Configuring SSL Bumping in the Squid service
To configure SSL Bumping in the Squid service:
- Make sure that the Squid service in use supports the necessary options. To do so, execute the command:
squid -v
The configure options parameter must contain the --enable-ssl-crtd and --with-openssl values.
- Go to the Squid service folder. To do so, execute the command:
cd /etc/squid
- Create a self-signed SSL certificate. To do so, execute the command:
openssl req -new -newkey rsa:2048 -days <certificate validity period in days> -nodes -x509 -keyout squidCA.pem -out squidCA.pem
You will be prompted to fill in the fields of the self-signed SSL certificate.
- Please fill in the fields of the self-signed SSL certificate.
- Create a trusted certificate to be imported into a browser. To do so, execute the command:
openssl x509 -in squidCA.pem -outform DER -out squid.der
- Import the squid.der file into the browsers of local computer users.
The method used to import the squid.der file into a browser depends on the type of browser.
- Configure the permissions to use a self-signed certificate file. To do so, run the following commands depending on the utilized operating system:
- CentOS, Red Hat Enterprise Linux or SUSE Linux Enterprise Server:
chown squid:squid squidCA.pem
chmod 400 squidCA.pem
- Ubuntu or Debian:
chown proxy:proxy squidCA.pem
chmod 400 squidCA.pem
- Create a folder for future certificates. To do so, run the following commands depending on the utilized operating system:
- CentOS or Red Hat Enterprise Linux:
mkdir -p /var/lib/squid
/usr/lib64/squid/ssl_crtd -c -s /var/lib/squid/ssl_db
chown -R squid:squid /var/lib/squid
- Ubuntu:
mkdir -p /var/lib/squid
/usr/lib/squid/ssl_crtd -c -s /var/lib/squid/ssl_db
chown -R proxy:proxy /var/lib/squid
- SUSE Linux Enterprise Server:
mkdir -p /var/lib/squid
/usr/sbin/ssl_crtd -c -s /var/lib/squid/ssl_db
chown -R squid:squid /var/lib/squid
- In Debian, the Squid service does not support SSL Bumping by default. If the Squid service was compiled with enabled SSL Bumping support, you must create a directory for future certificates:
mkdir -p /var/lib/squid
<path specified at compilation time>/ssl_crtd -c -s /var/lib/squid/ssl_db
chown -R <user specified at compilation time>:<group specified at compilation time> /var/lib/squid
- Change the settings of the Squid service. To do so, in the /etc/squid/squid.conf file:
- Replace
http_port 3128
with
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squidCA.pem
- Add the following lines to the end of the file:
- CentOS or Red Hat Enterprise Linux:
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all
sslproxy_cert_error deny all
- Ubuntu:
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all
sslproxy_cert_error deny all
- SUSE Linux Enterprise Server:
sslcrtd_program /usr/sbin/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all
sslproxy_cert_error deny all
- Debian (if the Squid service was compiled with enabled SSL Bumping support):
sslcrtd_program <path specified at compilation time>/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all
sslproxy_cert_error deny all
- If you want to exclude trusted domain certificates from checking, add the following lines:
- CentOS or Red Hat Enterprise Linux:
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all
acl BrokenButTrustedServers dstdomain <example.com>
sslproxy_cert_error allow BrokenButTrustedServers
sslproxy_cert_error deny all
- Ubuntu:
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all
acl BrokenButTrustedServers dstdomain <example.com>
sslproxy_cert_error allow BrokenButTrustedServers
sslproxy_cert_error deny all
- SUSE Linux Enterprise Server:
sslcrtd_program /usr/sbin/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all
acl BrokenButTrustedServers dstdomain <example.com>
sslproxy_cert_error allow BrokenButTrustedServers
sslproxy_cert_error deny all
- Debian (if the Squid service was compiled with enabled SSL Bumping support):
sslcrtd_program <path specified at compilation time>/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all
acl BrokenButTrustedServers dstdomain <example.com>
sslproxy_cert_error allow BrokenButTrustedServers
sslproxy_cert_error deny all
- If you want to disable checking of certificates for all domains, add the following lines:
- CentOS or Red Hat Enterprise Linux:
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
- Ubuntu:
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
- SUSE Linux Enterprise Server:
sslcrtd_program /usr/sbin/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
- Debian (if the Squid service was compiled with enabled SSL Bumping support):
sslcrtd_program <path depends on compilation settings>/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
- Restart the Squid service. To do so, execute the command:
service squid restart
Configuration of SSL Bumping in the Squid service will be complete.
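The following POSIX shell audit is an added example and is not part of these instructions or of Squid itself. It checks the two required build options in the output of squid -v and classifies a squid.conf as either the variant above that keeps certificate errors denied, or the "disable checking for all domains" variant, in which the proxy accepts any upstream certificate on behalf of its clients; the sample configuration files are constructed inline.

```shell
#!/bin/sh
# Added example, not part of the original instructions: audit a squid.conf for the
# SSL Bumping settings above and flag the variant that turns off upstream checks.

# $1: full output of `squid -v`. Returns 0 when both required build options are present.
has_ssl_build_options() {
  printf '%s\n' "$1" | grep -q -- '--enable-ssl-crtd' || return 1
  printf '%s\n' "$1" | grep -q -- '--with-openssl'   || return 1
}

# $1: path to squid.conf. Exit status: 0 = bumping on and upstream certificates still
# verified; 1 = bumping on but verification disabled (the proxy accepts any upstream
# certificate, so clients lose protection against a spoofed server); 2 = bumping not set up.
audit_squid_conf() {
  conf="$1"
  grep -Eq '^http_port[[:space:]]+[0-9]+[[:space:]].*ssl-bump' "$conf" ||
    { echo "$conf: http_port has no ssl-bump option"; return 2; }
  grep -Eq '^sslcrtd_program[[:space:]]' "$conf" ||
    { echo "$conf: sslcrtd_program missing"; return 2; }
  if grep -Eq '^sslproxy_flags[[:space:]]+DONT_VERIFY_PEER' "$conf" ||
     grep -Eq '^sslproxy_cert_error[[:space:]]+allow[[:space:]]+all' "$conf"; then
    echo "$conf: WARNING upstream certificate verification is disabled"; return 1
  fi
  grep -Eq '^sslproxy_cert_error[[:space:]]+deny[[:space:]]+all' "$conf" ||
    { echo "$conf: no final 'sslproxy_cert_error deny all'"; return 1; }
  echo "$conf: OK, bumping enabled and certificate errors denied"
}

# Constructed sample configurations (not taken from a real host).
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/secure.conf" <<'EOF'
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squidCA.pem
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all
sslproxy_cert_error deny all
EOF
cat > "$TMP/weak.conf" <<'EOF'
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squidCA.pem
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
ssl_bump server-first all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
EOF
printf 'http_port 3128\n' > "$TMP/plain.conf"
for f in secure weak plain; do
  rc=0; audit_squid_conf "$TMP/$f.conf" || rc=$?; echo "  exit status $rc"
done
```

The trusted-domain variant (an allow rule for one ACL followed by deny all) is reported as OK, because only the blanket allow and DONT_VERIFY_PEER are flagged.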