targeted ssl-interception with squid ssl bump

squid cache | ssl bump | targeted mitm

intro

we want to ssl-intercept only nethence.com, and leave the other requests alone (pass-through).

lessons learned / warning

when using just two rules, the targeted setup only worked with proxy service, not with interception

    ssl_bump bump mitm
    ssl_bump splice all

this is why we need to peek first: the peek is what yields the actual SNI, so we can bump on demand, for that precise target only

    acl step1 at_step SslBump1

    ssl_bump peek step1
    ssl_bump bump mitm
    ssl_bump splice all
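
to see why the two-rule version only targets nethence.com in proxy-service mode, here is a small python model of the ssl_bump decision at SslBump1 and SslBump2. it is an example added to this guide, not squid code and not from the original page; the acl names (step1, mitm, all), the target host and the sample connections are taken or constructed from the config above, and what ssl::server_name can see at each step follows the squid docs in simplified form (step 1: the CONNECT host, or only the destination IP when intercepting; step 2: the SNI peeked from the ClientHello).

```python
# Added example (not from the original guide, not Squid code): a simplified
# model of the ssl_bump decision at SslBump1 and SslBump2, enough to show why
# "bump mitm / splice all" only targets nethence.com in proxy-service mode,
# while "peek step1 / bump mitm / splice all" also works with interception.
# Assumptions: acl names and target host come from the squid.conf above; what
# ssl::server_name knows per step follows the Squid docs, simplified
# (step 1: CONNECT host or intercepted destination IP, step 2: peeked SNI).

TARGET = "nethence.com"  # acl mitm ssl::server_name nethence.com (exact, like dstdomain without leading dot)

# rules as (action, acl), in squid.conf order
TWO_RULES = [("bump", "mitm"), ("splice", "all")]
THREE_RULES = [("peek", "step1"), ("bump", "mitm"), ("splice", "all")]


def known_server_name(step, mode, connect_host, dst_ip, sni):
    """What ssl::server_name can see at a given step (simplified)."""
    if step == 1:
        # proxy service: the client sent "CONNECT nethence.com:443";
        # interception: squid only knows the original destination IP
        return connect_host if mode == "proxy" else dst_ip
    # step 2 only exists after a peek: the ClientHello SNI is now known
    return sni


def acl_matches(acl, step, name):
    if acl == "all":
        return True
    if acl == "step1":          # acl step1 at_step SslBump1
        return step == 1
    if acl == "mitm":           # a bare IP or a subdomain never equals the name
        return name == TARGET
    raise ValueError("unknown acl %r" % acl)


def decide(rules, mode, connect_host=None, dst_ip=None, sni=None):
    """Walk steps 1 and 2 and return the final action, "bump" or "splice"."""
    for step in (1, 2):
        name = known_server_name(step, mode, connect_host, dst_ip, sni)
        for action, acl in rules:
            if acl_matches(acl, step, name):
                break
        else:
            raise RuntimeError("no ssl_bump rule matched at step %d" % step)
        if action != "peek":
            return action
    raise RuntimeError("still peeking after step 2 (not modelled)")


if __name__ == "__main__":
    cases = [
        # (mode, CONNECT host, destination IP, SNI): constructed sample connections
        ("proxy", "nethence.com", "203.0.113.10", "nethence.com"),
        ("intercept", None, "203.0.113.10", "nethence.com"),
        ("intercept", None, "203.0.113.11", "pub.nethence.com"),
        ("proxy", "www.opendns.com", "203.0.113.12", "www.opendns.com"),
    ]
    for label, rules in (("two rules", TWO_RULES), ("three rules", THREE_RULES)):
        for mode, host, ip, sni in cases:
            print("%-11s %-9s %-18s -> %s"
                  % (label, mode, sni, decide(rules, mode, host, ip, sni)))
```

running it prints, for the two-rule set, "splice" for the intercepted nethence.com connection (step 1 only sees the IP, so "splice all" wins) but "bump" for the proxied one (the CONNECT host matches). with the three rules both end up bumped, pub.nethence.com and www.opendns.com are spliced in both modes, and a squid.conf whose last rule is not "splice all" would hit the RuntimeError, since the model does not encode squid's no-match default.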

setup

based on our squid ssl bump setup, tune the ACLs and SSL Bump settings as follows. you might also want to use other ports than the 8080 of that setup: one for proxy service and two for interception (HTTP and HTTPS)

    vi /etc/squid/squid.conf

    acl lan src 192.168.122.0/24
    acl step1 at_step SslBump1
    acl mitm ssl::server_name nethence.com

    # first rule that matches (ipf-style)
    http_access allow lan
    http_access deny all

    # listening for HTTP in the middle
    http_port 3127 intercept

    # listening for HTTP CONNECT
    http_port 3128 ssl-bump \
        tls-cert=/etc/ssl/prime256v1.crt tls-key=/etc/ssl/prime256v1.key \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

    # listening for HTTPS in the middle
    https_port 3129 intercept ssl-bump \
        tls-cert=/etc/ssl/prime256v1.crt tls-key=/etc/ssl/prime256v1.key \
        generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

    ssl_bump peek step1
    ssl_bump bump mitm
    ssl_bump splice all

...

enable interception

    sysctl net.ipv4.ip_forward=1
    apt install iptables

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3127
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3129

    # clean-up
    #iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3127
    #iptables -t nat -D PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3129

acceptance – proxy service

from some other guest on the network

    squid=192.168.122.8
    nmap -p 3127,3128,3129 $squid

this one gets cached as it’s clear-text anyhow

    curl --proxy $squid:3128 -I http://httpforever.com/

this one should be bumped and therefore cached (the first call fails on the proxy-generated certificate unless the proxy CA is trusted, hence the second call with -k)

    curl --proxy $squid:3128 -I https://nethence.com/ # self-signed
    curl --proxy $squid:3128 -I https://nethence.com/ -k

those should pass through

    curl --proxy $squid:3128 -I https://pub.nethence.com/
    curl --proxy $squid:3128 -I https://www.opendns.com/

acceptance – interception

from another guest’s console…

    squid=192.168.122.8

    route delete default
    route add default gw $squid
    ping -c1 opendns.com
    nmap -p 80,443 $squid

this one gets cached as it’s clear-text anyhow

    curl -I http://httpforever.com/

this one should be bumped and therefore cached (again, the first call fails on the proxy-generated certificate unless the proxy CA is trusted, hence -k)

    curl -I https://nethence.com/ # self-signed
    curl -I https://nethence.com/ -k

those should pass through

    curl -I https://pub.nethence.com/
    curl -I https://www.opendns.com/

shooting troubles

ssl::server_name only sees the SNI after a peek at step 1: without that peek, at step 1 the ACL only has the CONNECT host (proxy service) or the destination IP (interception), so the bump rule never matches intercepted traffic and everything falls through to splice

resources

https://elatov.github.io/2019/01/using-squid-to-proxy-ssl-sites/ ==> dual port

https://www.smoothnet.org/squid-proxy-with-ssl-bump/ ==> old syntax

https://serverfault.com/questions/785034/how-to-properly-setup-squid3-as-https-proxy ==> nat issue

https://dev.to/suntong/squid-proxy-and-ssl-interception-1oa4 ==> DNAT

https://wiki.squid-cache.org/SquidFaq/InterceptionProxy

https://turbofuture.com/internet/Intercepting-HTTPS-Traffic-Using-the-Squid-Proxy-in-pfSense ==> pfsense

https://scubarda.com/2020/03/23/configure-squid-proxy-for-ssl-tls-inspection-https-interception/

nat setup

https://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html ==> REDIRECT

https://linuxtechlab.com/squid-transparent-proxy-server-complete-configuration/ ==> DNAT + REDIR

https://serverfault.com/questions/1001453/how-to-configure-squid4-as-transparent-proxy ==> don’t forget dns – need to forward packets…

https://stackoverflow.com/questions/2601400/squidiptables-how-do-i-allow-https-to-pass-through-and-bypassing-squid ==> rp_filter

transparent / intercept syntax

https://www.christianschenk.org/blog/transparent-proxy-with-squid/

https://dominikrys.com/posts/squid-transparent-proxy/

https://wiki.squid-cache.org/Features/HTTPS ==> see Bumping direct TLS connections

targeted syntax

http://www.squid-cache.org/Doc/config/ssl_bump/

https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit

https://wiki.squid-cache.org/Features/SslPeekAndSplice

https://serverfault.com/questions/788127/configure-squid-to-pass-througt-ssl-traffic-for-specific-hosts-instead-of-interc/1137216

troubles

http://www.squid-cache.org/Doc/config/acl/ ==> ssl::server_name


Copyright © 2024 Pierre-Philipp Braun