Configure squid-3.3 in transparent mode on CentOS 7 with SSL bump

From Notes_Wiki

Home > CentOS > CentOS 6.x > Squid proxy server configuration > Configure squid-3.3 in transparent mode on CentOS 7 with SSL bump

On CentOS 6.5 installing via source requires compiling gcc too. Without using sources ssl_crtd program is not provided with binaries. Thus, best is to avoid using CentOS 6 and consider CentOS 7 for hosting squid with SSL bump features.

This setup assumes two interfaces - One external connected to ISP and one internal for LAN users. For any deviation please change steps appropriately.

On CentOS7 use following steps:

  1. yum -y install squid
  2. Create CA certificate and key for SSL bump
    cd /etc/squid
    mkdir ssl_cert
    chown squid:squid ssl_cert
    chmod 700 ssl_cert
    cd ssl_cert
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
  3. Then extract certificate for importing in browsers
    openssl x509 -in myCA.pem -outform DER -out myCA.der
  4. Disable SELinux
    setenforce 0
    Also edit '/etc/sysconfig/selinux' appropriately.
  5. Generate DH parameters in '/etc/squid' folder
    openssl dhparam -outform PEM -out dhparam.pem 2048
  6. Edit '/etc/squid/squid.conf' and use following before 'http_access deny all' rule:
    #Enable quick shutdown
    shutdown_lifetime 0 seconds
    #Enable transparent proxy with SSL bump
    http_port 3126 intercept
    https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/myCA.pem
    http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/myCA.pem
    #Configure SSL Bump for all sites
    acl broken_sites dstdom_regex icicibank.com hdfcbank.com
    acl monitor_domains dstdom_regex youtube.com facebook.com ytimg.com googlevideo.com ggpht.com
    acl monitor_domains2 dst 216.58.196.110 216.58.199.174 #youtube connect works over IP
    ssl_bump none localhost
    ssl_bump none broken_sites #Avoid bumping financial sites such as banks
    ssl_bump server-first monitor_domains #Bump facebook and youtube
    ssl_bump server-first monitor_domains2 #Since youtube bump fails with just domain also add youtube serverIP
    #Configure hostname
    visible_hostname tproxy.purpletalk.com
    #Configure logging of query terms
    strip_query_terms off #This will allow checking which youtube URLs were visited by user
  7. Initialize SSL certificate directory
    /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
    chown -R squid:squid /var/lib/ssl_db/
  8. After this try starting squid
    systemctl start squid
    systemctl status squid
    systemctl enable squid
    Ignore SELinux warnings related to certificate access to /var/lib/ssl_db
  9. Enable IP forwarding
    sysctl net.ipv4.ip_forward=1
  10. Create file '/etc/sysctl.d/ipv4_forward.conf' with following contents:
    net.ipv4.ip_forward = 1
  11. Labels interface internal and external appropriately by appending 'ZONE=internal' or 'ZONE=external' in '/etc/sysconfig/network-scripts/ifcfg-<interface>' files.
  12. Set zones and verify settings:
    systemctl restart network
    firewall-cmd --get-active-zones
  13. Configure firewall rules for allowing access to incoming ports
    firewall-cmd --zone=internal --add-port=3126/tcp --permanent
    firewall-cmd --zone=internal --add-port=3127/tcp --permanent
    firewall-cmd --zone=internal --add-port=3128/tcp --permanent
  14. Use direct interface of firewalld to configure port redirection. Edit file /etc/firewalld/direct.xml and put
    <?xml version="1.0" encoding="utf-8"?>
    <direct>
    <rule ipv="ipv4" table="nat" chain="PREROUTING" priority="0">-i ens192 -p tcp --dport 80 -j REDIRECT --to-ports 3126</rule>
    <rule ipv="ipv4" table="nat" chain="PREROUTING" priority="0">-i ens192 -p tcp --dport 443 -j REDIRECT --to-ports 3127</rule>
    </direct>
    Replace internal interface name after "-i" in above XML file
  15. Enable and verify direct rules using:
    firewall-cmd --reload
    firewall-cmd --direct --get-all-rules
  16. Enable masquerade
    firewall-cmd --permanent --zone=external --add-masquerade
    firewall-cmd --reload
    firewall-cmd --zone=external --list-all
  17. Configure a browser with proxy:3128 and http browsing should work. For https browsing certificate error should be shown. Now import certificate exported earlier into browser and https should also work.
  18. Configure browser for direct Internet access and everything should work. Verify that logs in /var/log/squid/access.log are getting updated.


Suggestions

  • Configure Squid log analysis using sarg
  • Disable log deletion by editing /etc/logrotate.conf and setting rotate to 400. Optionally uncomment "compress"
  • Configure cache using "cache_dir aufs <cache-directory> <cache-size-in-MB> 16 256"
  • Perform reboot by rebooting proxy and verifying that things continue to work properly after reboot.


Refer



Home > CentOS > CentOS 6.x > Squid proxy server configuration > Configure squid-3.3 in transparent mode on CentOS 7 with SSL bump