Configure squid-3.3 in transparent mode on CentOS 7 with SSL bump

From Notes_Wiki

On CentOS 6.5 the packaged squid binaries do not ship the ssl_crtd helper, so SSL bump requires building squid from source, which in turn requires building a newer gcc. It is therefore best to avoid CentOS 6 and use CentOS 7, whose squid-3.3 package includes ssl_crtd, for hosting squid with SSL bump.

This setup assumes two interfaces: one external, connected to the ISP, and one internal for LAN users. Adjust the steps for any deviation from this layout.

On CentOS 7 use the following steps:

  1. yum -y install squid
  2. Create the CA certificate and key for SSL bump. The single myCA.pem file holds both the private key and the certificate; whoever holds this key can impersonate any HTTPS site towards every client that trusts it, so it must stay in a directory readable by the squid user only. With '-days 365' the CA expires after one year and must then be regenerated and re-imported into the browsers.
    cd /etc/squid
    mkdir ssl_cert
    chown squid:squid ssl_cert
    chmod 700 ssl_cert
    cd ssl_cert
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
  3. Then extract the certificate alone (without the private key) for importing into browsers. This DER file is the only part that should ever leave the proxy.
    openssl x509 -in myCA.pem -outform DER -out myCA.der
  4. Disable SELinux. The stock policy does not cover the ssl_crtd certificate database created in step 7, which is why this step is needed.
    setenforce 0
    This switches to permissive mode until the next reboot. To make it persistent also edit '/etc/sysconfig/selinux' (a symlink to '/etc/selinux/config') and set 'SELINUX=permissive' or 'SELINUX=disabled'.
  5. Generate DH parameters in the '/etc/squid' folder. They are referenced from the https_port line in step 6 for ephemeral DH key exchange.
    openssl dhparam -outform PEM -out dhparam.pem 2048
  6. Edit '/etc/squid/squid.conf' and add the following before the 'http_access deny all' rule:
    #Enable quick shutdown
    shutdown_lifetime 0 seconds
    #Enable transparent proxy with SSL bump. Ports 3126/3127 receive the
    #NAT-redirected LAN traffic (step 14); 3128 is the explicit proxy port
    #for browsers that are configured to use the proxy.
    http_port 3126 intercept
    https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/myCA.pem dhparams=/etc/squid/dhparam.pem
    http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=16MB cert=/etc/squid/ssl_cert/myCA.pem
    #The ssl_crtd helper and its certificate database come from the CentOS 7
    #package default (sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB);
    #step 7 initializes that database.
    #Configure SSL bump. Rules are evaluated in order and the first match wins;
    #a connection that matches no rule is not bumped and is tunneled as-is.
    #dstdom_regex patterns are unanchored substring matches, which is acceptable
    #for an exclusion list but too loose for anything that grants access.
    acl broken_sites dstdom_regex icicibank.com hdfcbank.com
    acl monitor_domains dstdom_regex youtube.com facebook.com ytimg.com googlevideo.com ggpht.com
    #For intercepted HTTPS squid-3.3 cannot peek at the SNI: at decision time it
    #only knows the destination IP, and domain ACLs fall back to reverse DNS of
    #that IP, which rarely yields the name the client used. YouTube is therefore
    #also matched by server IP. These addresses change over time and must be
    #maintained.
    acl monitor_domains2 dst 216.58.196.110 216.58.199.174
    ssl_bump none localhost
    #Avoid bumping financial sites such as banks
    ssl_bump none broken_sites
    #Bump facebook and youtube
    ssl_bump server-first monitor_domains
    #Since the youtube bump fails with just the domain, also bump the youtube server IPs
    ssl_bump server-first monitor_domains2
    #Configure hostname
    visible_hostname tproxy.purpletalk.com
    #Log full URLs including query strings, to see which youtube URLs users visited.
    #Query strings of bumped HTTPS requests can carry session tokens and other
    #secrets, so keep /var/log/squid/access.log readable by root and squid only.
    strip_query_terms off
  7. Initialize the certificate database used by ssl_crtd (the path matches the package default of sslcrtd_program)
    /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
    chown -R squid:squid /var/lib/ssl_db/
  8. After this try starting squid
    systemctl start squid
    systemctl status squid
    systemctl enable squid
    With SELinux in permissive mode, AVC warnings about certificate access to /var/lib/ssl_db are logged but not enforced; they can be ignored.
  9. Enable IP forwarding
    sysctl net.ipv4.ip_forward=1
  10. Make it persistent across reboots by creating the file '/etc/sysctl.d/ipv4_forward.conf' with the following contents:
    net.ipv4.ip_forward = 1
  11. Label the interfaces internal and external by appending 'ZONE=internal' or 'ZONE=external' to the respective '/etc/sysconfig/network-scripts/ifcfg-<interface>' files.
  12. Apply the zones and verify the settings:
    systemctl restart network
    firewall-cmd --get-active-zones
  13. Configure firewall rules so that LAN clients (internal zone only) can reach the proxy ports. Do not open these ports in the external zone; the proxy must not be reachable from the ISP side.
    firewall-cmd --zone=internal --add-port=3126/tcp --permanent
    firewall-cmd --zone=internal --add-port=3127/tcp --permanent
    firewall-cmd --zone=internal --add-port=3128/tcp --permanent
  14. Use the direct interface of firewalld to redirect LAN web traffic to the intercept ports. Edit the file /etc/firewalld/direct.xml and put:
    <?xml version="1.0" encoding="utf-8"?>
    <direct>
    <rule ipv="ipv4" table="nat" chain="PREROUTING" priority="0">-i ens192 -p tcp --dport 80 -j REDIRECT --to-ports 3126</rule>
    <rule ipv="ipv4" table="nat" chain="PREROUTING" priority="0">-i ens192 -p tcp --dport 443 -j REDIRECT --to-ports 3127</rule>
    </direct>
    Replace the internal interface name after "-i" in the above XML file. Matching on the internal interface only ensures that traffic arriving on the external interface is never redirected into the proxy.
  15. Enable and verify direct rules using:
    firewall-cmd --reload
    firewall-cmd --direct --get-all-rules
  16. Enable masquerade
    firewall-cmd --permanent --zone=external --add-masquerade
    firewall-cmd --reload
    firewall-cmd --zone=external --list-all
  17. Configure a browser to use proxy:3128 explicitly; HTTP browsing should work. HTTPS browsing of a bumped site (youtube or facebook, per the ACLs above) should show a certificate error, because the server certificate presented to the browser is now issued by the local CA. Import the myCA.der exported in step 3 into the browser as a trusted CA and HTTPS should also work.
  18. Configure the browser for direct Internet access (no proxy) and everything should still work, now through the transparent redirect. Verify that /var/log/squid/access.log is being updated and shows the bumped HTTPS URLs.
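Because 'strip_query_terms off' (step 6) writes full URLs, including the query strings of bumped HTTPS requests, to access.log, any token or password passed as a URL parameter ends up in the log. The following is an added example and not part of the original page: a POSIX sh/awk filter that redacts such parameters from Squid native-format access.log lines before they are handed to sarg or copied off the proxy. The sample log lines are constructed, and the list of parameter names treated as secret is an assumption to be tuned for your traffic.

```shell
#!/bin/sh
# Added example: redact secret-looking query parameters from Squid native
# access.log lines. In the native format field 7 is the URL. The set of
# parameter names is an assumption; over-redaction is preferred to leaking.
redact_query_secrets() {
  awk '
  {
    url = $7
    q = index(url, "?")
    if (q > 0) {
      base = substr(url, 1, q - 1)
      query = substr(url, q + 1)
      n = split(query, parts, "&")
      out = ""
      for (i = 1; i <= n; i++) {
        eq = index(parts[i], "=")
        if (eq > 0) {
          k = substr(parts[i], 1, eq - 1)
          # Substring match so session_token, access_token, passwd etc. all hit.
          if (tolower(k) ~ /token|sess|passw|pwd|auth|secret|apikey|api_key|^key$/)
            parts[i] = k "=REDACTED"
        }
        out = out (i > 1 ? "&" : "") parts[i]
      }
      # Assigning a field makes awk rebuild the record with single spaces.
      $7 = base "?" out
    }
    # Lines without a query string (or with fewer than 7 fields) pass unchanged.
    print
  }'
}

# Constructed sample lines (not real traffic). Real usage:
#   redact_query_secrets < /var/log/squid/access.log > access.redacted.log
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' \
    '1457185000.123    245 192.168.1.10 TCP_MISS/200 5432 GET https://www.youtube.com/watch?v=abc123&session_token=s3cr3t - HIER_DIRECT/216.58.196.110 text/html' \
    '1457185001.000  12 192.168.1.11 TCP_HIT/200 1234 GET http://www.example.com/index.html - HIER_NONE/- text/html' \
  | redact_query_secrets
fi
```

Run the script with '--demo' to see the constructed lines filtered. Lines whose URL is rewritten come out with single-space field separators, which is harmless for sarg and other whitespace-splitting parsers; lines without a query string are passed through byte-for-byte.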


Suggestions

  • Configure Squid log analysis using sarg
  • Keep logs for longer by editing /etc/logrotate.conf and setting 'rotate' to 400 (the number of rotated logs kept before deletion). Optionally uncomment "compress"
  • Configure a disk cache using "cache_dir aufs <cache-directory> <cache-size-in-MB> 16 256"
  • Reboot the proxy and verify that everything continues to work properly after the reboot.

