IPFW Transparent proxy squid

Hi,

Transparent HTTPS proxies have some limitations...

1. For HTTP there is no problem, but for HTTPS it is more complicated, and currently the majority of traffic is HTTPS.
2. A transparent proxy works as a man in the middle, so you have to import the autogenerated certificate on each computer and in each browser.
3. WhatsApp Web does not validate the QR code through Squid.

I think you can adapt it for use with IPFW
Good luck!

If someone knows a better way, please explain it to us; meanwhile, if it is useful to you, here is my configuration (please note that it uses PF and Squid-cache, with IPv4 and IPv6 working):

Squid-cache server IPs: internal 172.16.1.1/16 and fc00::1:1/7; external (changed) 181.143.98.123 and 2800:e7:a8:6123::3

Squid-cache + HTTPS

Requirements:
Squid-cache must have support for PF

Used manuals:
http://wiki.squid-cache.org/CategoryConfigExample
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpWithIntermediateCA
http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
https://www.ssltrust.com.au/blog/setup-squid-proxy

Edit it with the necessary values
# edit /usr/local/etc/squid/squid.conf

It looks like this
Code:
# egrep -v '#|^ *$' /usr/local/etc/squid/squid.conf
# NOTE: this egrep filter also hides every directive that carries an inline
# comment, e.g. the default "acl Safe_ports port 443  # https" and
# "acl localnet src ..." lines, so those ACLs are defined in the real file
# even though they do not appear below.
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all
# Explicit (forward) proxy ports
http_port 127.0.0.1:3128
http_port 172.16.1.1:3128
http_port [::1]:3128
http_port [fc00::1:1]:3128
# Intercept ports for plain HTTP (note: the PF rules below redirect only port 443,
# so nothing reaches 3129 unless a matching rdr rule for port 80 is added)
http_port 172.16.1.1:3129 ssl-bump intercept \
        cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
        dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
http_port [fc00::1:1]:3129 ssl-bump intercept \
        cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
        dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
# Intercept ports for HTTPS (port 443 is redirected here by the PF rdr rules below)
https_port 172.16.1.1:3130 ssl-bump intercept \
        cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
        dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
https_port [fc00::1:1]:3130 ssl-bump intercept \
        cert=/usr/local/etc/squid/ssl_cert/myCA.pem \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
        dhparams=/usr/local/etc/squid/ssl_cert/dhparam.pem
# Squid 3.5 certificate generator helper (called security_file_certgen in Squid 4)
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /usr/local/etc/squid/ssl_db -M 4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump stare all
ssl_bump bump all
always_direct allow all
# WARNING: the next two lines make Squid accept ANY upstream certificate
# (expired, wrong name, unknown CA), so clients behind the proxy lose all
# server authentication. Acceptable only while testing.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
tcp_outgoing_address 181.143.98.123
tcp_outgoing_address 2800:e7:a8:6123::3
cache_dir ufs /var/squid/cache 1000 16 256
coredump_dir /var/squid/cache
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
access_log daemon:/var/log/squid/access.log squid
visible_hostname my.cutekittens.com
cache_mgr support@cutekittens.com

Copy the sample file
# cp /etc/ssl/openssl.cnf /usr/local/etc/squid/ssl_cert

Edit it with the necessary values
# edit /usr/local/etc/squid/ssl_cert/openssl.cnf

It looks like this
Code:
# egrep -v '#|^ *$' /usr/local/etc/squid/ssl_cert/openssl.cnf
...
countryName                     = Country Name (2 letter code)
countryName_default             = US
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Florida
localityName                    = Locality Name (eg, city)
localityName_default            = Miami
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Cute Kittens
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Systems
commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_default              = my.cuteKittens.com
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_default            = support@cutekittens.com
...

Create a self-signed certificate for the Squid server

# openssl req -new -newkey rsa:2048 -sha256 -days 36500 -nodes -x509 -extensions v3_ca \
    -keyout /usr/local/etc/squid/ssl_cert/myCA.pem -out /usr/local/etc/squid/ssl_cert/myCA.pem \
    -config /usr/local/etc/squid/ssl_cert/openssl.cnf

Note:
The value 36500 = 100 years
(-keyout and -out must name the same file: openssl then appends the certificate to the key, and the cert= option in squid.conf expects both in that one PEM file. With a bare "-keyout myCA.pem" the key would land in the current directory instead.)

DH parameters for modern DH/EDH ciphers

# openssl dhparam -outform PEM -out /usr/local/etc/squid/ssl_cert/dhparam.pem 2048

Create a DER-encoded certificate to import into users' browsers

# openssl x509 -in /usr/local/etc/squid/ssl_cert/myCA.pem -outform DER -out /usr/local/etc/squid/ssl_cert/myCA.der


Adjust permissions
# chown -R squid:squid /usr/local/etc/squid/ssl_cert
# chmod -R 700 /usr/local/etc/squid/ssl_cert

Create and initialize the SSL certificate cache directory
Code:
# /usr/local/libexec/squid/ssl_crtd -c -s /usr/local/etc/squid/ssl_db
Initialization SSL db...
Done

Adjust permissions
Code:
# chown -R squid:squid /usr/local/etc/squid/ssl_db
# chmod -R 700 /usr/local/etc/squid/ssl_db
Note:
To create new certificates, delete the old ones first
Code:
# rm -f /usr/local/etc/squid/ssl_cert/*.pem
# rm -f /usr/local/etc/squid/ssl_cert/*.der
# rm -Rf /usr/local/etc/squid/ssl_db
Import the certificate into client browsers
/usr/local/etc/squid/ssl_cert/myCA.der

# edit /etc/pf.conf
Code:
#-------------------------------------------------------------------------------
# (5) PF: Network Address Translation (NAT) and Packet Redirection
#-------------------------------------------------------------------------------

# Internet (NAT IPv4 = yes | NAT IPv6 = yes)
nat on $ext_if inet  from any to any -> $ext_ipv4
nat on $ext_if inet6 from any to any -> $ext_ipv6

#=================== SQUID =====================================

# PRECAUTION IN TESTING!

# Intercept HTTPS CONNECT messages with SSL-Bump
# Redirects port 443 from the internal interface to the Squid https_port
# intercept listeners. Only 443 is redirected here; plain HTTP on port 80
# is not sent to the 3129 intercept ports defined in squid.conf.
rdr pass on $int_if inet  proto tcp from any to port https \
    -> 172.16.1.1 port 3130
rdr pass on $int_if inet6 proto tcp from any to port https \
    -> fc00::1:1 port 3130
#=================== SQUID =====================================
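The CA generation, DER export and permission steps of the post above, gathered into one script as an added example for this edit; it is not the post author's own commands. It uses the same subject values as the openssl.cnf shown above, writes key and certificate into a single PEM file as Squid's cert= option needs, and adds the checks a practitioner would run before handing the DER file to users: that the PEM holds both key and certificate, that the two belong together, that the certificate is actually a CA, and its SHA-256 fingerprint to publish out of band so users can compare before importing. The directory argument, the "generate" guard and the 3650-day validity are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build the SSL-Bump signing CA for Squid
# with key and certificate in ONE PEM file, export DER for browsers, and verify
# the result. Subject values mirror the openssl.cnf above; paths are assumptions.
set -eu

# make_squid_ca DIR DAYS -> DIR/myCA.pem (key + cert) and DIR/myCA.der
make_squid_ca() {
    dir=$1; days=$2
    mkdir -p "$dir"
    # Minimal equivalent of the edited openssl.cnf: fixed subject, CA extensions.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name   = dn
x509_extensions      = v3_ca
prompt               = no
[ dn ]
C  = US
ST = Florida
L  = Miami
O  = Cute Kittens
OU = Systems
CN = my.cutekittens.com
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # openssl appends the certificate to the key only when -keyout and -out are
    # the same string; a relative keyout with an absolute out splits them.
    openssl req -new -newkey rsa:2048 -sha256 -days "$days" -nodes -x509 \
        -extensions v3_ca -config "$dir/ca.cnf" \
        -keyout "$dir/myCA.pem" -out "$dir/myCA.pem" 2>/dev/null
    chmod 600 "$dir/myCA.pem"
    # DER copy for browser import; it carries no private key, so it may be readable.
    openssl x509 -in "$dir/myCA.pem" -outform DER -out "$dir/myCA.der"
    chmod 644 "$dir/myCA.der"
}

# make_dhparam DIR BITS -> DIR/dhparam.pem for the dhparams=/tls-dh= port option (slow)
make_dhparam() {
    openssl dhparam -outform PEM -out "$1/dhparam.pem" "$2" 2>/dev/null
}

# pem_has_key_and_cert FILE -> true if FILE holds both a private key and a certificate
pem_has_key_and_cert() {
    grep -q 'BEGIN.*PRIVATE KEY' "$1" && grep -q 'BEGIN CERTIFICATE' "$1"
}

# key_matches_cert FILE -> true if the private key's public half equals the cert's
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)
    [ "$k" = "$c" ]
}

# is_ca_cert FILE -> true if the certificate asserts CA:TRUE (required to sign host certs)
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# ca_fingerprint FILE -> SHA-256 fingerprint users compare against before importing
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage (assumed paths): sh make_ca.sh generate
if [ "${1:-}" = "generate" ]; then
    SSL_DIR=/usr/local/etc/squid/ssl_cert
    make_squid_ca "$SSL_DIR" 3650
    make_dhparam "$SSL_DIR" 2048
    pem_has_key_and_cert "$SSL_DIR/myCA.pem"
    key_matches_cert "$SSL_DIR/myCA.pem"
    is_ca_cert "$SSL_DIR/myCA.pem"
    echo "Publish this fingerprint: $(ca_fingerprint "$SSL_DIR/myCA.pem")"
fi
```

Run it as root with the "generate" argument after editing SSL_DIR; the chown -R squid:squid step from the post still applies afterwards, and the fingerprint line is what you hand to users alongside myCA.der.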
 
angelvg, the default version of www/squid changed from 3.5 to 4.1 just a few days ago, and some SSL-related options are different from those of the older Squid versions. It is worth upgrading to Squid 4 because it does load the intermediate certificates that Mozilla's sometimes incomplete root CA store lacks, and so Squid 4.1 would automagically resolve a lot of SSL connection problems.

Except for test purposes, I would not suggest ignoring any SSL cert errors. You need to specify the path to the system's CA store. For this we usually install the port security/ca_root_nss, which places a symbolic link to the trusted CAs at /etc/ssl/cert.pem.

Here is my squid.conf, which works with Squid v4.1:
Code:
shutdown_lifetime       0 seconds

acl manager             proto cache_object
acl localnet            src 192.168.1.0/24
acl port_443            port 443
acl ports_80_443        port 80 443
acl CONNECT             method CONNECT

http_access             allow localhost manager
http_access             deny manager
http_access             deny !ports_80_443
http_access             deny CONNECT !port_443
http_access             deny to_localhost
http_access             allow localnet
http_access             deny all

# Explicit proxy ports (clients configured to use them directly)
http_port               localhost:3127
http_port               192.168.1.35:3127
# Intercept ports on loopback; the ipfw fwd rules below deliver port 80/443 traffic here
http_port               127.0.0.1:3128 intercept
https_port              127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on cert=/usr/local/etc/squid/proxy-certs/proxy-ca.pem tls-dh=/usr/local/etc/squid/proxy-certs/dhparam.pem

acl step1               at_step SslBump1
ssl_bump                peek step1
ssl_bump                bump port_443

# Squid 4 name of the certificate generator helper (ssl_crtd in Squid 3.5)
sslcrtd_program         /usr/local/libexec/squid/security_file_certgen -s /usr/local/etc/squid/dyn-certs -M 4MB
sslcrtd_children        8 startup=3 idle=1

cache_mem               512 MB
cache_dir               aufs /var/squid/cache 10000 16 256
coredump_dir            /var/squid/cache

refresh_pattern         -i (/cgi-bin/|\?)  0    0%    0
refresh_pattern         .                  0   20% 4320

# Upstream TLS: restricted cipher list, server certificates verified against
# the system CA bundle from security/ca_root_nss, SSLv3 disabled
tls_outgoing_options    cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
tls_outgoing_options    cafile=/etc/ssl/cert.pem
tls_outgoing_options    options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
My transparent proxy rules for ipfw(8) are:
Code:
# Transparent HTTP(S) Proxy - Squid
# fwd hands the packets to the local Squid intercept ports without rewriting
# the destination address, which the intercept ports rely on to learn the
# original server. Only the listed client addresses are diverted.
/sbin/ipfw -q add 80 fwd 127.0.0.1,3128 tcp from 192.168.1.3,192.168.1.5,192.168.1.7,192.168.1.8,192.168.1.9 to any 80
/sbin/ipfw -q add 81 fwd 127.0.0.1,3129 tcp from 192.168.1.3,192.168.1.5,192.168.1.7,192.168.1.8,192.168.1.9 to any 443
The above rules forward only the traffic of certain clients via the proxy.
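The point made in the post above (do not ignore upstream certificate errors outside of testing; point Squid at the system CA store) turned into a pre-reload check, as an added example written for this edit rather than anything posted in the thread. The function greps a squid.conf for the three settings that would let the bumping proxy accept any forged upstream certificate: `sslproxy_cert_error allow all`, `sslproxy_flags DONT_VERIFY_PEER`, and an ssl-bump port with no CA bundle (`tls_outgoing_options cafile=` in Squid 4, `sslproxy_cafile` in 3.5). The two sample configs it writes are constructed for the demonstration, reduced from the two configurations posted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): refuse to reload a squid.conf whose
# SSL-Bump setup disables upstream certificate validation. Directive names are
# real Squid 3.5/4 directives; the sample configs are constructed for this demo.
set -eu

# squid_tls_check FILE -> prints one line per finding; returns 0 only if none
squid_tls_check() {
    conf=$1
    n=0
    # Squid treats '#' as a comment anywhere on a line; drop comments and blanks first.
    body=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$conf")

    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*sslproxy_cert_error[[:space:]]+allow[[:space:]]+all'; then
        echo "sslproxy_cert_error allow all: every upstream certificate error is ignored"
        n=$((n + 1))
    fi
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*sslproxy_flags.*DONT_VERIFY_PEER'; then
        echo "sslproxy_flags DONT_VERIFY_PEER: upstream certificate chain is never verified"
        n=$((n + 1))
    fi
    if printf '%s\n' "$body" | grep -Eq '^[[:space:]]*https?_port.*ssl-bump' \
       && ! printf '%s\n' "$body" | grep -Eq '^[[:space:]]*(tls_outgoing_options.*cafile=|sslproxy_cafile[[:space:]])'; then
        echo "ssl-bump port without a CA bundle: add tls_outgoing_options cafile= (Squid 4) or sslproxy_cafile (3.5)"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# write_samples DIR -> DIR/unsafe.conf (constructed, reduced from the Squid 3.5 config)
#                      DIR/safe.conf   (constructed, reduced from the Squid 4.1 config)
write_samples() {
    cat > "$1/unsafe.conf" <<'EOF'
https_port 172.16.1.1:3130 ssl-bump intercept cert=/usr/local/etc/squid/ssl_cert/myCA.pem
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslproxy_cert_error allow all     # testing leftover
sslproxy_flags DONT_VERIFY_PEER
EOF
    cat > "$1/safe.conf" <<'EOF'
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on cert=/usr/local/etc/squid/proxy-certs/proxy-ca.pem
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump port_443
tls_outgoing_options cafile=/etc/ssl/cert.pem
tls_outgoing_options options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
EOF
}

# Usage: sh squid_tls_check.sh /usr/local/etc/squid/squid.conf && squid -k reconfigure
if [ "${1:-}" != "" ] && [ -f "$1" ]; then
    squid_tls_check "$1"
fi
```

The exit status is the point: chain it in front of `squid -k reconfigure` (or the rc script) so a testing leftover such as `sslproxy_cert_error allow all` never goes live. The check deliberately looks at the directives only, not at whether /etc/ssl/cert.pem exists; that part is covered by installing security/ca_root_nss as described above.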
 
Thanks, obsigna, for the information. I have not been able to update my Squid-cache; I'm still on an older FreeBSD...

FreeBSD 10.2-RELEASE-p28 and squid-3.5.23

I'll keep this in mind when I can update, thanks.
 
I got it working by doing:
Code:
http_port 3128 ssl-bump \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=4MB \
  cert=/usr/local/etc/squid/ssl/ca.pem \
  tls-dh=/usr/local/squid/etc/ssl/dhparam.pem

I am not doing transparent interception, instead I explicitly set the proxy for the network.
 