Configuring SSL Bumping in the Squid service
July 3, 2024
ID 166244
These instructions are applicable if Kaspersky Web Traffic Security was installed from an RPM or DEB package to a ready-to-use operating system. If Kaspersky Web Traffic Security was installed from an ISO file, configuration files for the built-in proxy server cannot be manually changed.
It is recommended to configure SSL Bumping in the Squid service to handle encrypted connections. If SSL Bumping is not configured, the proxy server cannot intervene in the process of establishing an encrypted connection. In this case, the protection modules of Kaspersky Web Traffic Security (Anti-Virus and Anti-Phishing) are unable to scan data transmitted inside the encrypted data channel. This reduces the level of protection of the corporate IT infrastructure.
SSL Bumping requires an SSL certificate and a private key in PEM format. You can create a new self-signed SSL certificate or use a prepared one (for example, an SSL certificate issued by a Certificate Authority).
If the private key is password protected, it needs to be decrypted in advance.
To configure SSL Bumping in the Squid service:
- Make sure that the utilized Squid service supports the necessary options. To do so, execute the command:
squid -v
The configure options parameter must contain the --enable-ssl-crtd and --with-openssl values.
- Copy the SSL certificate in PEM format into the file /etc/squid/bump.crt.
- Copy the private key in PEM format into the file /etc/squid/bump.key.
- Generate the settings file for the Diffie-Hellman algorithm. To do so, execute the command:
openssl dhparam -outform PEM -out /etc/squid/bump_dhparam.pem 2048
- Configure the permissions for using an SSL certificate file. To do so, run the following commands depending on the utilized operating system:
  - CentOS, Red Hat Enterprise Linux or SUSE Linux Enterprise Server:
    chown squid:squid /etc/squid/bump*
    chmod 400 /etc/squid/bump*
  - Ubuntu, Debian, or ALT Server:
    chown proxy:proxy /etc/squid/bump*
    chmod 400 /etc/squid/bump*
- Determine the version of the Squid service being used on your server. To do so, execute the command:
squid -v
Information about the utilized version is displayed in the format Squid Cache: Version <version>.
- Stop the Squid service if it is running. To do so, execute the command:
service squid stop
- If you are using version 3.5.x of the Squid service:
  - Create a directory for the certificate database and initialize the database. To do so, run the following commands depending on the utilized operating system:
    - CentOS or Red Hat Enterprise Linux:
      mkdir -p /var/lib/squid
      rm -rf /var/lib/squid/ssl_db
      /usr/lib64/squid/ssl_crtd -c -s /var/lib/squid/ssl_db
      chown -R squid:squid /var/lib/squid
    - SUSE Linux Enterprise Server:
      mkdir -p /var/lib/squid
      rm -rf /var/lib/squid/ssl_db
      /usr/sbin/ssl_crtd -c -s /var/lib/squid/ssl_db
      chown -R squid:squid /var/lib/squid
    - Ubuntu or Debian:
      mkdir -p /var/lib/squid
      rm -rf /var/lib/squid/ssl_db
      /usr/lib/squid/ssl_crtd -c -s /var/lib/squid/ssl_db
      chown -R proxy:proxy /var/lib/squid
  - In the /etc/squid/squid.conf configuration file, make the following changes:
    - At the end of the file, add the following directives depending on the utilized operating system:
      - CentOS or Red Hat Enterprise Linux:
        sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 20MB
        sslproxy_cert_error allow all
        ssl_bump stare all
      - SUSE Linux Enterprise Server:
        sslcrtd_program /usr/sbin/ssl_crtd -s /var/lib/squid/ssl_db -M 20MB
        sslproxy_cert_error allow all
        ssl_bump stare all
      - Ubuntu or Debian:
        sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 20MB
        sslproxy_cert_error allow all
        ssl_bump stare all
    - Replace the http_port directive with the following:
      http_port 3128 tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/etc/squid/bump.crt key=/etc/squid/bump.key cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,NO_SSLv2,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/squid/bump_dhparam.pem
- If you are using version 4.x of the Squid service:
  - Create a directory for the certificate database and initialize the database. To do so, run the following commands depending on the utilized operating system:
    - CentOS or Red Hat Enterprise Linux:
      mkdir -p /var/lib/squid
      rm -rf /var/lib/squid/ssl_db
      /usr/lib64/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 20MB
      chown -R squid:squid /var/lib/squid
    - SUSE Linux Enterprise Server:
      mkdir -p /var/lib/squid
      rm -rf /var/lib/squid/ssl_db
      /usr/sbin/security_file_certgen -c -s /var/lib/squid/ssl_db -M 20MB
      chown -R squid:squid /var/lib/squid
    - Ubuntu, Debian, or ALT Server:
      mkdir -p /var/lib/squid
      rm -rf /var/lib/squid/ssl_db
      /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 20MB
      chown -R proxy:proxy /var/lib/squid
  - In the /etc/squid/squid.conf configuration file, make the following changes:
    - Add the following directives to the beginning of the file or before the first http_access directive:
      acl intermediate_fetching transaction_initiator certificate-fetching
      http_access allow intermediate_fetching
    - Add the following directives to the end of the file depending on the utilized operating system:
      - CentOS or Red Hat Enterprise Linux:
        sslcrtd_program /usr/lib64/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 20MB
        sslproxy_cert_error allow all
        ssl_bump stare all
      - SUSE Linux Enterprise Server:
        sslcrtd_program /usr/sbin/security_file_certgen -s /var/lib/squid/ssl_db -M 20MB
        sslproxy_cert_error allow all
        ssl_bump stare all
      - Ubuntu, Debian, or ALT Server:
        sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 20MB
        sslproxy_cert_error allow all
        ssl_bump stare all
    - Replace the http_port directive with the following:
      http_port 3128 tcpkeepalive=60,30,3 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/etc/squid/bump.crt tls-key=/etc/squid/bump.key cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/squid/bump_dhparam.pem
- Restart the Squid service. To do so, execute the command:
service squid restart
Configuration of SSL Bumping in the Squid service will be complete.
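As an added example that is not part of the Kaspersky documentation, the following POSIX shell script bundles the checks the procedure above depends on: it parses `squid -v` output for the required build options and for the version (to pick ssl_crtd for 3.5.x or security_file_certgen for 4.x), confirms that the PEM private key is not password protected, and verifies that squid.conf carries the directives the procedure adds. The function names and the sample `squid -v` output are constructed for this example.

```shell
# Added example, not part of the Kaspersky page: pre-flight checks for the
# SSL Bumping procedure above. Each function takes its input as an argument
# so it can be run against the constructed sample data at the bottom.

# Return 0 when `squid -v` output lists both required build options.
squid_has_bump_support() {
    # $1 = full output of `squid -v`
    printf '%s\n' "$1" | grep -q -- '--enable-ssl-crtd' &&
    printf '%s\n' "$1" | grep -q -- '--with-openssl'
}

# Print the certificate generator helper the procedure uses for this version:
# ssl_crtd for 3.5.x, security_file_certgen for 4.x; fail on anything else.
squid_certgen_helper() {
    # $1 = full output of `squid -v`
    ver=$(printf '%s\n' "$1" | sed -n 's/^Squid Cache: Version \([0-9][0-9.]*\).*/\1/p')
    case "$ver" in
        3.5.*) echo ssl_crtd ;;
        4.*)   echo security_file_certgen ;;
        *)     return 1 ;;
    esac
}

# Return 0 when a PEM private key is not password protected (the page requires
# the key to be decrypted in advance).
pem_key_is_unencrypted() {
    # $1 = path to the key file
    ! grep -q -E '^Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Return 0 when squid.conf carries the directives the procedure adds. The
# procedure also adds "sslproxy_cert_error allow all", which makes Squid ignore
# upstream certificate validation errors; review that line when auditing.
squid_conf_has_bump() {
    # $1 = path to squid.conf
    grep -q '^sslcrtd_program ' "$1" &&
    grep -q '^ssl_bump stare all' "$1" &&
    grep -q -E '^http_port .*ssl-bump .*generate-host-certificates=on' "$1" &&
    grep -q -E '^http_port .*(tls-)?cert=/etc/squid/bump\.crt' "$1"
}

# Constructed sample `squid -v` output for a stand-alone run.
SAMPLE_V="Squid Cache: Version 4.10
configure options:  '--prefix=/usr' '--enable-ssl-crtd' '--with-openssl'"

if squid_has_bump_support "$SAMPLE_V"; then
    echo "certificate helper: $(squid_certgen_helper "$SAMPLE_V")"
fi
```

On a real server, pass the actual `squid -v` output (for example `squid_has_bump_support "$(squid -v)"`) and the real paths /etc/squid/bump.key and /etc/squid/squid.conf to the functions.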