Solved Routing protocol - limited site lookup

Are there any resources or tutorials for setting up certificates with squid to intercept HTTPS traffic as a man in the middle on a separate FreeBSD Box acting as a router, because I don't know enough about squid and setting up a certificate to intercept and filter HTTPS
Have a look at the following 2 posts:
 
I still have a hard time even getting squid to show even an error page int the browser which means things are not being routed correctly? maybe I need to figure out a iptables forwarding scheme instead of using PF?
maybe this project is not feasible for me...? I need help just blocking/denying a http page with a squid proxy.
Code:
                                                                               +-------------+
                                                                               |PACKET       |
                                                                               |S:192.168.1.5|
                             +----------+    FREEBSD ROUTER: 192.168.1.5       |D:72.1.1.2   | +ROUTER2:192.168.1.1+
                             |PACKET    |   +--------------------------------+---------------->|                   |--->INTERNET
                             |S:10.x.x.x|   | NAT plus Squid Proxy Server    |<----------------|                   |
+----------+ REQ 72.1.1.2:80 |D:72.1.1.2|   | S:10.x.x.x -->   10.x.x.x      | |PACKET       | +-------------------+
| CLIENT   |------------------------------->| D:72.1.1.2 rdr-->10.x.x.x:3130 | |S:192.168.1.1|
| 10.x.x.x |                                 +-------------------------------+ |D:192.168.1.5|
|          |<---------------------------+---| S:72.1.1.2 <-- 192.168.1.1     | +-------------+
+----------+                 |PACKET    |   | D:10.x.x.x <-- 192.168.1.5     |
                             |S:72.1.1.2|   +--------------------------------+
                             |D:10.x.x.x|
                             +----------+
squid.conf
Code:
shutdown_lifetime       0 seconds

shutdown_lifetime       0 seconds

acl manager             proto cache_object
acl localnet src 0.0.0.1-0.255.255.255 
acl localnet src 10.0.0.0/8
#acl localnet        src 192.168.1.0/24
#acl localnet src 10.191.135.0/24
#acl localnet src 192.168.1.0/24
acl port_443        port 443
acl ports_80_443    port 80 443
acl CONNECT        method CONNECT
acl example_sites dstdomain "/etc/bad_domains.txt"
acl bad dstdomain .google.com
visible_hostname 10.191.135.1


#http_access        deny bad
#http_access        deny example_sites
#http_access        allow localhost manager
#http_access        deny manager
http_access        deny !ports_80_443
http_access        deny CONNECT !port_443
#http_access        deny to_localhost
http_access        allow localnet

http_access        deny all
#http_access allow all

http_port        localhost:3127
#http_port        192.168.1.35:3127
http_port        10.191.135.1:3128 intercept
#http_port        3128 intercept
#https_port         10.191.135.1:3129 intercept ssl-bump generate-host-certificates=on cert=/usr/local/etc/squid/proxyCA.pem options=NO_SSL_v2
https_port        127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on cert=/usr/local/etc/squid/proxyCA.pem options=NO_SSL_v2

acl step1        at_step SslBump1
ssl_bump        peek step1
ssl_bump        bump port_443

sslcrtd_program            /usr/local/libexec/squid/security_file_certgen -s /usr/local/etc/squid/ssl_db -M 4MB
sslcrtd_children    8 startup=3 idle=1

cache_mem        512 MB
cache_dir        aufs /var/squid/cache 10000 16 256
coredump_dir            /var/squid/cache

refresh_pattern        -i (/cgi-bin/|\?)  0    0%    0
refresh_pattern        .                  0   20% 4320

tls_outgoing_options    cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
tls_outgoing_options    cafile=/etc/ssl/cert.pem
tls_outgoing_options    options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

pf1.conf
Code:
ext_if="wlan0"
int_if="em0"

icmp_types = "echoreq"


set block-policy return
set loginterface $ext_if
#set skip on lo0
scrub in all


#nat on $ext_if inet from $int_if:network to any -> ($ext_if)
rdr pass inet proto tcp from 10.191.135.0/24 to any port 80 -> 10.191.135.1 port 3128
rdr pass inet proto tcp from 10.191.135.0/24 to any port 443 -> 10.191.135.1 port 3129
#rdr pass inet proto tcp from 10.191.135.1 to 10.191.135.36 -> 10.191.135.36 port 80
nat on $ext_if inet from $int_if:network to any -> ($ext_if)

block in
pass quick on lo0 all
pass in quick on $int_if
pass in quick on $ext_if
pass out keep state

# allow local squid connections
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state

# allow access to www
pass in on $int_if inet proto tcp from any to any port www keep state

# allow ping
pass in inet proto icmp all icmp-type $icmp_types keep state

# allow all trafic from internal network to internal interface
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# allow all trafic out via external interface
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass in  on $ext_if inet proto gre to $ext_if keep state

rc.conf
Code:
zfs_enable="YES"
clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
hostname="ampshock.com"
ipv6_activate_all_interfaces="YES"
moused_enable="YES"
hald_enabla="YES"
dbus_enable="YES"
#ifconfig_em0="DHCP -lro -tso"
#ifconfig_em0_ipv6="inet6 accept_rtadv"
#rtsold_enable="YES"
wlans_ath0="wlan0"
#create_args_wlan0="wlanmode hostapd"
#ifconfig_wlan0="inet 10.191.135.1 netmask 255.255.255.0 ssid UPLAND8 mode 11g channel 1"
#hostapd_enable="YES"
ifconfig_wlan0="WPA SYNCDHCP"
ifconfig_em0="inet 10.191.135.1 netmask 255.255.255.0"
dhcpd_ifaces="em0"
dhcpd_enable="YES"
dhcpd_ifaces="em0"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
#local_unbound_enable="YES"
gateway_enable="YES"
linux_enable="YES"
powerd_enable="YES"
dumpdev="NO"
pf_enable="YES"
pf_rules="/etc/pf1.conf"
pf_program="/sbin/pfctl"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
ntpd_enable="YES"
darkstat_enable="YES"
darkstat_interface="em0"
vnstat_enable="YES"
#squid_enable="YES"
#ifconfig_wlan0="WPA SYNCDHCP"

dhcpd.conf
Code:
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#

# option definitions common to all supported networks...
option domain-name "ampshock.router.com";
option domain-name-servers 208.67.222.222 ,209.244.0.3 ,156.154.70.1;

option subnet-mask 255.255.255.224;
default-lease-time 14400;
max-lease-time 86400;
subnet 10.191.135.0 netmask 255.255.255.0 {
   range 10.191.135.31 10.191.135.100;
   option routers 10.191.135.1;
}

please I need some help! I feel like I'm close but that only counts in horseshoes and hand-grenades

unname -a

FreeBSD ampshock.com 12.0-RELEASE-p1 FreeBSD 12.0-RELEASE-p1 #1 r342750M: Thu Jan 3 22:12:38 EST 2019 root@ampshock.router.com:/usr/obj/usr/src/amd64.amd64/sys/ALEX amd64

squid -v
Squid Cache: Version 4.5
Service Name: squid
 
Last edited:
I finally got PF to work with Squid and I was able to setup the transparent proxy with HTTP and HTTPS! I would like to thank Christ Jesus and all the people who helped motivate me. I would also like to thank for the help on this forum,thanks to VladiBG, and Obsigna, and SirDice, and KPA, and jpierri.

here is a sample of my configuration file for squid only:
Code:
shutdown_lifetime 0 seconds
acl manager proto cache_object

acl localnet src 0.0.0.1-0.255.255.255

acl localnet src 10.0.0.0/8

acl port_443 port 443

acl ports_80_443 port 80 443

acl CONNECT method CONNECT

acl good_sites dstdomain '/usr/local/etc/squid/squid_good'

acl bad_sites dstdomain '/usr/local/etc/squid/bad_d'

visible_hostname ampshock.router.com

http_access allow good_sites

http_access deny bad_sites

http_access allow localhost manager

http_access deny manager

http_access deny !ports_80_443

http_access deny CONNECT !port_443

http_access deny to_localhost

http_access allow localnet


http_access deny all

#http_access allow all



http_port 3128

http_port 3129 intercept

https_port 3130 intercept ssl-bump generate-host-certificates=on cert=/usr/local/etc/squid/proxyCA.pem options=NO_SSL_v2



acl step1 at_step SslBump1

ssl_bump peek step1

ssl_bump bump port_443



sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /usr/local/etc/squid/ssl_db -M 4MB

sslcrtd_children 8 startup=3 idle=1



cache_mem 512 MB

cache_dir aufs /var/squid/cache 10000 16 256

coredump_dir /var/squid/cache



refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

refresh_pattern . 0 20% 4320



tls_outgoing_options cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:

EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:

!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS

tls_outgoing_options cafile=/etc/ssl/cert.pem

tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
 
Thinking of pi-hole, how can one combine it with squid/e2guardian in order enjoy the benefits of both worlds?
 
Back
Top