
#1 2020-06-28 19:17:39

hleung
Member
Registered: 2011-01-10
Posts: 20

[Solved] Transparent Squid Proxy for HTTPS

Hi,

I've set up an Arch Linux machine as a router, and I want to install a proxy server on it to filter content.  I followed Squid - ArchWiki and managed to set it up as a transparent proxy for HTTP traffic with the proper firewall rule redirecting port 80 to 3128 (the HTTP proxy port).  It worked flawlessly.  I added "https_port" to my configuration file, generated a certificate, and included another firewall rule redirecting port 443 to 3129 to filter content, but now I am unable to connect to the internet at all.

Here's my Squid configuration file /etc/squid/squid.conf

acl localhost src 127.0.0.1
acl localnet src 172.17.100.0/24 # router interface enp1s0 (local network)
acl localnet src 172.18.200.0/24 # router interface enp2s0 (local network)
acl localnet src 192.168.2.25 # router interface wlo1_sta (internet)

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65536
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT

acl blockdomains dstdomain .facebook.com
acl blockdomains dstdomain .bjpenn.com
acl blockdomains dstdomain .lachuteperformance.com
http_reply_access deny blockdomains
http_access deny blockdomains CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all

http_port 3127
http_port 3128 intercept
https_port 3129 intercept ssl-bump tls-cert=/etc/squid/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

shutdown_lifetime 5 seconds

Here are my firewall/iptables rules

iptables -t nat -A PREROUTING -i enp1s0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i enp1s0 -p tcp --dport 443 -j REDIRECT --to-port 3129
iptables -t nat -A PREROUTING -i enp2s0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A PREROUTING -i enp2s0 -p tcp --dport 443 -j REDIRECT --to-port 3129

iptables -t nat -A POSTROUTING -o wlo1_sta -j MASQUERADE
iptables -A FORWARD -i enp1s0 -o wlo1_sta -j ACCEPT
iptables -A FORWARD -i enp2s0 -o wlo1_sta -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Here's how I start squid proxy

/usr/lib64/squid/security_file_certgen -c -s /var/cache/squid/ssl_db -m 4MB
squid -z
chown -R proxy:proxy /var/cache/squid/ssl_db
systemctl start squid.service

I've imported the generated myCA.der, as indicated in the Squid Arch Wiki, into the Trusted Root Certification Authorities store on my Windows client machine, but I no longer have access to the internet.  I keep getting the following error in /var/log/squid/access.log

<client IP address> NONE_ABORTED/200 0 CONNECT <destination IP address>:443 - HIER_NONE/- -

I tried other references as well, but none of them worked for me:
Youtube: Transparent HTTP+HTTPS Proxy with Squid and iptables
A short guide on Squid transparent proxy & SSL bumping

Please advise.

Last edited by hleung (2020-07-01 22:13:08)


Everyone has their own belief, and that belief becomes their own religion.
My bible = "Rapture for the Geeks" by Richard Dooling


#2 2020-07-01 22:12:38

hleung
Member
Registered: 2011-01-10
Posts: 20

Re: [Solved] Transparent Squid Proxy for HTTPS

Hi all,

After trying multiple settings, I finally found a setting that worked, from the Reddit post "Squid proxy - a short guide (forward & transparent proxy examples, SSL bumping, links to guides)", and thought of sharing it.

/etc/squid/squid.conf
...
# SSL bump instructions
# Define SSL connections steps
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

#ssl_bump peek step1    # <- enabling this breaks it
ssl_bump stare step2
ssl_bump bump step3
# Uncommenting this may also break bumping.
#ssl_bump bump all
...

In the Arch Linux Squid Wiki, the options NO_TLSv1, SINGLE_DH_USE, and SINGLE_ECDH_USE are also no longer supported.

Have a good day~


Everyone has their own belief, and that belief becomes their own religion.
My bible = "Rapture for the Geeks" by Richard Dooling
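To tell whether the bump fix above actually took effect, it helps to look at access.log as a whole rather than one line: a client whose CONNECTs end in NONE_ABORTED/200 and who never produces a decrypted https:// request is still broken. The following log analyser is an added example (not from the thread or from Squid), assumes Squid's default "squid" native log format, and runs over constructed sample lines that mimic the poster's setup.

```python
import re
from collections import Counter, defaultdict

# Default squid access.log format, one entry per line:
# time elapsed client result/status bytes method url user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

def classify(entry):
    """Map one parsed entry to what it says about SSL bumping."""
    if entry["result"] == "NONE_ABORTED" and entry["method"] == "CONNECT":
        return "aborted_connect"      # the symptom from the first post
    if entry["result"] == "TCP_DENIED":
        return "denied"               # hit a deny rule (e.g. blockdomains)
    if entry["method"] == "CONNECT":
        return "tunneled"             # spliced/tunneled, not inspected
    if entry["url"].startswith("https://"):
        return "bumped"               # decrypted request seen by squid
    return "plain_http"

def analyze(lines):
    """Return {client: Counter(category -> count)} for parsable lines."""
    per_client = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                  # skip blank or truncated lines
        per_client[m.group("client")][classify(m.groupdict())] += 1
    return per_client

def bump_failing(counts):
    """True when a client only aborts CONNECTs and never gets a bumped request."""
    return counts["aborted_connect"] > 0 and counts["bumped"] == 0

# Constructed sample lines (not real traffic), hypothetical hosts and IPs.
SAMPLE_LOG = """\
1593378000.123     45 172.17.100.10 NONE_ABORTED/200 0 CONNECT 93.184.216.34:443 - HIER_NONE/- -
1593378000.456     40 172.17.100.10 NONE_ABORTED/200 0 CONNECT 93.184.216.34:443 - HIER_NONE/- -
1593378100.789    210 172.17.100.10 TCP_MISS/200 5123 GET https://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1593378101.012     15 172.17.100.10 TCP_DENIED/403 3712 GET https://www.facebook.com/ - HIER_NONE/- text/html
1593378102.345    300 172.18.200.7 TCP_TUNNEL/200 8192 CONNECT bank.example.net:443 - HIER_DIRECT/203.0.113.5 -
""".splitlines()

if __name__ == "__main__":
    for client, counts in analyze(SAMPLE_LOG).items():
        print(client, dict(counts), "<- bump failing" if bump_failing(counts) else "")
```

Point it at the real file with `analyze(open("/var/log/squid/access.log"))`; a client flagged as failing after the config change means the peek/bump ordering is still wrong for that client.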

