$ yay -S squid
# iptables -L -n -v | grep 3128
0 0 ACCEPT tcp -- * * 192.168.1.0/24 0.0.0.0/0 state NEW tcp dpt:3128
The process is described in detail in Dynamic SSL Certificate Generation and a nice configuration example is available at SSL-Bump using an intermediate CA. So first let's generate the certificate files:
$ openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout squid-ca-key.pem -out squid-ca-cert.pem
Then combine the files:
$ cat squid-ca-cert.pem squid-ca-key.pem >> squid-ca-cert-key.pem
Then move the file to a location squid can read:
# mkdir /etc/squid/certs
# mv squid-ca-cert-key.pem /etc/squid/certs/.
And you should be set with the install.
Here is the configuration I ended up with:
$ grep -vE '^$|^#' /etc/squid/squid.conf
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 ssl-bump \
cert=/etc/squid/certs/squid-ca-cert-key.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
https_port 3129 intercept ssl-bump \
cert=/etc/squid/certs/squid-ca-cert-key.pem \
generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
#sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 16MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
ssl_bump splice all
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_mem 64 MB
shutdown_lifetime 10 seconds
maximum_object_size 10 MB
cache_dir ufs /var/cache/squid 200000 16 256
Confirm the config is okay:
# squid -k parse
2018/04/07 15:13:06| Startup: Initializing Authentication Schemes ...
2018/04/07 15:13:06| Startup: Initialized Authentication Scheme 'basic'
2018/04/07 15:13:06| Startup: Initialized Authentication Scheme 'digest'
2018/04/07 15:13:06| Startup: Initialized Authentication Scheme 'negotiate'
2018/04/07 15:13:06| Startup: Initialized Authentication Scheme 'ntlm'
2018/04/07 15:13:06| Startup: Initialized Authentication.
2018/04/07 15:13:06| Processing Configuration File: /etc/squid/squid.conf (depth 0)
2018/04/07 15:13:06| Processing: acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
2018/04/07 15:13:06| Processing: acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
2018/04/07 15:13:06| Processing: acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
2018/04/07 15:13:06| Processing: acl localnet src fc00::/7 # RFC 4193 local private network range
2018/04/07 15:13:06| Processing: acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
2018/04/07 15:13:06| Processing: acl SSL_ports port 443
2018/04/07 15:13:06| Processing: acl Safe_ports port 80 # http
2018/04/07 15:13:06| Processing: acl Safe_ports port 21 # ftp
2018/04/07 15:13:06| Processing: acl Safe_ports port 443 # https
2018/04/07 15:13:06| Processing: acl Safe_ports port 70 # gopher
2018/04/07 15:13:06| Processing: acl Safe_ports port 210 # wais
2018/04/07 15:13:06| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2018/04/07 15:13:06| Processing: acl Safe_ports port 280 # http-mgmt
2018/04/07 15:13:06| Processing: acl Safe_ports port 488 # gss-http
2018/04/07 15:13:06| Processing: acl Safe_ports port 591 # filemaker
2018/04/07 15:13:06| Processing: acl Safe_ports port 777 # multiling http
2018/04/07 15:13:06| Processing: acl CONNECT method CONNECT
2018/04/07 15:13:06| Processing: http_access deny !Safe_ports
2018/04/07 15:13:06| Processing: http_access deny CONNECT !SSL_ports
2018/04/07 15:13:06| Processing: http_access allow localhost manager
2018/04/07 15:13:06| Processing: http_access deny manager
2018/04/07 15:13:06| Processing: http_access allow localnet
2018/04/07 15:13:06| Processing: http_access allow localhost
2018/04/07 15:13:06| Processing: http_access deny all
2018/04/07 15:13:06| Processing: http_port 3128 ssl-bump cert=/etc/squid/certs/squid-ca-cert-key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
2018/04/07 15:13:06| Processing: https_port 3129 intercept ssl-bump cert=/etc/squid/certs/squid-ca-cert-key.pem generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
2018/04/07 15:13:06| Starting Authentication on port [::]:3129
2018/04/07 15:13:06| Disabling Authentication on port [::]:3129 (interception enabled)
2018/04/07 15:13:06| Processing: sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 16MB
2018/04/07 15:13:06| Processing: acl step1 at_step SslBump1
2018/04/07 15:13:06| Processing: ssl_bump peek step1
2018/04/07 15:13:06| Processing: ssl_bump bump all
2018/04/07 15:13:06| Processing: ssl_bump splice all
2018/04/07 15:13:06| Processing: coredump_dir /var/spool/squid
2018/04/07 15:13:06| Processing: refresh_pattern ^ftp: 1440 20% 10080
2018/04/07 15:13:06| Processing: refresh_pattern ^gopher: 1440 0% 1440
2018/04/07 15:13:06| Processing: refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
2018/04/07 15:13:06| Processing: refresh_pattern . 0 20% 4320
2018/04/07 15:13:06| Initializing https proxy context
2018/04/07 15:13:06| Initializing http_port [::]:3128 SSL context
2018/04/07 15:13:06| Using certificate in /etc/squid/certs/squid-ca-cert-key.pem
2018/04/07 15:13:06| Initializing https_port [::]:3129 SSL context
2018/04/07 15:13:06| Using certificate in /etc/squid/certs/squid-ca-cert-key.pem
Make the cache directory:
# squid -z
Now let's create the SSL certificate database, making sure the squid user can access it:
# /usr/lib/squid/security_file_certgen -c -s /var/lib/ssl_db -M 4MB
Then enable the service, start it, and confirm it’s running:
# systemctl enable squid
# systemctl start squid
# systemctl status squid.service
● squid.service - Squid caching proxy
Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2018-04-04 15:08:15 MDT; 3 days ago
Process: 1404 ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF (code=exited, status=0/SUCCESS)
Process: 1378 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
Main PID: 1444 (squid)
CGroup: /system.slice/squid.service
├─1444 /usr/sbin/squid -f /etc/squid/squid.conf
├─1449 (squid-1) -f /etc/squid/squid.conf
├─1486 (ssl_crtd) -s /var/lib/ssl_db -M 16MB
├─1487 (ssl_crtd) -s /var/lib/ssl_db -M 16MB
├─1492 (ssl_crtd) -s /var/lib/ssl_db -M 16MB
├─1493 (ssl_crtd) -s /var/lib/ssl_db -M 16MB
├─1494 (ssl_crtd) -s /var/lib/ssl_db -M 16MB
└─1496 (logfile-daemon) /var/log/squid/access.log
Apr 04 15:08:15 m2.kar.int systemd[1]: Starting Squid caching proxy...
Apr 04 15:08:15 m2.kar.int squid[1444]: Squid Parent: will start 1 kids
Apr 04 15:08:15 m2.kar.int systemd[1]: Started Squid caching proxy.
Apr 04 15:08:15 m2.kar.int squid[1444]: Squid Parent: (squid-1) process 1449 started
Now as a quick test we can use curl to confirm it’s working. Without the CA, you will see the following warning:
$ curl --proxy 127.0.0.1:3128 https://google.com
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
So I copied the CA to the client machine, and then tried again:
$ curl --proxy http://192.168.1.100:3128 --cacert squid-ca-cert.pem https://google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
Now set up Firefox to use this proxy: Settings > General > Network Settings > Settings.
Open any site and you will see an SSL warning.
So we need to import the CA certificate and make sure you choose this certificate to validate websites: Settings > Browser privacy > Certificates > View Certificates.
Import the CA we created earlier.
Now go to some websites and check that it works.
After your browser is configured to use Squid as its proxy you can check the access log to confirm it is proxying the connections:
# tail -f /var/log/squid/access.log
1523141358.587 51 192.168.1.107 TAG_NONE/200 0 CONNECT clientservices.googleapis.com:443 - HIER_DIRECT/172.217.11.227 -
1523141358.587 47 192.168.1.107 TAG_NONE/200 0 CONNECT translate.googleapis.com:443 - HIER_DIRECT/172.217.11.234 -
1523141358.631 15 192.168.1.107 TCP_MISS/200 1563 GET https://translate.googleapis.com/translate_a/l? - HIER_DIRECT/172.217.11.234 application/json
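Reading these lines is the real check that bumping happens: a CONNECT entry tagged TAG_NONE is just the tunnel request, while a GET whose URL starts with https:// can only be logged if Squid bumped the session and saw the decrypted request (a spliced session leaves only the CONNECT line behind). The following shell example is added here and is not from the original post; it classifies constructed access.log lines in the same native format as above.

```shell
#!/bin/sh
# Added example (not from the original post): classify Squid access.log lines
# to confirm SSL-Bump is really decrypting traffic.
#   - CONNECT with TAG_NONE  -> the TLS tunnel request itself ("tunnel")
#   - GET/POST on https://   -> only possible if Squid bumped the session
#                                and saw the cleartext request ("bumped")
#   - anything else          -> plain HTTP ("plain")
# A spliced (not bumped) session leaves only the CONNECT line behind.
# Native log fields: time elapsed client code/status bytes method url user hier/peer type

# Print "<kind> <host> <code/status>" for every line of the log file given as $1.
classify_access_log() {
    awk '
        {
            method = $6; url = $7; host = url
            if (method == "CONNECT")      kind = "tunnel"
            else if (url ~ "^https://")   kind = "bumped"
            else                          kind = "plain"
            sub("^https?://", "", host)   # drop the scheme if present
            sub("[:/].*$", "", host)      # drop port and path
            print kind, host, $4
        }
    ' "$1"
}

# Number of requests Squid logged with a decrypted https:// URL.
count_bumped() {
    classify_access_log "$1" | grep -c '^bumped '
}

# Constructed sample log in Squid native format (documentation IPs, example hosts).
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
1523141358.587     51 192.168.1.107 TAG_NONE/200 0 CONNECT clientservices.example.net:443 - HIER_DIRECT/192.0.2.10 -
1523141358.631     15 192.168.1.107 TCP_MISS/200 1563 GET https://translate.example.net/translate_a/l? - HIER_DIRECT/192.0.2.11 application/json
1523141360.002     12 192.168.1.107 TCP_MISS/200 812 GET http://www.example.org/ - HIER_DIRECT/192.0.2.12 text/html
EOF

classify_access_log "$SAMPLE_LOG"
echo "bumped requests: $(count_bumped "$SAMPLE_LOG")"
```

Run it against the live file with `classify_access_log /var/log/squid/access.log | sort | uniq -c` to see how much of the traffic is actually being decrypted versus merely tunnelled.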
Export the proxy environment variables:
$ export https_proxy="http://127.0.0.1:3128"
$ export http_proxy="http://127.0.0.1:3128"
With the proxy variables exported, curl still fails with the same certificate warning until the CA is trusted:
$ curl --proxy 127.0.0.1:3128 https://google.com
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
So we need to add the CA created earlier at the system level. That can be done by appending the certificate data (squid-ca-cert-key.pem) to /etc/ssl/certs/ca-certificates.crt.
Now try curl again and see that it works:
$ curl https://google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
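The system bundle step above appends the combined squid-ca-cert-key.pem, which also holds the CA's private key; clients (curl --cacert, Firefox, ca-certificates.crt) only need the certificate part, as in the earlier --cacert squid-ca-cert.pem test, and anyone holding the key can mint a trusted certificate for any site. This shell example is added here and is not part of the original post: it extracts the certificate blocks from a combined bundle and refuses to hand out anything still containing key material; the PEM bodies are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Squid needs cert+key in one file
# (squid-ca-cert-key.pem), but clients (curl --cacert, Firefox, the system
# ca-certificates.crt bundle) must only ever receive the CERTIFICATE part.

# Copy only the CERTIFICATE blocks from a PEM bundle ($1) to stdout.
pem_certs_only() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { keep = 1 }
        keep                            { print }
        /^-----END CERTIFICATE-----$/   { keep = 0 }
    ' "$1"
}

# Succeed (exit 0) only if the file ($1) holds no private key block at all
# (matches PRIVATE KEY, RSA PRIVATE KEY and ENCRYPTED PRIVATE KEY headers).
pem_is_client_safe() {
    ! grep -q 'PRIVATE KEY-----' "$1"
}

# Constructed stand-in for squid-ca-cert-key.pem: the bodies are placeholders,
# not real certificate or key data.
SAMPLE_BUNDLE="$(mktemp)"
cat > "$SAMPLE_BUNDLE" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBplaceholderCertificateBody==
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEplaceholderPrivateKeyBody==
-----END PRIVATE KEY-----
EOF

# Derive the client-distributable file and gate it behind the check.
CLIENT_CA="$(mktemp)"
pem_certs_only "$SAMPLE_BUNDLE" > "$CLIENT_CA"
if pem_is_client_safe "$CLIENT_CA"; then
    echo "ok: $CLIENT_CA is certificate-only; this is the file to ship to clients"
else
    echo "refusing to distribute $CLIENT_CA: private key material present" >&2
fi
```

On the real proxy, `pem_certs_only /etc/squid/certs/squid-ca-cert-key.pem` yields the same content as the squid-ca-cert.pem generated earlier, and `pem_is_client_safe` is the check to run on whatever file gets copied to clients or appended to the system bundle.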