakey.pem -out cakey-nopass.pem) because Squid cannot prompt for it at startup. The OpenSSL route below produces such a CA pair directly.

[Alternatively]

If you do not wish to go through this method and prefer to generate a self-signed CA certificate in one step, you can do so with the following commands:

# Generating the CA certificate and key (-extensions v3_ca marks it as a CA; -nodes leaves the key unencrypted so squid can load it)
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout squid-ca-key.pem -out squid-ca-cert.pem
# Concatenating the certificate and key into the single file squid will be given.
cat squid-ca-cert.pem squid-ca-key.pem > squid-ca-cert-key.pem

Now that the CA has been created, export a DER copy of the certificate (and only the certificate, never the private key) that can be imported into the browser:

#first method (CA.pl route: export the CA certificate, not the end-entity newcert.pem)
openssl x509 -in demoCA/cacert.pem -outform DER -out squidTrusted.der
#alternate method (self-signed route; openssl reads the first certificate in the combined file)
openssl x509 -in squid-ca-cert-key.pem -outform DER -out squidTrusted.der

Now move the certificate and key files created above (with either method) to a location where squid can read them:

# create a directory
sudo mkdir -p /etc/squid/certs
# move the certificate and key to the directory (CA.pl route) ...
sudo mv newcert.pem newkey.pem /etc/squid/certs/
# ... or (self-signed route)
sudo mv squid-ca-cert-key.pem /etc/squid/certs/
# change ownership so that squid can access the certificate
sudo chown -R proxy:proxy /etc/squid/certs
# private keys must be readable by the proxy user only (600, not 700: they are files, not directories)
sudo chmod 600 /etc/squid/certs/*.pem

Next, create the directory for the certificates squid will generate for bumped sites and initialise the SSL certificate database in it:

#create the directory
sudo mkdir -p /var/lib/squid
#create the SSL database to be used by squid (the ssl_db directory must not exist yet)
sudo /usr/lib/squid/ssl_crtd -c -s /var/lib/squid/ssl_db
# Changing database permission so squid can access it.
sudo chown -R proxy:proxy /var/lib/squid

Squid 4 renamed this helper to security_file_certgen. If /usr/lib/squid/ssl_crtd is not present, run /usr/lib/squid/security_file_certgen with the same -c -s options and use that name in the sslcrtd_program line later on.
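The whole CA procedure above, as an added example that is not part of the original article: it creates the self-signed CA, exports the browser-importable DER copy, locks down the key files, and then runs the two checks a practitioner wants before handing the files to Squid, namely that the certificate really is a CA (the point at which the CA.pl -newreq/-sign route fails) and that the private key is not group- or world-readable. It assumes openssl is installed, takes the target directory as its first argument (so it can be tried in a scratch directory without root), and only changes ownership to proxy:proxy when run as root.

```shell
#!/bin/bash
# Added example (not from the original article): build and verify a CA for Squid ssl-bump.
# Assumptions: openssl is available; $1 is a writable directory; the subject is illustrative.
set -u

make_squid_ca() {
    local dir=$1
    mkdir -p "$dir"
    # Self-signed CA certificate + unencrypted key. -extensions v3_ca sets
    # basicConstraints CA:TRUE, which Squid needs because it signs a certificate
    # for every site it bumps; -nodes leaves the key readable at startup.
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
        -extensions v3_ca \
        -subj "/C=US/O=Example Lab/CN=Squid ssl-bump CA" \
        -keyout "$dir/squid-ca-key.pem" -out "$dir/squid-ca-cert.pem" >/dev/null 2>&1
    # Single PEM file (certificate then key), the form the article passes to cert=.
    cat "$dir/squid-ca-cert.pem" "$dir/squid-ca-key.pem" > "$dir/squid-ca-cert-key.pem"
    # DER copy for the browser: the certificate only; the key never leaves the proxy.
    openssl x509 -in "$dir/squid-ca-cert.pem" -outform DER -out "$dir/squidTrusted.der"
    # Anything holding the private key is readable by its owner only.
    chmod 600 "$dir/squid-ca-key.pem" "$dir/squid-ca-cert-key.pem"
    if [ "$(id -u)" -eq 0 ]; then
        chown -R proxy:proxy "$dir" 2>/dev/null || echo "warning: no proxy user, ownership unchanged" >&2
    fi
}

# Succeeds only if the certificate may sign other certificates (CA:TRUE).
# A certificate from CA.pl -newreq/-sign carries CA:FALSE and fails here.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Succeeds only if the file mode grants nothing to group or others (e.g. 600).
is_private() {
    local mode
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case $mode in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Usage: ./make-squid-ca.sh /etc/squid/certs   (no argument: define the functions only)
if [ $# -gt 0 ]; then
    make_squid_ca "$1"
    is_ca_cert "$1/squid-ca-cert.pem" && echo "ok: $1/squid-ca-cert.pem is a CA certificate"
    is_private "$1/squid-ca-key.pem" && echo "ok: $1/squid-ca-key.pem is private"
fi
```

Run is_ca_cert against whatever file you put in cert= in squid.conf, whichever route you used to make it; if it fails, browsers will reject every bumped site no matter how the rest of the configuration looks.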

Configuring squid to peek-n-splice SSL connections

Configuring SSL bumping takes place at this stage. All of the configuration is done in the squid.conf file found in /etc/squid/ directory.

Use any text editor you are comfortable using like nano, vim or gedit. Note that the configuration file is very lengthy (because it is a combination of the man pages and the actual configuration lines) so it is advised to use a text editor which you can easily navigate.

For this tutorial I will be using the gedit text editor for easy navigation.

While in the gedit text editor, use CTRL+F to open the find box, find the line that contains http_port 3128 and replace it with the following (the whole http_port directive must stay on one line, or be continued across lines with a trailing \ character):

# directory containing the CA that signed the certificate (the demoCA directory CA.pl created; adjust to your own path)
sslproxy_capath /home/sleek/demoCA/
# replace http_port 3128 with:
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/newcert.pem key=/etc/squid/certs/newkey.pem capath=/home/sleek/demoCA/

Two things to check here. First, the cert= and key= pair is what Squid uses to sign the per-site certificates it generates, so it must be a CA certificate with its unencrypted key: on the CA.pl route that is the CA pair (cacert.pem and the passphrase-free copy of cakey.pem), not the end-entity newcert.pem; on the self-signed route it is cert=/etc/squid/certs/squid-ca-cert-key.pem with no key= option, since that file holds both. Second, sslproxy_capath is Squid 3 syntax; Squid 4 replaced it with tls_outgoing_options capath=..., so if squid -k parse rejects the directive, use that spelling.

Then add the following lines just after the lines above, or at the end of the file, as you wish.

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
sslproxy_cert_error allow all

The two ssl_bump rules say: at step 1 peek at the client's TLS ClientHello (this reveals the SNI without altering the handshake), then bump everything. The ssl_bump server-first all line found in older guides is a legacy action from Squid 3.1-3.4 and, placed after bump all, would never match anyway, since the first matching ssl_bump rule wins; it is left out. Use security_file_certgen instead of ssl_crtd in sslcrtd_program if that is the helper your build ships.

sslproxy_cert_error allow all deserves a warning. It makes Squid ignore every upstream certificate error (expired, wrong name, untrusted issuer) and re-sign the response with your CA, so a client that trusts your CA sees a clean padlock even when the server it reached is not the real one. That is acceptable in a lab; anywhere else, use deny all (or allow only a narrow ACL) so that upstream validation failures reach the user as errors.
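The title of this tutorial promises peek-n-splice, while the configuration above bumps everything. As an added example, not part of the original article, the following script writes the ssl-bump part of squid.conf with an explicit splice list (sites matched by SNI that are passed through untouched, a bank or a health site being the usual candidates) beside the bump-all default, keeps upstream certificate validation on, and checks the result with squid -k parse when squid is installed. It assumes the paths used in this article and the self-signed cert+key file; the certificate helper path is a parameter because Squid 4 ships it as security_file_certgen while older builds call it ssl_crtd, and the domains in the splice list are placeholders.

```shell
#!/bin/bash
# Added example (not from the original article): write and parse-check the ssl-bump
# section of squid.conf. Assumptions: article paths; helper name passed as $2;
# the splice-list domains are placeholders to replace with your own.
set -u

write_bump_config() {
    local out=$1
    local certgen=${2:-/usr/lib/squid/security_file_certgen}
    cat > "$out" <<EOF
# Listening port; cert= holds the CA certificate and its key in one PEM file.
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/certs/squid-ca-cert-key.pem

# Helper that mints and caches the per-site certificates.
sslcrtd_program $certgen -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5

acl step1 at_step SslBump1
# Sites that must never be decrypted, matched on the TLS SNI seen at step 1.
acl nobump ssl::server_name .bank.example .example-health.org

ssl_bump peek step1
# First matching rule wins: spliced sites are tunnelled end to end, the rest are bumped.
ssl_bump splice nobump
ssl_bump bump all

# Keep upstream certificate validation on. 'allow all' would make Squid accept a
# forged server certificate and re-sign it for the client with your trusted CA.
sslproxy_cert_error deny all
EOF
}

# Syntax-check the file with squid itself when it is installed; otherwise say so.
check_bump_config() {
    if command -v squid >/dev/null 2>&1; then
        squid -k parse -f "$1"
    else
        echo "squid not installed here, skipping parse check of $1" >&2
    fi
}

# Usage: ./write-bump-config.sh /etc/squid/conf.d/ssl-bump.conf [/usr/lib/squid/ssl_crtd]
if [ $# -gt 0 ]; then
    write_bump_config "$1" "${2:-/usr/lib/squid/security_file_certgen}"
    check_bump_config "$1"
fi
```

Peek at step 1 only reads the ClientHello, so the decision to splice or bump is made on the SNI the client sent, before any certificate has been forged; a splice list that relies on the server certificate instead would need a second peek at step 2.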

Now that the configuration is completed, save the file and test it to make sure it parses. Test the configuration using:

$ sudo squid -k parse

(squid -k check, by contrast, only signals an already running squid to verify that it is alive.) If this returns no errors, the configuration is syntactically correct.

You can now proceed to enabling the squid service at boot time and starting it. This can be done with the following commands:

sudo systemctl enable squid
sudo systemctl start squid
sudo systemctl status squid.service

Importing Certificate into web browser

The next step is to import the CA certificate into your browser. Launch Firefox (or whichever browser you use) and go to the settings menu.

Select Preferences, then the Privacy & Security tab, and scroll down to the end. Under the Certificates section, click the View Certificates button, then in the Authorities tab click Import and navigate to the location where your squidTrusted.der (created above) is stored. Import only that DER certificate; the key file stays on the proxy.

Select the checkbox "Trust this CA to identify websites". Then click OK to import the certificate.

Then, still under Preferences, scroll down to Network Settings and click the Settings button. Select the manual proxy option.

Type in your <proxy address> and the port number 3128 and tick the option to also use this proxy for HTTPS (and FTP if you need it). Validate with OK and you are ready to use Squid to intercept, peek at and bump SSL connections.

The only thing left to do now is to monitor the Squid access log and cache log to see the bumped traffic. Both files live in /var/log/squid/; access.log records one line per request and cache.log records daemon messages, including certificate generation errors. Follow the access log with:

$ sudo tail -f /var/log/squid/access.log

For a bumped site you will see the decrypted requests themselves (GET https://host/path ...), whereas a site that was only tunnelled shows nothing more than its CONNECT host:443 line.
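Telling bumped from tunnelled sites by eye gets tedious on a busy log, so here is an added example, not part of the original article, that does it with awk over Squid's default native access.log format: a host is reported as bumped if any decrypted https:// request for it was logged, and as tunnelled if it only ever appeared in CONNECT lines. The sample log lines are constructed for the example; the field positions (method in column 6, URL in column 7) are those of the native format and would need adjusting for a custom logformat.

```shell
#!/bin/bash
# Added example (not from the original article): classify hosts in a Squid native-format
# access.log as bumped (decrypted requests seen) or tunnelled (CONNECT only).
# Assumption: default native logformat; sample lines below are constructed.
set -u

classify_squid_log() {
    awk '
        # CONNECT lines carry host:port in the URL field; remember the host.
        $6 == "CONNECT" {
            split($7, hp, ":"); connect[hp[1]] = 1; next
        }
        # Any non-CONNECT request with an https:// URL was only visible because the
        # connection was bumped; extract the host from the URL.
        $7 ~ /^https:\/\// {
            h = $7; sub(/^https:\/\//, "", h); sub(/[\/:].*/, "", h); bumped[h] = 1
        }
        END {
            for (h in bumped) print "bumped", h
            for (h in connect) if (!(h in bumped)) print "tunneled", h
        }' "$1" | sort
}

# Writes four constructed native-format lines to $1: one spliced bank, one bumped site.
sample_log() {
    cat > "$1" <<'EOF'
1590000000.123    245 10.0.0.5 TCP_TUNNEL/200 3981 CONNECT bank.example:443 - HIER_DIRECT/203.0.113.10 -
1590000001.456    120 10.0.0.5 TCP_MISS/200 5120 GET https://www.example.org/index.html - HIER_DIRECT/93.184.216.34 text/html
1590000001.789     80 10.0.0.5 TCP_MISS/200 2210 GET https://www.example.org/app.js - HIER_DIRECT/93.184.216.34 application/javascript
1590000002.001    300 10.0.0.5 TCP_TUNNEL/200 9000 CONNECT www.example.org:443 - HIER_DIRECT/93.184.216.34 -
EOF
}

# Usage: ./classify-bump.sh /var/log/squid/access.log   (no argument: run on the sample)
if [ $# -gt 0 ]; then
    classify_squid_log "$1"
else
    tmp=$(mktemp); sample_log "$tmp"; classify_squid_log "$tmp"; rm -f "$tmp"
fi
```

Note that a bumped site still produces a CONNECT line (the one that opened the tunnel), which is why the script keys on the presence of decrypted requests rather than on CONNECT alone. If you want Squid to say explicitly what it decided, add the %ssl::bump_mode code to a custom logformat and log that field instead of inferring it.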

Thanks for following this tutorial. Hope you enjoyed it.
