Squid3 https mitm
Our need was to make a transparent proxy with the ability to intercept HTTPS traffic. The client wanted to block connections to social networks and other stuff. The problem was that Squid with SquidGuard is not able to do that in transparent mode with the default features. So to do that, you have to recompile the Squid sources to enable this function.
This configuration works with some sites but not the majority. But it's a good start.
Compile Squid package
    # Install compilation tools
    apt-get install devscripts build-essential fakeroot libssl-dev -y
    cd /usr/src
    # Download sources
    apt-get source squid3 -y
    # Install dependencies
    apt-get build-dep squid3 -y
    # Enter the unpacked source directory (the trailing slash skips the tarballs)
    cd /usr/src/squid3-*/
    # Add these lines to the file debian/rules:
    #   --enable-ssl \
    #   --enable-ssl-crtd \
    # Compile the package
    ./configure
    debuild -us -uc -b
    # Install packages
    cd ..
    apt-get install squid-langpack
    dpkg -i squid3_*.deb squid3-common_*.deb
    # Create a self-signed CA certificate (-nodes leaves ca.key unencrypted)
    cd /etc/squid3/
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout ca.key -out ca.crt
SSL Bump configuration
- Edit /etc/squid3/squid.conf
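    # ssl-bump listener; key and cert are the CA files created in /etc/squid3/ above
    http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid3/ca.key cert=/etc/squid3/ca.crt
    always_direct allow all
    ssl_bump allow all
    # Accept every upstream certificate error
    sslproxy_cert_error allow all
    # Or
    # sslproxy_cert_error deny all
    # Do not verify the origin server certificate
    sslproxy_flags DONT_VERIFY_PEER
    # Helper that generates the per-host certificates
    sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
    sslcrtd_children 5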
- Create the directory
    SQUIDSSLCRTDDIR=/var/lib/ssl_db/
    SSLCRTD=/usr/lib/squid3/ssl_crtd
    # Initialise the certificate database
    "$SSLCRTD" -c -s "$SQUIDSSLCRTDDIR"
    # Hand the database to the user Squid runs as
    [ -d "$SQUIDSSLCRTDDIR" ] && chown -R proxy: "$SQUIDSSLCRTDDIR"
- Restart Squid
- Import the certificate into your browser
- You can now try it
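
The squid.conf above sets sslproxy_cert_error allow all and sslproxy_flags DONT_VERIFY_PEER, so Squid accepts whatever certificate the origin server presents while the browser only sees the certificate Squid generated. The script below is an added example, not part of the original page: it audits a squid.conf for those two directives. The function names, the severity labels and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Sample configs are constructed.

# audit_squid_conf FILE: print one finding per line for directives that stop
# Squid from validating the origin server certificate.
audit_squid_conf() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
    ($1 == "http_port" || $1 == "https_port") && index($0, " ssl-bump") { bump = 1 }
    $1 == "sslproxy_cert_error" && $2 == "allow" && $3 == "all" {
        msg[++n] = "line " NR ": sslproxy_cert_error allow all accepts any upstream certificate error"
    }
    $1 == "sslproxy_flags" && index($0, "DONT_VERIFY_PEER") {
        msg[++n] = "line " NR ": sslproxy_flags DONT_VERIFY_PEER turns off upstream certificate verification"
    }
    END {
        # When Squid bumps, the browser only sees the certificate Squid minted,
        # so the proxy is the only place the origin certificate is checked.
        sev = bump ? "HIGH" : "LOW"
        for (i = 1; i <= n; i++) print sev " " msg[i]
    }' "$1"
}

# write_samples DIR: constructed configs, the page's settings and a stricter variant.
write_samples() {
    cat > "$1/page.conf" <<'EOF'
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid3/ca.key cert=/etc/squid3/ca.crt
always_direct allow all
ssl_bump allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
EOF
    cat > "$1/strict.conf" <<'EOF'
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid3/ca.key cert=/etc/squid3/ca.crt
always_direct allow all
ssl_bump allow all
# Upstream errors are refused and peer verification is left at its default.
sslproxy_cert_error deny all
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_squid_conf "$demo_dir/page.conf"      # two HIGH findings
audit_squid_conf "$demo_dir/strict.conf"    # no findings
rm -rf "$demo_dir"
```

With the stricter variant, sites that present an invalid certificate fail at the proxy instead of being re-signed and served to the browser as trusted.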