SSL interception with Squid (MITM)

by manu on 30 November 2011

Squid setup

Goal: run a Squid proxy and intercept the SSL traffic that goes through it. Squid terminates the client's TLS session with a certificate of its own, then opens a second TLS session to the real server, so it sees the plaintext in between.
First you need a Squid build with SSL support, which the Debian packages do not have. You therefore have to fetch the source package, change the build rules and rebuild the .deb files. Note that ssl_bump only exists from Squid 3.1 on, which Debian packages as squid3 (the package called squid is the 2.7 series).

cd /usr/src
apt-get source squid3            # the 3.x series; "squid" would fetch 2.7, which has no ssl_bump
apt-get build-dep squid3
apt-get build-dep openssl
apt-get install libssl-dev       # OpenSSL headers, needed once --enable-ssl is added
apt-get install devscripts build-essential fakeroot

Unpack the squid archive and cd into its directory.
Edit the build rules so that SSL support is compiled into the squid binary package: add "--enable-ssl" to the configure options in debian/rules.

cd squid3-xxx                # the unpacked source directory
vi debian/rules              # add --enable-ssl to the ./configure options; debuild runs configure itself
debuild -us -uc -b           # -b: binary packages only, -us -uc: do not sign them

You get several .deb files; install squid3-common and squid3 (the xxx in the file names is the version you fetched).

Generate the certificates

This CA key is what the proxy uses to sign the certificates it presents in place of the real servers, so whoever can read CA_pvk.pem can impersonate any site to every client that has imported CA_crt.pem. Keep it on the proxy only, readable by the user Squid runs as and nobody else. The key is generated encrypted, a copy of the encrypted file is kept, and the passphrase is then stripped from the working copy because Squid cannot answer a passphrase prompt when it starts. Clients must import CA_crt.pem as a trusted root, otherwise every bumped site shows a certificate warning.

openssl genrsa -aes256 -out CA_pvk.pem 2048      # 1024 bits is too small for a CA key; use 2048 or more
openssl req -new -x509 -days 365 -key CA_pvk.pem -out CA_crt.pem
cp CA_pvk.pem CA_pvk.pem.pass                    # keep the passphrase-protected copy
openssl rsa -in CA_pvk.pem -out CA_pvk.pem       # strip the passphrase: Squid cannot prompt for it at start-up
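The script below is an added example, not part of the original post: it builds the CA the same way with fixed file names, forges a certificate for a host with it (which is what a bumping proxy does for each site), and then checks what a client concludes about that certificate with and without the CA imported. The directory, the passphrase "secret" and the hostnames www.example.com and mail.example.com are assumptions for the demo; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original post): build the interception CA as the post does,
# forge a server certificate with it, and check what a client makes of the result.
# The file names, the passphrase "secret" and the hostnames are assumptions for the demo.
set -e
PASS=secret

# Create the CA under DIR: an encrypted key kept as CA_pvk.pem.pass, and a passphrase-free
# copy CA_pvk.pem for Squid, which cannot answer a passphrase prompt when it starts.
make_ca() {
    dir=$1
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$dir/CA_pvk.pem.pass" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/CA_pvk.pem.pass" -passin "pass:$PASS" \
        -subj "/CN=Squid test CA" -out "$dir/CA_crt.pem"
    openssl rsa -in "$dir/CA_pvk.pem.pass" -passin "pass:$PASS" -out "$dir/CA_pvk.pem" 2>/dev/null
    chmod 600 "$dir/CA_pvk.pem" "$dir/CA_pvk.pem.pass"   # whoever reads this key can impersonate any site
}

# Forge a certificate for HOST signed by the CA in DIR: this is what a bumping proxy
# presents to the client in place of the real server certificate.
issue_leaf() {
    dir=$1; host=$2
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$host.key" -subj "/CN=$host" -out "$dir/$host.csr"
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" > "$dir/$host.ext"
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/CA_crt.pem" -CAkey "$dir/CA_pvk.pem" \
        -CAcreateserial -days 365 -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

# Print "trusted" or "untrusted": what a client expecting HOST concludes about CRT when it
# trusts CAFILE (empty CAFILE = the system trust store only). Hostname checking included.
verify_leaf() {
    crt=$1; host=$2; cafile=$3
    if [ -n "$cafile" ]; then set -- -CAfile "$cafile"; else set --; fi
    if openssl verify "$@" -verify_hostname "$host" "$crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

work=$(mktemp -d)
make_ca "$work"
issue_leaf "$work" www.example.com
echo "forged cert issuer: $(openssl x509 -in "$work/www.example.com.crt" -noout -issuer)"
echo "CA imported, expecting www.example.com : $(verify_leaf "$work/www.example.com.crt" www.example.com "$work/CA_crt.pem")"
echo "system trust store only               : $(verify_leaf "$work/www.example.com.crt" www.example.com "")"
echo "CA imported, expecting mail.example.com: $(verify_leaf "$work/www.example.com.crt" mail.example.com "$work/CA_crt.pem")"
# Squid 3.1 has no per-host generation and serves the cert= file itself to every bumped site:
echo "Squid 3.1 style, CA cert served as-is  : $(verify_leaf "$work/CA_crt.pem" www.example.com "$work/CA_crt.pem")"
```

The first three checks show the trade-off of the whole setup: once CA_crt.pem is imported, the client cannot tell the forged certificate from a real one, while a client that only has the system trust store rejects it, and even a trusting client still rejects a certificate issued for the wrong name. The last check models Squid 3.1, the version of the post: with `sslBump cert=CA_crt.pem` it presents that certificate as-is to every bumped site (per-host certificate generation only arrived in Squid 3.2), so browsers get a name mismatch even after importing the CA.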

Squid configuration

Two points to check in the access rules. Squid evaluates http_access lines top to bottom and stops at the first match, so the deny rules (!Safe_ports, CONNECT !SSL_ports) must come before the allow that requires authentication; an "http_access allow Safe_ports" placed before "http_access allow USERS" turns the machine into an open proxy for any source address on those ports, with no login at all. And the standard Safe_ports list contains 443 (8443 is only an alternate HTTPS port): without it, "deny !Safe_ports" would block every CONNECT to 443, which is exactly the traffic you want to bump.

### Squid conf with SSL ###

dns_nameservers 8.8.8.8

# ALL,5 writes a great deal to cache.log; lower it (e.g. ALL,1) once the setup works
debug_options ALL,5
logformat combined %>a %ui %un [%{%d/%b/%Y:%H:%M:%S +0000}tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
# name the logformat here, otherwise the "combined" definition above is never used
access_log /var/log/squid3/access.log combined

# sometimes needed: chmod u+s /usr/lib/squid3/pam_auth (pam_auth has to read /etc/shadow)
auth_param basic program /usr/lib/squid3/pam_auth
auth_param basic children 2
auth_param basic realm Mandataire T E S T
auth_param basic credentialsttl 2 hours

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320


################################# ACL ################################

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin ?

acl manager proto cache_object
acl localhost src 127.0.0.1
acl localnet src 192.168.45.0/24

acl SSL_ports port 443
acl Safe_ports port 80-90       # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 8443        # https on an alternate port

acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http

acl CONNECT method CONNECT

acl USERS proxy_auth REQUIRED
cache deny QUERY

################################ DIRECT ################################

# required, otherwise bumped connections come back as a 503
always_direct allow SSL_ports

# http_access: first match wins, so the denies come first, then the authenticated allow, then deny all
# cache manager only from the proxy itself
http_access allow manager localhost
http_access deny manager
# refuse ports outside Safe_ports, and CONNECT to anything but SSL_ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# everything else needs a valid PAM user on the LAN ("allow Safe_ports" here would make an open proxy)
http_access allow localnet USERS

ssl_bump allow SSL_ports
ssl_bump deny all

http_access deny all
http_reply_access allow all
icp_access allow all

# Squid 3.1 presents this certificate as-is to every bumped client (per-host certificates
# only arrived in 3.2), so browsers see a name mismatch even after importing CA_crt.pem
http_port 3128 sslBump cert=/etc/squid3/cert2/CA_crt.pem key=/etc/squid3/cert2/CA_pvk.pem

visible_hostname vnet2.naze.mine.nu
forwarded_for on
# change MonPass; with the manager rules above, cachemgr is only reachable from localhost anyway
cachemgr_passwd MonPass server_list
cachemgr_passwd MonPass shutdown
coredump_dir /var/spool/squid3
error_directory /usr/share/squid3/errors/fr
cache_effective_user proxy
cache_effective_group proxy
# an estimate used to size the in-memory index, not a limit; the default is 13 KB
store_avg_object_size 100 MB
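To see the effect of the http_access order without starting Squid, here is an added example (not from the original post): a small first-match evaluator for http_access rules, run against two constructed squid.conf fragments, open.conf with the "allow Safe_ports before the auth rule" order and fixed.conf with the usual deny-first order. Only src, port, method and proxy_auth ACLs are modelled, and the requests are constructed (203.0.113.7 is a documentation address standing for an outside client, 192.168.45.10 a host on the post's LAN); it needs only sh and awk.

```shell
#!/bin/sh
# Added example (not from the original post): replay Squid's first-match http_access
# evaluation against two constructed squid.conf fragments, without starting Squid.
# Modelled ACL types: src, port, method, proxy_auth (others never match); "all" always matches.
set -e

# Usage: squid_http_access CONF SRC_IP DST_PORT METHOD AUTHENTICATED(yes|no)
# Prints "allow ..." or "deny ..." followed by the rule that decided.
squid_http_access() {
    awk -v src="$2" -v port="$3" -v method="$4" -v auth="$5" '
    function ip2n(s,  a) { split(s, a, "."); return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4] }
    function in_cidr(ip, cidr,  p, net, bits, div) {   # prefix compare by integer division (no bit ops in POSIX awk)
        p = index(cidr, "/")
        if (p) { net = substr(cidr, 1, p - 1); bits = substr(cidr, p + 1) + 0 } else { net = cidr; bits = 32 }
        div = 2 ^ (32 - bits)
        return int(ip2n(ip) / div) == int(ip2n(net) / div)
    }
    function in_range(v, r,  p, lo, hi) {              # "443" or "1025-65535"
        p = index(r, "-")
        if (p) { lo = substr(r, 1, p - 1) + 0; hi = substr(r, p + 1) + 0 } else { lo = hi = r + 0 }
        return v >= lo && v <= hi
    }
    function acl_match(nm,  type, k, a, i) {
        if (nm == "all") return 1                      # Squid 3 predefines "acl all src all"
        type = acltype[nm]; k = split(aclargs[nm], a, " ")
        if (type == "src")    { for (i = 1; i <= k; i++) if (in_cidr(src, a[i])) return 1; return 0 }
        if (type == "port")   { for (i = 1; i <= k; i++) if (in_range(port + 0, a[i])) return 1; return 0 }
        if (type == "method") { for (i = 1; i <= k; i++) if (toupper(a[i]) == toupper(method)) return 1; return 0 }
        if (type == "proxy_auth") return auth == "yes"  # real Squid answers 407 here instead of a plain deny
        return 0
    }
    function rule_match(r,  k, t, i, neg, nm) {       # every term on the line must match (AND); "!" negates
        k = split(terms[r], t, " ")
        for (i = 1; i <= k; i++) {
            neg = (substr(t[i], 1, 1) == "!")
            nm = neg ? substr(t[i], 2) : t[i]; nm = tolower(nm)
            if (acl_match(nm) == neg) return 0
        }
        return 1
    }
    { sub(/#.*/, ""); if (NF == 0) next }              # strip comments and blank lines
    $1 == "acl" {                                      # acl lines sharing a name are merged, as in Squid
        nm = tolower($2); acltype[nm] = $3
        for (i = 4; i <= NF; i++) aclargs[nm] = aclargs[nm] " " $i
    }
    $1 == "http_access" {
        n++; action[n] = $2
        for (i = 3; i <= NF; i++) terms[n] = terms[n] " " $i
    }
    END {
        for (r = 1; r <= n; r++)
            if (rule_match(r)) { print action[r] " (rule " r ": http_access " action[r] terms[r] ")"; exit }
        d = (action[n] == "allow") ? "deny" : "allow"   # nothing matched: the opposite of the last rule
        print d " (no rule matched)"
    }' "$1"
}

# Constructed configs: open.conf has the rule order of the post, fixed.conf the usual deny-first order.
write_configs() {
    cat > "$1/open.conf" <<'EOF'
acl manager proto cache_object
acl localnet src 192.168.45.0/24
acl SSL_ports port 443
acl Safe_ports port 80-90
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
acl USERS proxy_auth REQUIRED
http_access allow manager
http_access allow Safe_ports
http_access allow USERS
http_access deny all
EOF
    cat > "$1/fixed.conf" <<'EOF'
acl localnet src 192.168.45.0/24
acl SSL_ports port 443
acl Safe_ports port 80-90
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
acl USERS proxy_auth REQUIRED
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet USERS
http_access deny all
EOF
}

work=$(mktemp -d); write_configs "$work"
for req in "open.conf 203.0.113.7 80 GET no" "fixed.conf 203.0.113.7 80 GET no" \
           "fixed.conf 192.168.45.10 443 CONNECT yes" "fixed.conf 192.168.45.10 25 CONNECT yes"; do
    set -- $req; echo "$req -> $(squid_http_access "$work/$1" "$2" "$3" "$4" "$5")"
done
```

With open.conf, an unauthenticated request from 203.0.113.7 to port 80 is allowed by rule 2 before the USERS rule is ever reached; only CONNECT to 443 falls through to the authentication rule, because that Safe_ports list lacks 443. With fixed.conf the same outside request is denied, a LAN user who has authenticated may CONNECT to 443, and CONNECT to port 25 is refused by "deny !Safe_ports" even for an authenticated user. The evaluator deliberately treats proxy_auth as a plain yes/no; real Squid turns a non-matching REQUIRED into a 407 challenge, and ACL names are lower-cased here so that SSL_ports and SSL_Ports refer to the same ACL.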
