squid cache | ssl bump | targeted mitm
Even with SSL Bump enabled, the proxy service itself remains clear-text. That’s not that big of an issue since SSL handles authentication on the underlying traffic anyways. Note you will have to deploy your CA certificate to users' workstations.
assuming you got squid up and running already
apt install squid-openssl # replaces squid package
ls -al /var/spool/squid/ssl_db/ # not yet
/usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 16MB
chown -R proxy:proxy /var/spool/squid/ssl_db/
cd /etc/ssl/
openssl req -x509 -days 365 -nodes \
-newkey ec:<(openssl ecparam -name prime256v1) \
-keyout prime256v1.key \
-out prime256v1.crt
cd -
vi /etc/squid/squid.conf
acl step1 at_step SslBump1
http_port 8080 ssl-bump \
tls-cert=/etc/ssl/prime256v1.crt tls-key=/etc/ssl/prime256v1.key \
generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
https_port 3129 intercept ssl-bump \
tls-cert=/etc/ssl/prime256v1.crt tls-key=/etc/ssl/prime256v1.key \
generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
ssl_bump peek step1
ssl_bump bump all
on the squid machine
become a router
vi /etc/sysctl.conf # ssl-interception on the fly net.ipv4.ip_forward = 1 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.eth0.route_localnet = 1 sysctl -p
enable the interception
vi /etc/nftables.conf
flush ruleset
table ip nat {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
#iif eth0 tcp dport 80 redirect to :3127
#iif eth0 tcp dport 443 redirect to :3129
iif eth0 tcp dport 443 dnat 127.0.0.1:3129
}
}
systemctl status squid.service systemctl reload squid.service systemctl restart squid.service
tail -F /var/log/squid/*log systemctl reload squid.service netstat -lntup | grep squid
check the plain-text proxy port is reachable
squid=x.x.x.x
nmap -p 8080 $squid
test HTTP traffic
curl --proxy $squid:8080 -I http://httpforever.com/
expected result
1687762590.927 459 192.168.1.111 TCP_MISS/200 909 HEAD http://httpforever.com/ - HIER_DIRECT/146.190.62.39 text/html 1687763608.009 0 192.168.1.111 TCP_MEM_HIT/200 918 HEAD http://httpforever.com/ - HIER_NONE/- text/html
now test HTTPS traffic through HTTPS proxy
curl --proxy $squid:8080 -I https://nethence.com/ # self-signed curl --proxy $squid:8080 -I https://nethence.com/ -k
expected result
1687762613.159 153 192.168.1.111 NONE_NONE/200 0 CONNECT nethence.com:443 - HIER_DIRECT/195.154.162.19 - 1687762613.217 58 192.168.1.111 TCP_MISS/200 289 HEAD https://nethence.com/ - HIER_DIRECT/195.154.162.19 text/html 1687762616.581 141 192.168.1.111 NONE_NONE/200 0 CONNECT nethence.com:443 - HIER_DIRECT/195.154.162.19 - 1687762616.582 0 192.168.1.111 TCP_MEM_HIT/200 295 HEAD https://nethence.com/ - HIER_NONE/- text/html
see sslhappy-proxy
curl: (35) error:0A00010B:SSL routines::wrong version number
==> use http:// (or just the address), not https:// as proxy
https://unix.stackexchange.com/questions/697793/squid-proxy-url-regex-with-ssl-bump
https://squid-users.squid-cache.narkive.com/EdJQ4CS9/squid-4-0-20-does-not-recognize-ssl-bump-option
https://serverfault.com/questions/673506/squid-transparent-proxy-for-https-ssl-trafic
https://stackoverflow.com/questions/23350790/squid3-ssl-bump
https://wiki.squid-cache.org/Features/DynamicSslCert
https://stackoverflow.com/questions/26277752/how-to-setup-ssl-bumping-for-content-adaptation
https://serverfault.com/questions/518092/squid-ssl-bump-with-parent-proxy
https://dev.to/suntong/configuring-ssl-bumping-in-the-squid-service-2e7h
https://serverfault.com/questions/702947/squid3-the-proxy-server-is-refusing-connections
https://serverfault.com/questions/947126/squid-tcp-denied
https://askubuntu.com/questions/539468/squid3-tcp-denied-403-with-timeout-first-up-parent
https://stackoverflow.com/questions/50232235/squid-tcp-denied-403-with-internal-error-page
https://forums.centos.org/viewtopic.php?t=51051
https://serverfault.com/questions/947126/squid-tcp-denied
http://www.squid-cache.org/Doc/config/on_unsupported_protocol/
https://bugzilla.mozilla.org/show_bug.cgi?id=378637#c65
http://www.squid-cache.org/Doc/config/http_port/
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit –> THIS IS THE ONE
https://wiki.squid-cache.org/Features/HTTPS
http://www.squid-cache.org/Doc/config/http_port/
https://wiki.squid-cache.org/Features/SslBump
https://wiki.squid-cache.org/Features/MimicSslServerCert
https://wiki.squid-cache.org/Features/SslPeekAndSplice
http://www.squid-cache.org/Doc/config/ssl_bump/
https://serverfault.com/questions/568620/configure-squid-as-an-https-forward-proxy
https://www.squins.com/knowledge/squid-http-https-ssh-proxy/
https://stackoverflow.com/questions/13151192/how-to-configure-https-support-in-squid3
https://elatov.github.io/2019/01/using-squid-to-proxy-ssl-sites/
https://stackoverflow.com/questions/64460173/squid-ssl-transparent-proxy
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
https://dev.to/suntong/a-short-guide-on-squid-transparent-proxy-ssl-bumping-k5c
https://github.com/alatas/squid-alpine-ssl/blob/master/conf/squid.conf –> old sample config
https://stackoverflow.com/questions/49081633/https-request-using-curl-through-squid-proxy –> curl –proxy
https://bugs.squid-cache.org/show_bug.cgi?id=4327 –> how to test with proxytunnel and s_client
https://docs.trafficserver.apache.org/admin-guide/configuration/transparent-forward-proxying.en.html
https://www.netresec.com/?page=PolarProxy
https://github.com/alatas/squid-alpine-ssl
https://github.com/yegor256/squid-proxy
https://forum.suricata.io/t/encrypted-traffic-inspection/2530/5
https://seclists.org/snort/2012/q1/354 https://seclists.org/snort/2012/q1/378
https://passive.sourceforge.net/
https://resources.infosecinstitute.com/topic/ssl-decryption/ https://github.com/plashchynski/viewssld https://github.com/plashchynski/libdssl –> does not build on debian12
https://wiki.squid-cache.org/SquidFaq/ConfiguringSquid
http://wiki.squid-cache.org/SquidFaq/SquidLogs#Squid_result_codes
http://www.squid-cache.org/Doc/code/LogTags_8h.html
https://serverfault.com/questions/523083/squid-proxy-tcp-miss-all-the-time-not-caching-at-all
https://stackoverflow.com/questions/30170698/tcp-miss-with-squid-proxy
https://stackoverflow.com/questions/65883294/fixing-squid-configuration-for-caching-proxy
http://master.squid-cache.org/Doc/config/ssl_bump/
https://www.reddit.com/r/sysadmin/comments/g4ltus/how_does_peek_splice_stare_bump_work_in_squid/
https://docs.diladele.com/faq/squid/sslbump_squid_windows.html
https://www.smoothnet.org/squid-proxy-with-ssl-bump/
https://support.kaspersky.com/KWTS/6.1/en-US/166244.htm
https://serverfault.com/questions/198422/squid-incorrectly-serving-cache-hit-after-ssl-unwrapping
https://stackoverflow.com/questions/18725987/enable-cache-for-ssl-connection-in-squid
https://wiki.squid-cache.org/Features/SslBump
http://marek.helion.pl/install/squid.html
http://lists.squid-cache.org/pipermail/squid-users/2018-September/thread.html#19150
https://wiki.squid-cache.org/Features/SslPeekAndSplice
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit
https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpWithIntermediateCA
https://dev.to/suntong/using-squid-to-proxy-ssl-sites-nj3
https://dev.to/suntong/squid-proxy-and-ssl-bump-summary-5cao
http://www.squid-cache.org/Doc/config/ssl_bump/
acl intermediate_fetching transaction_initiator certificate-fetching http_access allow intermediate_fetching
https://support.kaspersky.com/KWTS/6.1/en-US/166244.htm
https://dominikrys.com/posts/squid-transparent-proxy/