Squid Cache with SSL Bump

squid cache | ssl bump | targeted mitm

Introduction

Even with SSL Bump enabled, the proxy listener itself (port 8080 below) remains clear-text. That is not a big issue, since the tunnelled HTTPS traffic is still TLS-protected on the client side. Note that you will have to deploy your CA certificate (the one generated below) to users' workstations, since the proxy re-signs every server certificate with it.

Setup

assuming you already have Squid up and running

apt install squid-openssl # replaces the squid package

ls -al /var/spool/squid/ssl_db/ # does not exist yet
/usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 16MB
chown -R proxy:proxy /var/spool/squid/ssl_db/

cd /etc/ssl/
openssl req -x509 -days 365 -nodes \
        -newkey ec:<(openssl ecparam -name prime256v1) \
        -keyout prime256v1.key \
        -out prime256v1.crt
cd -

vi /etc/squid/squid.conf

acl step1 at_step SslBump1

http_port 8080 ssl-bump \
        tls-cert=/etc/ssl/prime256v1.crt tls-key=/etc/ssl/prime256v1.key \
        generate-host-certificates=on dynamic_cert_mem_cache_size=16MB

https_port 3129 intercept ssl-bump \
        tls-cert=/etc/ssl/prime256v1.crt tls-key=/etc/ssl/prime256v1.key \
        generate-host-certificates=on dynamic_cert_mem_cache_size=16MB

ssl_bump peek step1
ssl_bump bump all

Transparent proxy

on the squid machine

become a router

vi /etc/sysctl.conf

# ssl-interception on the fly
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.eth0.route_localnet = 1

sysctl -p

enable the interception

vi /etc/nftables.conf

flush ruleset

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        #iif eth0 tcp dport 80 redirect to :3127
        #iif eth0 tcp dport 443 redirect to :3129
        iif eth0 tcp dport 443 dnat 127.0.0.1:3129
    }
}

Ready to go

systemctl status squid.service

systemctl reload squid.service

systemctl restart squid.service

Operations

tail -F /var/log/squid/*log

systemctl reload squid.service

netstat -lntup | grep squid

Acceptance

check the plain-text proxy port is reachable

squid=x.x.x.x
nmap -p 8080 $squid

test HTTP traffic

curl --proxy $squid:8080 -I http://httpforever.com/

expected result

1687762590.927    459 192.168.1.111 TCP_MISS/200 909 HEAD http://httpforever.com/ - HIER_DIRECT/146.190.62.39 text/html
1687763608.009      0 192.168.1.111 TCP_MEM_HIT/200 918 HEAD http://httpforever.com/ - HIER_NONE/- text/html

now test HTTPS traffic through the same (plain-text) proxy port

curl --proxy $squid:8080 -I https://nethence.com/ # self-signed
curl --proxy $squid:8080 -I https://nethence.com/ -k

expected result

1687762613.159    153 192.168.1.111 NONE_NONE/200 0 CONNECT nethence.com:443 - HIER_DIRECT/195.154.162.19 -
1687762613.217     58 192.168.1.111 TCP_MISS/200 289 HEAD https://nethence.com/ - HIER_DIRECT/195.154.162.19 text/html
1687762616.581    141 192.168.1.111 NONE_NONE/200 0 CONNECT nethence.com:443 - HIER_DIRECT/195.154.162.19 -
1687762616.582      0 192.168.1.111 TCP_MEM_HIT/200 295 HEAD https://nethence.com/ - HIER_NONE/- text/html
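To turn the two expected results above into a repeatable check, here is an added example (not part of the original page) that parses Squid's native access.log format and reports, per host, whether HTTPS traffic was actually bumped (an https:// URL logged after the CONNECT, which is only possible once the proxy has unwrapped the TLS session), merely tunnelled (CONNECT lines only, i.e. spliced or not intercepted), or plain HTTP. It also counts cache hits on https:// URLs, which is what the TCP_MEM_HIT line above demonstrates. The sample log is constructed from the page's own lines plus one made-up tunnel-only entry (the host name and TEST-NET address are placeholders).

```python
"""Classify Squid access.log lines to confirm SSL Bump is actually decrypting.

Added example (not part of the original page): parses the native access.log
format shown in the expected results above and reports, per host, whether
HTTPS traffic was bumped (decrypted URLs logged after the CONNECT), merely
tunnelled (only CONNECT lines, i.e. spliced or not intercepted), or plain HTTP.
"""
import sys
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: the page's expected-result lines plus one constructed
# tunnel-only entry (placeholder host, TEST-NET address) for the "not bumped" case.
SAMPLE_LOG = """\
1687762590.927    459 192.168.1.111 TCP_MISS/200 909 HEAD http://httpforever.com/ - HIER_DIRECT/146.190.62.39 text/html
1687762613.159    153 192.168.1.111 NONE_NONE/200 0 CONNECT nethence.com:443 - HIER_DIRECT/195.154.162.19 -
1687762613.217     58 192.168.1.111 TCP_MISS/200 289 HEAD https://nethence.com/ - HIER_DIRECT/195.154.162.19 text/html
1687762616.581    141 192.168.1.111 NONE_NONE/200 0 CONNECT nethence.com:443 - HIER_DIRECT/195.154.162.19 -
1687762616.582      0 192.168.1.111 TCP_MEM_HIT/200 295 HEAD https://nethence.com/ - HIER_NONE/- text/html
1687762700.000    120 192.168.1.111 TCP_TUNNEL/200 5120 CONNECT notbumped.example:443 - HIER_DIRECT/203.0.113.10 -
"""


def parse_line(line):
    """Split one native-format line into its fields; None if it is not one."""
    fields = line.split()
    if len(fields) < 10:
        return None
    tag, _, status = fields[3].partition("/")
    try:
        return {
            "time": float(fields[0]),
            "elapsed_ms": int(fields[1]),
            "client": fields[2],
            "tag": tag,             # TCP_MISS, TCP_MEM_HIT, NONE_NONE, TCP_TUNNEL ...
            "status": int(status),  # HTTP status code
            "bytes": int(fields[4]),
            "method": fields[5],
            "url": fields[6],
            "peer": fields[8],      # HIER_DIRECT/ip or HIER_NONE/-
            "mime": fields[9],
        }
    except ValueError:
        return None


def host_of(entry):
    """Host name for either a CONNECT target (host:port) or a full URL."""
    if entry["method"] == "CONNECT":
        return entry["url"].rsplit(":", 1)[0]
    return urlsplit(entry["url"]).hostname


def classify(log_text):
    """Return {host: 'bumped' | 'tunneled' | 'plain'}."""
    connect, https, http = set(), set(), set()
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        if e["method"] == "CONNECT":
            connect.add(host_of(e))
        elif e["url"].startswith("https://"):
            https.add(host_of(e))
        elif e["url"].startswith("http://"):
            http.add(host_of(e))
    # An https:// URL can only be logged if the proxy unwrapped the TLS session;
    # a host that shows nothing but CONNECT lines was passed through opaque.
    result = {h: ("bumped" if h in https else "tunneled") for h in connect | https}
    for h in http:
        result.setdefault(h, "plain")
    return result


def https_cache_stats(log_text):
    """Cache hits vs misses on https:// URLs: a HIT here proves bumped content is cached."""
    stats = defaultdict(lambda: {"hit": 0, "miss": 0})
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None or not e["url"].startswith("https://"):
            continue
        if "HIT" in e["tag"]:
            stats[host_of(e)]["hit"] += 1
        elif "MISS" in e["tag"]:
            stats[host_of(e)]["miss"] += 1
    return dict(stats)


if __name__ == "__main__":
    # Pass a real access.log path as the first argument; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for host, state in sorted(classify(text).items()):
        print(f"{host:24s} {state}")
    for host, s in sorted(https_cache_stats(text).items()):
        print(f"{host:24s} https hits={s['hit']} misses={s['miss']}")
```

Run it against /var/log/squid/access.log after the curl tests: a host you expect to be bumped but that only shows up as "tunneled" means the ssl_bump rules did not apply to it (or the client never trusted the generated certificate and aborted the handshake), which is the first thing to look at before touching caching.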

SSL acceptance

see sslhappy-proxy

Troubleshooting

curl: (35) error:0A00010B:SSL routines::wrong version number

==> use http:// (or just the address), not https://, as the proxy URL: the proxy port speaks plain HTTP

Resources

https://unix.stackexchange.com/questions/697793/squid-proxy-url-regex-with-ssl-bump

https://unix.stackexchange.com/questions/613359/setting-up-squid-transparent-proxy-with-ssl-bumping-on-debian-10

https://squid-users.squid-cache.narkive.com/EdJQ4CS9/squid-4-0-20-does-not-recognize-ssl-bump-option

https://serverfault.com/questions/673506/squid-transparent-proxy-for-https-ssl-trafic

https://stackoverflow.com/questions/23350790/squid3-ssl-bump

https://wiki.squid-cache.org/Features/DynamicSslCert

https://stackoverflow.com/questions/26277752/how-to-setup-ssl-bumping-for-content-adaptation

https://serverfault.com/questions/518092/squid-ssl-bump-with-parent-proxy

tutorials

https://dev.to/suntong/configuring-ssl-bumping-in-the-squid-service-2e7h

acls

https://stackoverflow.com/questions/10895711/squid-proxy-howto-allow-tcp-connect-getting-tcp-denial-400-with-err-invalid

troubles

https://serverfault.com/questions/702947/squid3-the-proxy-server-is-refusing-connections

https://serverfault.com/questions/947126/squid-tcp-denied

https://askubuntu.com/questions/539468/squid3-tcp-denied-403-with-timeout-first-up-parent

https://stackoverflow.com/questions/50232235/squid-tcp-denied-403-with-internal-error-page

https://forums.centos.org/viewtopic.php?t=51051

https://askubuntu.com/questions/1051554/squid-tcp-denied-403-4037-get-http-detectportal-firefox-com-success-txt-hier

http://www.squid-cache.org/Doc/config/on_unsupported_protocol/

https://serverfault.com/questions/1081762/squid-connection-reset-by-peer-tls-code-squid-err-ssl-handshake

https://bugzilla.mozilla.org/show_bug.cgi?id=378637#c65

http://www.squid-cache.org/Doc/config/http_port/

https://stackoverflow.com/questions/50840101/curl-35-error1408f10bssl-routinesssl3-get-recordwrong-version-number

ssl bump

https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit --> THIS IS THE ONE

https://wiki.squid-cache.org/Features/HTTPS

https://wiki.squid-cache.org/Features/SslBump

https://wiki.squid-cache.org/Features/MimicSslServerCert

https://wiki.squid-cache.org/Features/SslPeekAndSplice

http://www.squid-cache.org/Doc/config/ssl_bump/

https://serverfault.com/questions/568620/configure-squid-as-an-https-forward-proxy

https://www.squins.com/knowledge/squid-http-https-ssh-proxy/

https://stackoverflow.com/questions/13151192/how-to-configure-https-support-in-squid3

https://elatov.github.io/2019/01/using-squid-to-proxy-ssl-sites/

https://stackoverflow.com/questions/64460173/squid-ssl-transparent-proxy

https://medium.com/@steensply/installing-and-configuring-squid-proxy-for-ssl-bumping-or-peek-n-splice-34afd3f69522

https://dev.to/suntong/a-short-guide-on-squid-transparent-proxy-ssl-bumping-k5c

https://github.com/alatas/squid-alpine-ssl/blob/master/conf/squid.conf --> old sample config

acceptance

https://stackoverflow.com/questions/49081633/https-request-using-curl-through-squid-proxy --> curl --proxy

https://bugs.squid-cache.org/show_bug.cgi?id=4327 --> how to test with proxytunnel and s_client

alternatives

https://docs.trafficserver.apache.org/admin-guide/configuration/transparent-forward-proxying.en.html

https://www.netresec.com/?page=PolarProxy

https://github.com/alatas/squid-alpine-ssl

https://github.com/yegor256/squid-proxy

https://www.netresec.com/?page=Blog&month=2020-01&post=Sniffing-Decrypted-TLS-Traffic-with-Security-Onion

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/inspecting-encrypted-network-traffic-with-ja3/

https://forum.suricata.io/t/encrypted-traffic-inspection/2530/5

https://seclists.org/snort/2012/q1/354 https://seclists.org/snort/2012/q1/378

https://passive.sourceforge.net/

https://resources.infosecinstitute.com/topic/ssl-decryption/

https://github.com/plashchynski/viewssld https://github.com/plashchynski/libdssl --> does not build on debian12

https://wiki.squid-cache.org/SquidFaq/ConfiguringSquid

http://wiki.squid-cache.org/SquidFaq/SquidLogs#Squid_result_codes

http://www.squid-cache.org/Doc/code/LogTags_8h.html

https://serverfault.com/questions/523083/squid-proxy-tcp-miss-all-the-time-not-caching-at-all

https://stackoverflow.com/questions/30170698/tcp-miss-with-squid-proxy

https://stackoverflow.com/questions/65883294/fixing-squid-configuration-for-caching-proxy

http://master.squid-cache.org/Doc/config/ssl_bump/

https://www.reddit.com/r/sysadmin/comments/g4ltus/how_does_peek_splice_stare_bump_work_in_squid/

https://docs.diladele.com/faq/squid/sslbump_squid_windows.html

https://www.smoothnet.org/squid-proxy-with-ssl-bump/

https://support.kaspersky.com/KWTS/6.1/en-US/166244.htm

https://serverfault.com/questions/198422/squid-incorrectly-serving-cache-hit-after-ssl-unwrapping

https://stackoverflow.com/questions/18725987/enable-cache-for-ssl-connection-in-squid

http://marek.helion.pl/install/squid.html

http://lists.squid-cache.org/pipermail/squid-users/2018-September/thread.html#19150

https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpWithIntermediateCA

https://dev.to/suntong/using-squid-to-proxy-ssl-sites-nj3

https://dev.to/suntong/squid-proxy-and-ssl-bump-summary-5cao

acl intermediate_fetching transaction_initiator certificate-fetching
http_access allow intermediate_fetching

https://dominikrys.com/posts/squid-transparent-proxy/

Copyright © 2023 Pierre-Philipp Braun