SQUID TRANSPARENT PROXY FOR HTTP / HTTPS


The following are the steps involved in installing the Squid proxy in transparent mode, and the troubleshooting I went through during the installation.

Infrastructure:

[Infrastructure diagram: Vkarthi_IT_Squid]

The following are the prerequisites on RHEL 6.7 before installing Squid:

  1. Disable SELinux by editing /etc/selinux/config (#vim /etc/selinux/config)
  2. Enable IP forwarding (net.ipv4.ip_forward = 1) in /etc/sysctl.conf
  3. Enable the EPEL repo:

a. #cd /root/
   #wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

b. #rpm -Uvh epel-release-6-8.noarch.rpm

c. Create the Squid repo file as follows:

d. #cd /etc/yum.repos.d

e. #vi squid.repo

   Enter the following text in the squid.repo file:

[squid]
name=Squid repo for CentOS Linux - $basearch
#IL mirror
baseurl=http://www1.ngtech.co.il/repo/centos/$releasever/$basearch/
failovermethod=priority
enabled=1
gpgcheck=0

(gpgcheck=0 means packages from this third-party repository are installed without signature verification.)

  4. Run #yum update

Installation of SQUID

#yum install perl-Crypt-OpenSSL-X509 (this package must install successfully, otherwise HTTPS sites will not work).

#yum install -y squid

Install the squid-helpers package from the URL: http://www1.ngtech.co.il/repo/centos/6/x86_64/squid-helpers-3.5.19-1.el6.x86_64.rpm

# wget http://www1.ngtech.co.il/repo/centos/6/x86_64/squid-helpers-3.5.19-1.el6.x86_64.rpm

# yum install -y squid-helpers-3.5.19-1.el6.x86_64.rpm

Now initialize the Squid ssl_db directory with the following command:

#/usr/lib/squid/ssl_crtd -c -s /var/lib/ssl_db

Assign ownership of it to the squid user:

#chown -R squid.squid /var/lib/ssl_db

Edit /etc/squid/squid.conf and add the following configuration.

Define your local source network:

acl localnet src 192.168.201.0/24

Enable and define the ports in squid.conf:

acl SSL_ports port 443

acl Safe_ports port 80 # http

acl Safe_ports port 21 # ftp

acl Safe_ports port 443 # https

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow all

http_port 3130

http_port 3128 intercept

https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem

#always_direct allow all

ssl_bump server-first all

#sslproxy_cert_error deny all

#sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

sslcrtd_children 8 startup=1 idle=1

coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.

refresh_pattern ^ftp: 1440 20% 10080

refresh_pattern ^gopher: 1440 0% 1440

refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

refresh_pattern . 0 20% 4320
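A quick sanity check for the configuration above, as an added example that is not part of the original tutorial: it reads the three settings in this file that matter most for safety (http_access allow all admits any host that can reach the proxy ports, an active sslproxy_flags DONT_VERIFY_PEER disables upstream certificate checks, and the key= file on https_port is the CA key every client will trust). It assumes the directives are written exactly as above.

```shell
#!/bin/sh
# Lint a squid.conf written for transparent HTTPS interception.
# Added example, not from the original tutorial. Prints one WARN line
# per finding and returns the number of findings.
check_squid_conf() {
    conf="$1"
    findings=0

    # "http_access allow all" admits every client that can reach ports
    # 3128-3130; with only this rule the box is an open proxy for any
    # network that can route to it. Prefer "http_access allow localnet".
    if grep -Eq '^[[:space:]]*http_access[[:space:]]+allow[[:space:]]+all' "$conf"; then
        echo "WARN: 'http_access allow all' - proxy accepts any client that can reach it"
        findings=$((findings + 1))
    fi

    # An uncommented DONT_VERIFY_PEER makes Squid accept any upstream
    # certificate, so clients lose all protection against forged servers.
    if grep -Eq '^[[:space:]]*sslproxy_flags.*DONT_VERIFY_PEER' "$conf"; then
        echo "WARN: 'sslproxy_flags DONT_VERIFY_PEER' is active"
        findings=$((findings + 1))
    fi

    # The key= file on the https_port line is the CA private key that
    # every client trusts; anyone who can read it can mint certificates
    # for any site. It must exist and must not be world-readable.
    key=$(grep -E '^[[:space:]]*https_port' "$conf" \
          | sed -n 's/.*key=\([^ ]*\).*/\1/p' | head -n 1)
    if [ -z "$key" ]; then
        echo "WARN: no https_port line with a key= option"
        findings=$((findings + 1))
    elif [ ! -f "$key" ]; then
        echo "WARN: CA key '$key' does not exist"
        findings=$((findings + 1))
    elif [ "$(ls -l "$key" | cut -c8)" = "r" ]; then
        # column 8 of ls -l is the "other" read bit
        echo "WARN: CA key '$key' is world-readable"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Stand-alone use: sh check.sh /etc/squid/squid.conf
if [ -n "${1:-}" ]; then
    check_squid_conf "$1"
fi
```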

Generate Certificate for SQUID using OpenSSL

Go to the Squid directory, create the certificate folder and generate the keys:

#mkdir /etc/squid/ssl_cert

#chown -R squid.squid /etc/squid/ssl_cert

#cd /etc/squid/ssl_cert

Generate the self-signed CA certificate and its key with the following command (both are written to myca.pem):

#openssl req -new -newkey rsa:1024 -days 1365 -nodes -x509 -keyout myca.pem -out myca.pem

Convert the certificate to DER format for Windows clients:

#openssl x509 -in myca.pem -outform DER -out myca.der

Now enable Squid on all run levels and start the squid service:

#chkconfig squid on

#/etc/init.d/squid start

Redirect HTTP and HTTPS traffic from the router/firewall to the proxy:

#iptables -t nat -A PREROUTING -p tcp -s 192.168.201.0/24 --dport 80 -j DNAT --to-destination 192.168.201.250:3128

#iptables -t nat -A PREROUTING -p tcp -s 192.168.201.0/24 --dport 443 -j DNAT --to-destination 192.168.201.250:3129

Save the iptables configuration:

#/etc/init.d/iptables save

On Windows Client Configuration

We need to copy the /etc/squid/ssl_cert/myca.der file to our Windows clients.

For Internet Explorer:

Tools -> Internet Options -> Content -> Certificates. Click Import, select the myca.der file, and make sure that you import it into Trusted Root Certification Authorities.

For Mozilla Firefox:

Tools -> Options -> Advanced -> Certificates -> View Certificates -> Import

(x) Trust this CA to identify websites

(x) Trust this CA to identify email users

(x) Trust this CA to identify software developers

Click OK and you are done.

NOTE: If the main certificate for Squid expires and you generate a new one, don't forget to delete the old certificates in /var/lib/ssl_db/certs, empty the file /var/lib/ssl_db/index.txt, and set the number inside the file /var/lib/ssl_db/size to 0.

In our infrastructure the bind service is not required for name resolution.

Analysis:

In my experience, Squid as a transparent proxy for HTTP and HTTPS works with Squid version 3.5.19, while lower versions of Squid seem to have some bugs.

Below are the entries showing the bugs we came across with the older versions of Squid, from /var/log/squid/access.log:

1301567341.317 23434 192.168.100.165 TCP_MISS/200 957 POST http://by2msg3010710.by2.gateway.edg…y/gateway.dll? - DIRECT/64.4.34.80 text/html
1301567341.896 531 192.168.100.165 TCP_MISS/200 1056 POST http://by2msg3010710.by2.gateway.edg…y/gateway.dll? - DIRECT/64.4.34.80 text/html
1301567344.042 770 192.168.100.155 TCP_MISS/200 1117 POST http://www.facebook.com/ajax/chat/buddy_list.php? - DIRECT/69.63.190.18 application/x-javascript
1301567347.991 414 192.168.100.161 TCP_MISS/200 316 POST http://oss-content.securestudies.com/cidpost - DIRECT/165.193.73.40 text/plain
1301567351.115 494 192.168.100.161 TCP_MISS/200 316 POST http://oss-content.securestudies.com/cidpost - DIRECT/165.193.73.40 text/plain
1301567352.986 412 192.168.100.161 TCP_MISS/200 316 POST http://oss-content.securestudies.com/cidpost - DIRECT/165.193.73.40 text/plain
1301567354.288 555 192.168.100.150 TCP_MISS/200 6079 GET http://www.google.com.sa/ - DIRECT/209.85.147.104 text/html
1301567354.516 37 192.168.100.150 TCP_MISS/302 683 GET http://www.google.com.sa/gen_204? - DIRECT/209.85.147.104 text/html
1301567354.773 254 192.168.100.150 TCP_MISS/204 367 GET http://www.google.com.sa/gen_204? - DIRECT/209.85.147.104 text/html
1301567354.842 161 192.168.100.150 TCP_MISS/302 856 GET http://www.google.com.sa/csi? - DIRECT/209.85.147.106 text/html
1301567355.165 320 192.168.100.150 TCP_MISS/204 413 GET http://www.google.com.sa/csi? - DIRECT/209.85.147.106 text/html
1301567355.234 456 192.168.100.150 TCP_MISS/204 322 GET http://clients1.google.com.sa/generate_204 - DIRECT/74.125.230.163 text/html
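To make access.log output like the above easier to read while troubleshooting, here is an added example (not part of the original post) that summarises Squid native-format log lines per client and by result code. The sample lines it carries are constructed in the same format, with made-up hosts and server addresses.

```shell
#!/bin/sh
# Summarise Squid native-format access.log lines when troubleshooting
# interception. Added example, not from the original post. Field order:
# timestamp elapsed client action/code size method URL ident hierarchy/from type

# Constructed sample lines (hosts and server addresses are made up).
sample_log() {
    cat <<'EOF'
1301567354.288 555 192.168.100.150 TCP_MISS/200 6079 GET http://www.example.com/ - DIRECT/203.0.113.10 text/html
1301567354.516 37 192.168.100.150 TCP_MISS/302 683 GET http://www.example.com/login - DIRECT/203.0.113.10 text/html
1301567355.234 456 192.168.100.150 TCP_MEM_HIT/200 322 GET http://www.example.com/logo.png - NONE/- image/png
1301567347.991 414 192.168.100.161 TCP_MISS/200 316 POST http://api.example.net/cidpost - DIRECT/203.0.113.20 text/plain
1301567351.115 494 192.168.100.161 TCP_MISS/200 1117 GET https://secure.example.org/account - DIRECT/203.0.113.30 text/html
EOF
}

# Per client: total requests, cache misses, and requests logged with an
# https:// URL. With ssl-bump working, bumped HTTPS requests appear as
# https:// URLs; a client that browses HTTPS sites but shows https=0 is
# a sign that interception on port 3129 is not taking effect.
summarize_access_log() {
    awk '
        { req[$3]++ }
        $4 ~ /^TCP_MISS/ { miss[$3]++ }
        $7 ~ /^https:/   { https[$3]++ }
        END {
            for (c in req)
                printf "%s requests=%d misses=%d https=%d\n", c, req[c], miss[c] + 0, https[c] + 0
        }' | LC_ALL=C sort
}

# Histogram of the action/status field, useful for spotting a flood of
# TCP_MISS or error responses after a configuration change.
status_histogram() {
    awk '{ n[$4]++ } END { for (s in n) printf "%s %d\n", s, n[s] }' \
        | LC_ALL=C sort
}

# Stand-alone use on a real log: summarize_access_log < /var/log/squid/access.log
sample_log | summarize_access_log
sample_log | status_histogram
```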