Hello guys,
Excuse me for posting this in the FreeBSD forum; this post concerns the deployment of "squid/squidGuard" with SSL bumping on OpenBSD.
When I restart the squid service, I cannot browse using the port 3129 proxy configuration in my browser, and even if I set the same https/http port to 3128, it does not ask me to install the client certificate.
So, it seems that squid on OpenBSD does not bump SSL as it does in FreeBSD. Yes, you can delete this post if you want; the reason I ask here is that there is no forum for OpenBSD where I can ask.
Here is my config:
Code:
## /etc/squid.conf
visible_hostname uc1.test.lan
cache_mgr support@test.lan
acl localnet src 192.186.110.0/23
acl Nekki src 127.0.0.0/8
acl SSL_ports port 80 443 # SSL (https)
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access allow Nekki
http_access allow to_localhost
http_access deny to_linklocal
http_access deny all
http_port 3128
https_port 3129 intercept ssl-bump cert=/var/squid/key/squidCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/libexec/squid/security_file_certgen -s /var/squid/db -M 4MB
sslcrtd_children 4 startup=1 idle=1
tls_outgoing_options cafile=/var/squid/key/cacert.pem
url_rewrite_program /usr/local/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_bypass off
url_rewrite_children 8 startup=4 idle=4 concurrency=0
forward_max_tries 25
ssl_bump server-first all
sslproxy_cert_error allow all
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump SSL_ports
always_direct allow all
access_log /var/squid/logs/access.log combined #access_log none
cache_store_log /var/squid/logs/store.log #cache_store_log none
cache_log /var/squid/logs/cache.log #cache_log /dev/null
logfile_rotate 8 #logfile_rotate 0
cache_mem 128 MB
maximum_object_size 8 MB
maximum_object_size_in_memory 512 KB
cache_dir ufs /var/squid/cache 120 16 256
coredump_dir /var/squid/dump
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
And these are the two lines for pf:
Code:
pass in on $if_lan inet proto tcp from $if_lan:network to ($if_lan) port 3128
pass in on $if_lan inet proto tcp from $if_lan:network to ($if_lan) port 3129
I use OpenBSD 7.6, squid 6.13 built with openssl support (libressl).
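As an added example (not from the original post), a small Python lint that reads a squid.conf excerpt and flags two things that follow from Squid's access-rule semantics and matter for SSL bumping: an `ssl_bump` rule matching `all` placed ahead of more specific rules (first match wins, so the later rules never run), and an `https_port` marked `intercept`, which expects NAT-redirected connections rather than a browser's proxy settings. The sample config is a constructed excerpt in the style of the one above; `SAMPLE_CONF`, `parse_directives` and `lint_ssl_bump` are names chosen here.

```python
# Constructed squid.conf excerpt modelled on the post above (not the poster's exact file).
SAMPLE_CONF = """\
acl SSL_ports port 80 443
acl step1 at_step SslBump1
http_port 3128
https_port 3129 intercept ssl-bump cert=/var/squid/key/squidCA.pem
ssl_bump server-first all
ssl_bump peek step1
ssl_bump bump SSL_ports
"""


def parse_directives(text):
    """Return (directive, args) tuples, skipping blank lines and '#' comments."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out


def lint_ssl_bump(text):
    """Return a list of human-readable findings about SSL-bump configuration."""
    findings = []
    directives = parse_directives(text)
    bump_rules = [args for name, args in directives if name == "ssl_bump"]
    for i, args in enumerate(bump_rules):
        # Access lists are evaluated top to bottom and stop at the first match,
        # so a rule whose only ACL is 'all' makes every later ssl_bump rule dead.
        later = len(bump_rules) - i - 1
        if len(args) >= 2 and args[1:] == ["all"] and later > 0:
            findings.append(
                f"ssl_bump '{args[0]} all' at position {i + 1} shadows {later} later rule(s)"
            )
        # client-first/server-first are legacy actions kept for compatibility.
        if args and args[0] in ("client-first", "server-first"):
            findings.append(
                f"ssl_bump action '{args[0]}' is a legacy action; prefer peek/stare/bump/splice"
            )
    # An 'intercept' port receives NAT-redirected connections (e.g. via a pf rdr-to
    # rule); it is not an explicit proxy port a browser can be pointed at.
    for name, args in directives:
        if name in ("http_port", "https_port") and "intercept" in args:
            findings.append(
                f"{name} {args[0]} is an intercept port: it expects redirected traffic, "
                "not browser proxy settings"
            )
    return findings
```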