[squid-users] squid as transparent ssl proxy

From: Jan Fischbach <jan85f_at_googlemail.com>
Date: Fri, 24 Feb 2012 16:25:16 +0100

Hi Everyone,

I compiled an configured squid in the way to get a transparent ssl
proxy. With the debug flag an looking into the access.log, no errors
or warnings are shown. When intercepting http traffic, everything
works fine but there is trouble with ssl.
On the Client (ipad) - safari tells me that it cant establish a safe
connection - nothing more. the acces.logs shows:

ext/html
1330094808.367 3 172.20.0.113 NONE/400 3563
%BF%18%C6%CC%D5%CB%B5+%C5Eq - NONE/- text/html
1330094809.922 8 172.20.0.113 NONE/400 3546 NONE
error:invalid-request - NONE/- text/html
1330094811.938 2 172.20.0.113 NONE/400 3546 NONE
error:invalid-request - NONE/- text/html
1330094813.603 3 172.20.0.113 NONE/400 3552 NONE
error:invalid-request - NONE/- text/html
1330094813.673 2 172.20.0.113 NONE/400 3552 NONE
error:invalid-request - NONE/- text/html
1330094813.744 10 172.20.0.113 NONE/400 3546 NONE
error:invalid-request - NONE/- text/html

here is my config and stuff:

ip_forward =1

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp
dpt:www redir ports 3128
REDIRECT tcp -- anywhere anywhere tcp
dpt:https redir ports 3129

Squid Cache: Version 3.1.19
configure options: '--enable-ssl' '--enable-ssl-crtd'
'--enable-linux-netfilter' --with-squid=/root/squid-3.1.19
--enable-ltdl-convenience

and here the squid.conf

#
# Recommended minimum configuration:
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl SSL method CONNECT
ssl_bump allow all

## allow users to webistes attemping to use certs belonging to other domains
acl BadSite ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BadSite
sslproxy_cert_error deny all

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 172.20.0.0/24 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly
plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost localnet

### MEINE REGELN FÜR TRANSPARENT SSL PROXYING

always_direct allow all
ssl_bump allow all

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# Squid Transparent http listens to port 3128
http_port 172.20.0.79:3128 intercept

http_port 127.0.0.1:3128 intercept
# Squid Transparent SSL https listens to por 3129
http_port 172.20.0.79:3129 intercept ssl-bump
cert=/etc/apache2/ssl/server.crt key=/etc/apache2/ssl/server.key

http_port 127.0.0.1:3129 intercept ssl-bump
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
options=ALL cert=/etc/apache2/ssl/apache.pem

sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /etc/apache2/ssl2 -M 4MB

sslcrtd_children 50

Hope someone can help me.

Best regards,
Jan
Received on Fri Feb 24 2012 - 15:25:23 MST

This archive was generated by hypermail 2.2.0 : Sat Feb 25 2012 - 12:00:04 MST