Difference between revisions of "Using encrypted channels to communicate with squid proxy server"

From Notes_Wiki
Revision as of 12:25, 26 September 2019


Using encrypted channels to communicate with squid proxy server

We can use

https_port 8081 cert=/etc/squid/squid.pem

in 'squid.conf' to allow clients to connect to the proxy using SSL, where 'squid.pem' can be generated as explained at Openssl.


On the client side we can use stunnel to tunnel all of the browser's plain-text traffic over SSL to the proxy server on port 8081. A sample stunnel service configuration is

	[facultyproxy]
	accept=8080
	client=yes
	connect=<proxy-ip-or-fqdn>:8081


We can add the above section to '/etc/stunnel/stunnel.conf' and run stunnel using 'stunnel /etc/stunnel/stunnel.conf', so that stunnel listens on port 8080 on localhost and forwards all incoming connections over SSL to the proxy server on port 8081.


We can also add the following options if we have the CA certificate and want to defend against man-in-the-middle attacks mounted with other self-signed certificates:

	CAfile=/etc/pki/CA/private/ca.crt
	verify=3
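As an added example that is not part of this wiki page or of stunnel, a small Python stand-in for the stunnel client service above: it parses the [facultyproxy] section, builds the TLS context that the CAfile/verify options imply, and relays local plain-text connections to the proxy over TLS. It only models the CA chain and hostname check; stunnel's own verify=3 additionally requires the peer certificate itself to be installed locally. All function names and the sample configuration text are assumptions.

```python
import socket, ssl, threading

def parse_stunnel_services(text):
    """Parse the [service] sections of stunnel.conf-style text into dicts."""
    services, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in ";#":
            continue                      # blank line or comment
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            services[current] = {}
        elif "=" in line and current is not None:  # global options are skipped
            key, _, value = line.partition("=")
            services[current][key.strip()] = value.strip()
    return services

def requires_ca_verification(service):
    """stunnel checks the proxy's certificate chain only with a CA and verify>=2."""
    return ("CAfile" in service or "CApath" in service) and int(service.get("verify", "0")) >= 2

def build_client_context(service):
    """With CA+verify the proxy cert must chain to our CA; without, the tunnel is MITM-able."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
    if requires_ca_verification(service):
        ctx.load_verify_locations(service.get("CAfile"), service.get("CApath"))
    else:
        ctx.check_hostname = False  # must be cleared before dropping verify_mode
        ctx.verify_mode = ssl.CERT_NONE  # encrypted but unauthenticated
    return ctx

def pump(src, dst):  # copy one direction until EOF or error, then close both ends
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        src.close(); dst.close()

def serve(service):
    """Accept plain-text browser connections on accept= and relay them over TLS."""
    host, _, port = service["connect"].rpartition(":")
    ctx = build_client_context(service)
    with socket.create_server(("127.0.0.1", int(service["accept"]))) as lsock:
        while True:
            client, _ = lsock.accept()
            upstream = ctx.wrap_socket(socket.create_connection((host, int(port))), server_hostname=host)
            for a, b in ((client, upstream), (upstream, client)):
                threading.Thread(target=pump, args=(a, b), daemon=True).start()
```

Start it with serve(parse_stunnel_services(open('/etc/stunnel/stunnel.conf').read())['facultyproxy']) and point the browser at localhost:8080, as with stunnel.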