Hi,
A transparent HTTPS proxy has some limitations:
1. For HTTP there is no problem, but HTTPS is more complicated, and today the majority of traffic is HTTPS.
2. A transparent proxy works as a man-in-the-middle, so you have to import the autogenerated CA certificate on each computer and in each browser.
3. WhatsApp Web does not validate the QR code through Squid.
I think you can adapt it for use with IPFW
Good luck!
If someone knows a better way, please explain it to us. Meanwhile, in case it is useful, my configuration is below (note that it uses PF and Squid-cache, with IPv4 and IPv6 working):
Squid-cache server IPs: internal 172.16.1.1/16 and fc00::1:1/7; external (changed) 181.143.98.123 and 2800:e7:a8:6123::3
Squid-cache + HTTPS
Requirements:
Squid-cache must be built with PF support
Used manuals:
http://wiki.squid-cache.org/CategoryConfigExample
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpWithIntermediateCA
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
https://www.ssltrust.com.au/blog/setup-squid-proxy
Edit it with the necessary values
# edit /usr/local/etc/squid/squid.conf
It looks like this
Code:
# egrep -v '#|^ *$' /usr/local/etc/squid/squid.conf
# Only 443 counts as an SSL port; CONNECT to any other port is refused below.
acl SSL_ports port 443
acl CONNECT method CONNECT
# NOTE(review): Safe_ports and localnet are referenced here but not defined in this
# listing (the egrep only drops comments and blank lines). Confirm they are defined,
# otherwise Squid refuses to start with an undefined-ACL error.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all
# Explicit (forward-proxy) listeners: loopback and the internal addresses only.
http_port 127.0.0.1:3128
http_port 172.16.1.1:3128
http_port [::1]:3128
http_port [fc00::1:1]:3128
# Intercept listeners. No key= is given, so the CA private key must be inside
# myCA.pem together with the certificate. Port 3129 is for redirected plain-HTTP
# traffic; the pf.conf excerpt in this post only redirects port https to 3130, so
# 3129 stays unused unless a port 80 rdr rule is added.
http_port 172.16.1.1:3129 ssl-bump intercept \
cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
http_port [fc00::1:1]:3129 ssl-bump intercept \
cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
https_port 172.16.1.1:3130 ssl-bump intercept \
cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
https_port [fc00::1:1]:3130 ssl-bump intercept \
cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
# NOTE(review): Squid 4 renamed this helper to security_file_certgen; check which
# one your build ships.
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /usr/local/etc/squid/ssl_db -M 4MB
# Bump everything: peek at the ClientHello in step 1, then stare and bump. There is
# no splice rule, so sites that pin certificates or use client certificates will
# break instead of passing through; add "ssl_bump splice <acl>" before "bump all"
# for those.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump stare all
ssl_bump bump all
always_direct allow all
# SECURITY: the next two directives disable validation of the origin server's
# certificate. Squid accepts any certificate (expired, self-signed, wrong hostname)
# and, with generate-host-certificates=on, re-issues it under the locally trusted CA,
# so browsers behind the proxy can no longer detect a forged or mis-issued origin
# certificate. Drop them for production use and handle specific broken sites with a
# narrow sslproxy_cert_error ACL instead.
sslproxy_cert_error allow all
# NOTE(review): sslproxy_flags was replaced by "tls_outgoing_options flags=..." in
# Squid 4; newer versions reject this line.
sslproxy_flags DONT_VERIFY_PEER
# Outbound connections leave from the external addresses.
tcp_outgoing_address 181.143.98.123
tcp_outgoing_address 2800:e7:a8:6123::3
cache_dir ufs /var/squid/cache 1000 16 256
coredump_dir /var/squid/cache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
# access.log records every proxied request, including bumped HTTPS URLs; restrict
# who can read it.
access_log daemon:/var/log/squid/access.log squid
visible_hostname my.cutekittens.com
cache_mgr support@cutekittens.com
Copy the sample file
# cp /etc/ssl/openssl.cnf /usr/local/etc/squid/ssl_cert
Edit it with the necessary values
# edit /usr/local/etc/squid/ssl_cert/openssl.cnf
It looks like this
Code:
# egrep -v '#|^ *$' /usr/local/etc/squid/ssl_cert/openssl.cnf
...
countryName = Country Name (2 letter code)
countryName_default = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Florida
localityName = Locality Name (eg, city)
localityName_default = Miami
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Cute Kittens
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Systems
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = my.cuteKittens.com
commonName_max = 64
emailAddress = Email Address
emailAddress_default = support@cutekittens.com
...
Create the self-signed CA certificate for the Squid server
# NOTE: -keyout is relative (myCA.pem in the current directory) while -out is absolute.
# Run this from /usr/local/etc/squid/ssl_cert, or give -keyout the same absolute path,
# so key and certificate land in the one file that squid.conf's cert= points to (no
# key= is given there). -nodes leaves the CA key unencrypted: keep it under the 700
# permissions set below and never copy myCA.pem to clients (use the .der export).
# openssl req -new -newkey rsa:2048 -sha256 -days 36500 -nodes -x509 -extensions v3_ca -keyout myCA.pem -out /usr/local/etc/squid/ssl_cert/myCA.pem -config /usr/local/etc/squid/ssl_cert/openssl.cnf
Note:
The value 36500 is in days, i.e. about 100 years.
Generate DH parameters for modern DH/EDH cipher suites
# openssl dhparam -outform PEM -out /usr/local/etc/squid/ssl_cert/dhparam.pem 2048
Create a DER-encoded certificate to import into users' browsers
# x509 writes only the certificate, so the CA private key inside myCA.pem stays on
# the proxy; distribute myCA.der only.
# openssl x509 -in /usr/local/etc/squid/ssl_cert/myCA.pem -outform DER -out /usr/local/etc/squid/ssl_cert/myCA.der
Adjust permissions
# chown -R squid:squid /usr/local/etc/squid/ssl_cert
# chmod -R 700 /usr/local/etc/squid/ssl_cert
Create and initialize the SSL certificate cache directory
Code:
# /usr/local/libexec/squid/ssl_crtd -c -s /usr/local/etc/squid/ssl_db
Initialization SSL db...
Done
Adjust permissions
Code:
# chown -R squid:squid /usr/local/etc/squid/ssl_db
# chmod -R 700 /usr/local/etc/squid/ssl_db
Note:
To generate new certificates, first delete the existing ones:
Code:
# rm -f /usr/local/etc/squid/ssl_cert/*.pem
# rm -f /usr/local/etc/squid/ssl_cert/*.der
# rm -Rf /usr/local/etc/squid/ssl_db
Import this certificate into the client browsers:
/usr/local/etc/squid/ssl_cert/myCA.der
# edit /etc/pf.conf
Code:
#-------------------------------------------------------------------------------
# (5) PF: Network Address Translation (NAT) and Packet Redirection
#-------------------------------------------------------------------------------
# Internet (NAT IPv4 = yes | NAT IPv6 = yes)
nat on $ext_if inet from any to any -> $ext_ipv4
nat on $ext_if inet6 from any to any -> $ext_ipv6
#=================== SQUID =====================================
# PRECAUTION IN TESTING!
# Intercept HTTPS (port 443) connections for SSL-Bump.
# Only port https arriving on $int_if is redirected, to the https_port 3130
# intercept listeners from squid.conf. Because the match is on $int_if, Squid's
# own outbound connections (which leave via $ext_if) should not be looped back
# into the proxy. Plain HTTP (port 80) is not intercepted by these rules; if it
# should be, add matching rdr lines to port 3129. Unlike a plain rdr, "rdr pass"
# lets the redirected packets skip the filter rules, so any policy for this
# traffic has to live in Squid's http_access rules.
rdr pass on $int_if inet proto tcp from any to port https \
-> 172.16.1.1 port 3130
rdr pass on $int_if inet6 proto tcp from any to port https \
-> fc00::1:1 port 3130
#=================== SQUID =====================================