Squid3 https mitm

From wiki.techunit.org

Introduction

We needed a transparent proxy that could also intercept HTTPS traffic: the client wanted to block connections to social networks and similar sites. The problem is that Squid with SquidGuard cannot filter HTTPS in transparent mode with the default Debian package, because that package is built without SSL support. To get it, you have to rebuild the squid3 package from source with SSL Bump enabled.
Keep in mind what this is: a deliberate man-in-the-middle. Every client has to trust the proxy's CA certificate, and whoever holds the CA private key can read (and alter) the HTTPS traffic of every one of those clients, so protect ca.key accordingly.
This configuration works with some sites but not the majority, but it is a good start.

Compile Squid package

#Install compilation tools
apt-get install devscripts build-essential fakeroot libssl-dev -y
cd /usr/src
#Download sources (requires a deb-src line for your release in /etc/apt/sources.list)
apt-get source squid3
#Install build dependencies
apt-get build-dep squid3 -y
cd /usr/src/squid3*
#Add these two lines to the configure options in the file debian/rules
#"--enable-ssl \"
#"--enable-ssl-crtd \"

#compile package (debuild runs configure itself via debian/rules, so do not run ./configure by hand)
debuild -us -uc -b

#install packages
cd ..
apt-get install squid-langpack
dpkg -i squid3_*.deb squid3-common_*.deb

#Create the self-signed CA certificate and key that Squid will use to forge server certificates
cd /etc/squid3/
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout ca.key -out ca.crt
#The CA key must not be readable by other local users: root owns it, the proxy group may read it
chown root:proxy ca.key ca.crt
chmod 640 ca.key

SSL Bump configuration

  • Edit /etc/squid3/squid.conf (the key and cert paths must match the files created above)
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid3/ca.key cert=/etc/squid3/ca.crt
# This is an explicit-proxy port. For real transparent interception you also need an
# intercept port (http_port ... intercept and https_port ... intercept ssl-bump) plus an
# iptables REDIRECT; that part is not covered here.

# SSL Bump only works on direct connections, never through a cache peer
always_direct allow all
ssl_bump allow all
# Squid validates the real server certificate before re-signing it for the client.
# "allow all" makes it accept any origin certificate, including a forged one, and
# hand it to the client under your CA. Use "deny all" unless you are debugging.
sslproxy_cert_error allow all
# Or (safer)
# sslproxy_cert_error deny all
# DONT_VERIFY_PEER disables that validation entirely; remove it once things work
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5
  • Create the certificate database (ssl_crtd -c refuses to run if the directory already exists)
SQUIDSSLCRTDDIR=/var/lib/ssl_db/
SSLCRTD=/usr/lib/squid3/ssl_crtd
$SSLCRTD -c -s $SQUIDSSLCRTDDIR
[ -d $SQUIDSSLCRTDDIR ] && chown proxy: -R $SQUIDSSLCRTDDIR
  • Restart Squid (service squid3 restart)
  • Import /etc/squid3/ca.crt into the browser's trusted root certificates (or distribute it to all clients); without it every HTTPS site shows a certificate warning
  • You can now test it: open an HTTPS site through the proxy and check that the certificate shown is issued by your CA
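The two things that most often go wrong with the setup above are a key/cert path on http_port that does not match the files actually created (the sort of typo that leaves Squid failing to start) and upstream certificate validation being left switched off, which lets the proxy itself be man-in-the-middled and then re-sign the forged certificate for every client that trusts ca.crt. The following lint script is an added example, not part of the original page or of Squid: it reads a squid.conf and reports both problems, plus a CA key that other local users can read. The function names and the sample configs in the usage are my own.

```shell
#!/bin/sh
# Added example (not from the original page): lint the SSL-bump settings in a
# squid.conf. Checks the key=/cert= paths on the http_port line, the key's
# permissions, and whether origin certificate validation has been disabled.

# Print the value of key=... or cert=... from the first http(s)_port line that has it.
# $1 = squid.conf, $2 = option name (key or cert)
port_opt() {
    awk -v opt="$2" '
        /^[ \t]*https?_port[ \t]/ {
            for (i = 1; i <= NF; i++)
                if (index($i, opt "=") == 1) { print substr($i, length(opt) + 2); exit }
        }' "$1"
}

# Return 0 when the config passes, 1 otherwise; findings go to stdout.
lint_bump_conf() {
    conf="$1"
    rc=0

    key=$(port_opt "$conf" key)
    cert=$(port_opt "$conf" cert)
    for f in "$key" "$cert"; do
        if [ -z "$f" ]; then
            echo "FAIL: http_port has no key=/cert= option"; rc=1
        elif [ ! -f "$f" ]; then
            echo "FAIL: $f does not exist (path typo?)"; rc=1
        fi
    done

    # The CA private key must not be readable by other local users.
    if [ -n "$key" ] && [ -f "$key" ]; then
        mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
        case "$mode" in
            *[1-7]?|*?[1-7]) echo "FAIL: $key is group/world accessible (mode $mode)"; rc=1 ;;
        esac
    fi

    # Origin verification must stay on: otherwise any forged upstream certificate
    # is accepted and re-issued to the client under our own CA.
    if grep -Eq '^[[:space:]]*sslproxy_cert_error[[:space:]]+allow' "$conf"; then
        echo "FAIL: sslproxy_cert_error allow ... disables origin certificate checks"; rc=1
    fi
    if grep -Eq '^[[:space:]]*sslproxy_flags.*DONT_VERIFY_PEER' "$conf"; then
        echo "FAIL: sslproxy_flags DONT_VERIFY_PEER disables origin certificate checks"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}

# Usage: sh lint_bump.sh /etc/squid3/squid.conf
if [ -n "${1:-}" ]; then
    lint_bump_conf "$1"
fi
```

Run it against /etc/squid3/squid.conf after editing and again after restarting Squid; the page's own configuration, taken literally, fails on both the key path and the two verification settings, and passes once the path is corrected, `sslproxy_cert_error deny all` is used and the `sslproxy_flags` line is removed.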

Sources

Elliot
techUnit's cofounder