Pour configurer SSL Bumping dans le service Squid, procédez comme suit :
# Print the build options; the "configure options" line must list --enable-ssl-crtd and --with-openssl
# or the ssl_crtd helper and the ssl-bump port options used below are not available.
squid -v
Le paramètre configure options de la sortie obtenue doit contenir les valeurs --enable-ssl-crtd et --with-openssl.
# Work in Squid's configuration directory; the CA material is referenced from squid.conf as /etc/squid/squidCA.pem.
cd /etc/squid
# Generate a 2048-bit RSA key and a self-signed CA certificate. -keyout and -out point to the same file,
# so squidCA.pem holds both the private key and the certificate: it must stay readable by the Squid
# service account only (see the chown/chmod steps below). -nodes leaves the key unencrypted.
openssl req -new -newkey rsa:2048 -days <nombre de jours de validité du certificat> -nodes -x509 -keyout squidCA.pem -out squidCA.pem
Une invite vous demande ensuite de renseigner les champs du certificat SSL auto-signé.
# Export only the certificate (no private key) in DER form; squid.der is the file to distribute to
# browsers so that the certificates generated by the proxy are trusted.
openssl x509 -in squidCA.pem -outform DER -out squid.der
Le mode d'importation du fichier squid.der dans le navigateur dépend du type du navigateur.
# The PEM file contains the CA private key: give it to the Squid service account and make it
# read-only for that account alone.
chown squid:squid squidCA.pem
chmod 400 squidCA.pem
# Same step for an installation whose Squid service account is "proxy" instead of "squid"
# (the account is fixed at build time; see the compile-time variant below).
chown proxy:proxy squidCA.pem
chmod 400 squidCA.pem
# Create the directory for the generated-certificate database.
mkdir -p /var/lib/squid
# Initialise (-c) the ssl_db database; the same ssl_crtd binary must be named in sslcrtd_program.
/usr/lib64/squid/ssl_crtd -c -s /var/lib/squid/ssl_db
# The helper runs as the Squid service account and must be able to write the database.
chown -R squid:squid /var/lib/squid
# Variant for a build with ssl_crtd under /usr/lib/squid and the "proxy" service account.
mkdir -p /var/lib/squid
# Initialise (-c) the ssl_db database; the same ssl_crtd binary must be named in sslcrtd_program.
/usr/lib/squid/ssl_crtd -c -s /var/lib/squid/ssl_db
# The helper must be able to write the database as the service account.
chown -R proxy:proxy /var/lib/squid
# Variant for a build with ssl_crtd installed in /usr/sbin.
mkdir -p /var/lib/squid
# Initialise (-c) the ssl_db database; the same ssl_crtd binary must be named in sslcrtd_program.
/usr/sbin/ssl_crtd -c -s /var/lib/squid/ssl_db
# The helper must be able to write the database as the service account.
chown -R squid:squid /var/lib/squid
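# Variant for a custom build: substitute the helper path and the service user/group chosen at compile time.
mkdir -p /var/lib/squid
# Initialise (-c) the ssl_db database; the same ssl_crtd binary must be named in sslcrtd_program.
<Le chemin indiqué à la compilation>/ssl_crtd -c -s /var/lib/squid/ssl_db
# The helper must be able to write the database as the service account (user:group, no spaces).
chown -R <l'utilisateur indiqué à la compilation>:<le groupe indiqué à la compilation> /var/lib/squid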
Dans squid.conf, remplacez la ligne http_port 3128 par la ligne suivante :
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/squidCA.pem
# Certificate-generation helper: must be the ssl_crtd binary used above to initialise ssl_db.
# -M 4MB caps the size of the generated-certificate database.
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
# Number of helper processes started for certificate generation.
sslcrtd_children 5
# Bump (decrypt and re-sign) every TLS connection. server-first is the legacy ssl_bump syntax;
# newer Squid releases express this with the peek/stare/bump steps — check the version from squid -v.
ssl_bump server-first all
# Do not ignore upstream certificate errors: a server whose certificate fails validation is refused
# instead of being silently re-signed with the proxy CA.
sslproxy_cert_error deny all
# Certificate-generation helper: must be the ssl_crtd binary used above to initialise ssl_db.
# -M 4MB caps the size of the generated-certificate database.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
# Number of helper processes started for certificate generation.
sslcrtd_children 5
# Bump (decrypt and re-sign) every TLS connection. server-first is the legacy ssl_bump syntax;
# newer Squid releases express this with the peek/stare/bump steps — check the version from squid -v.
ssl_bump server-first all
# Do not ignore upstream certificate errors: a server whose certificate fails validation is refused
# instead of being silently re-signed with the proxy CA.
sslproxy_cert_error deny all
# Certificate-generation helper: must be the ssl_crtd binary used above to initialise ssl_db.
# -M 4MB caps the size of the generated-certificate database.
sslcrtd_program /usr/sbin/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
# Number of helper processes started for certificate generation.
sslcrtd_children 5
# Bump (decrypt and re-sign) every TLS connection. server-first is the legacy ssl_bump syntax;
# newer Squid releases express this with the peek/stare/bump steps — check the version from squid -v.
ssl_bump server-first all
# Do not ignore upstream certificate errors: a server whose certificate fails validation is refused
# instead of being silently re-signed with the proxy CA.
sslproxy_cert_error deny all
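# Certificate-generation helper for a custom build: substitute the compile-time path; it must be the
# ssl_crtd binary used above to initialise ssl_db. -M 4MB caps the size of the certificate database.
sslcrtd_program <Le chemin indiqué au moment de la compilation>/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
# Number of helper processes started for certificate generation.
sslcrtd_children 5
# Bump (decrypt and re-sign) every TLS connection. server-first is the legacy ssl_bump syntax;
# newer Squid releases express this with the peek/stare/bump steps — check the version from squid -v.
ssl_bump server-first all
# Do not ignore upstream certificate errors: a server whose certificate fails validation is refused
# instead of being silently re-signed with the proxy CA.
sslproxy_cert_error deny all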
# Certificate-generation helper: must be the ssl_crtd binary used above to initialise ssl_db.
# -M 4MB caps the size of the generated-certificate database.
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
# Number of helper processes started for certificate generation.
sslcrtd_children 5
# Bump (decrypt and re-sign) every TLS connection (server-first is the legacy ssl_bump syntax).
ssl_bump server-first all
# Destinations whose certificate errors are deliberately tolerated; replace <example.com> with the
# real domain(s) and keep this list as short as possible, since those servers are re-signed unchecked.
acl BrokenButTrustedServers dstdomain <example.com>
# Rules are evaluated in order: ignore certificate errors only for the listed domains, refuse all others.
sslproxy_cert_error allow BrokenButTrustedServers
sslproxy_cert_error deny all
# Certificate-generation helper: must be the ssl_crtd binary used above to initialise ssl_db.
# -M 4MB caps the size of the generated-certificate database.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
# Number of helper processes started for certificate generation.
sslcrtd_children 5
# Bump (decrypt and re-sign) every TLS connection (server-first is the legacy ssl_bump syntax).
ssl_bump server-first all
# Destinations whose certificate errors are deliberately tolerated; replace <example.com> with the
# real domain(s) and keep this list as short as possible, since those servers are re-signed unchecked.
acl BrokenButTrustedServers dstdomain <example.com>
# Rules are evaluated in order: ignore certificate errors only for the listed domains, refuse all others.
sslproxy_cert_error allow BrokenButTrustedServers
sslproxy_cert_error deny all
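# Certificate-generation helper: must be the ssl_crtd binary used above to initialise ssl_db
# (/usr/sbin/ssl_crtd in this variant, as in the db-creation step). -M 4MB caps the database size.
sslcrtd_program /usr/sbin/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
# Number of helper processes started for certificate generation.
sslcrtd_children 5
# Bump (decrypt and re-sign) every TLS connection (server-first is the legacy ssl_bump syntax).
ssl_bump server-first all
# Destinations whose certificate errors are deliberately tolerated; replace <example.com> with the
# real domain(s) and keep this list as short as possible, since those servers are re-signed unchecked.
acl BrokenButTrustedServers dstdomain <example.com>
# Rules are evaluated in order: ignore certificate errors only for the listed domains, refuse all others.
sslproxy_cert_error allow BrokenButTrustedServers
sslproxy_cert_error deny all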
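# Certificate-generation helper for a custom build: substitute the compile-time path; it must be the
# ssl_crtd binary used above to initialise ssl_db. -M 4MB caps the size of the certificate database.
sslcrtd_program <Le chemin indiqué au moment de la compilation>/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
# Number of helper processes started for certificate generation.
sslcrtd_children 5
# Bump (decrypt and re-sign) every TLS connection (server-first is the legacy ssl_bump syntax).
ssl_bump server-first all
# Destinations whose certificate errors are deliberately tolerated; replace <example.com> with the
# real domain(s) and keep this list as short as possible, since those servers are re-signed unchecked.
acl BrokenButTrustedServers dstdomain <example.com>
# Rules are evaluated in order: ignore certificate errors only for the listed domains, refuse all others.
sslproxy_cert_error allow BrokenButTrustedServers
sslproxy_cert_error deny all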
# Certificate-generation helper: must be the ssl_crtd binary used above to initialise ssl_db.
# -M 4MB caps the size of the generated-certificate database.
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
# Number of helper processes started for certificate generation.
sslcrtd_children 5
# Bump (decrypt and re-sign) every TLS connection (server-first is the legacy ssl_bump syntax).
ssl_bump server-first all
# Every upstream certificate error is ignored and peer verification is switched off: a client behind
# the proxy can no longer detect an expired, mismatched or forged server certificate, because the proxy
# re-signs it with its own CA regardless. The "deny all" or per-domain allow variants above keep that
# check; use this variant only where unverified upstream connections are an accepted risk.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
# Certificate-generation helper: must be the ssl_crtd binary used above to initialise ssl_db.
# -M 4MB caps the size of the generated-certificate database.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
# Number of helper processes started for certificate generation.
sslcrtd_children 5
# Bump (decrypt and re-sign) every TLS connection (server-first is the legacy ssl_bump syntax).
ssl_bump server-first all
# Every upstream certificate error is ignored and peer verification is switched off: a client behind
# the proxy can no longer detect an expired, mismatched or forged server certificate, because the proxy
# re-signs it with its own CA regardless. The "deny all" or per-domain allow variants above keep that
# check; use this variant only where unverified upstream connections are an accepted risk.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
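# Certificate-generation helper: must be the ssl_crtd binary used above to initialise ssl_db
# (/usr/sbin/ssl_crtd in this variant, as in the db-creation step). -M 4MB caps the database size.
sslcrtd_program /usr/sbin/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
# Number of helper processes started for certificate generation.
sslcrtd_children 5
# Bump (decrypt and re-sign) every TLS connection (server-first is the legacy ssl_bump syntax).
ssl_bump server-first all
# Every upstream certificate error is ignored and peer verification is switched off: a client behind
# the proxy can no longer detect an expired, mismatched or forged server certificate, because the proxy
# re-signs it with its own CA regardless. The "deny all" or per-domain allow variants above keep that
# check; use this variant only where unverified upstream connections are an accepted risk.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER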
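# Certificate-generation helper for a custom build: substitute the compile-time path; it must be the
# ssl_crtd binary used above to initialise ssl_db. -M 4MB caps the size of the certificate database.
sslcrtd_program <le chemin dépend des configurations à la compilation>/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
# Number of helper processes started for certificate generation.
sslcrtd_children 5
# Bump (decrypt and re-sign) every TLS connection (server-first is the legacy ssl_bump syntax).
ssl_bump server-first all
# Every upstream certificate error is ignored and peer verification is switched off: a client behind
# the proxy can no longer detect an expired, mismatched or forged server certificate, because the proxy
# re-signs it with its own CA regardless. The "deny all" or per-domain allow variants above keep that
# check; use this variant only where unverified upstream connections are an accepted risk.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER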
# Restart so that the new http_port / ssl_bump settings in squid.conf take effect.
service squid restart
La configuration de SSL Bumping dans le service Squid est terminée.