
Squid https?

38 posts in this topic

Does anyone know how to configure HTTPS for Squid 2.7? I cannot seem to get it working; I'm looking online and nothing seems to be helping.

I have set up the firewall to forward 443 to port 3130 on the Squid proxy... and I have set up certificates :( gaahhh help me people!!! this is bugging me

I'm not trying to block HTTPS... I am trying to get Squid to allow HTTPS through itself, so I can then control access to websites... the access control and HTTP were easy... but I cannot seem to get HTTPS to work; this is a Squid matter.

Thanks, but no :( Sadly I've tried so many things to get this working and I don't know why it isn't. If there is a Squid expert, I'd be happy to share my full config.

So you are trying to filter via transparent proxy vs explicit proxy (i.e. set on the browser to point to the proxy)?

If I recall correctly that is not even possible with 2.7.. Why would you be running such an old version of Squid? I believe with 3.1 you can use SslBump - or Squid in the Middle ;)

http://wiki.squid-cache.org/Features/SslBump

2.7 is from what, 2008?? 3.4 is current.

The browser does not point there, no; the Linux (Debian) box acts as a router and eth0 (the network) is routed to eth1 ("wan"). HTTP is then cached and blocked via Squid and now I'm trying HTTPS... I thought I had it set up right using crts and keys on port 3130 (HTTP 3128) but it just keeps saying no connection can be made...

The routing via Squid is done using iptables and obviously the connection of the network is done using route.

I tried using Squid 3.1 but it kept saying the caching was not initialised and I couldn't get the SslBump to work (I'm assuming I have to install it with enable_ssl?) but I could never get it :((((((((((((( 1 million sad faces... I've looked at every single guide going and have found little that can help me... my HTTP caching works perfectly btw. I know it's a simple MitM, but I have never done one using certs, only forced people off SSL, but SSL is required :(

Again -- I do not believe 2.7 even supports SslBump.. You need to be running at minimum 3.1, which is when that was introduced. Some things say it doesn't really work until 3.2, etc..

Why don't you just install the current 3.4?

Here is a walkthrough of setting up 3.3.10 on Debian

http://pen-testing-lab.blogspot.com/2013/11/squid-3310-transparent-proxy-for-http.html

I would go with the above walkthrough but using the current source, which I believe is 3.4.5.

Thanks budman :) I will give this a try Monday and post back my results :) (I'm away for the weekend)

Cheers, I got it working! Though there is the small issue of Google Chrome refusing the connection completely because it obviously doesn't trust the certificate. Any suggestion to overcome it?

This isn't even the worst of my problems now; the HTTP caching isn't working :@ :'(

What do you need caching for in the first place - nothing is static these days ;)

What version did you install? What OS are you installing it on?

If you want to do MITM, then yeah, the browser has to trust the cert you're going to present.. Install the CA root of the cert you're using in the browser.

Looking at the steps a bit deeper on that guide, did your cache get created correctly.. I don't think it would work with those chown only in the log section. Did you edit the .conf to enable cache?

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256

Pretty sure it's commented out by default.. etc..

I'm fine with the MitM right now lol, I can fix that later... I'm on Squid 3.3.11, using Debian... I know nothing is static nowadays xD but my tests show that it is beneficial; either way I need it. Plus it appears I'm getting an error "error no forward-proxy ports configured".

Yeah, you'll need to disable certificate pinning (if it's even possible); it's an extra layer of security and it's picking up on your "attack".

As to your cache, and why not current?? Why are you on 3.3 when 3.4.5 is current?

You're going to have to edit the conf to enable cache, and then you're going to need to do -z so it creates them.. Did you see something like this

2014/06/09 06:50:46 kid1| Creating missing swap directories
2014/06/09 06:50:46 kid1| /usr/local/squid/var/cache/squid exists
2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/00
2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/01
2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/02
2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/03
2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/04

Then as to validation of hitting cache - it's probably going to just give you mem hits.. I fired up a copy to play with

root@cleanlinux:/usr/local/squid/var/logs# grep TCP_MEM_HIT /usr/local/squid/var/logs/access.log
1402315681.533      0 127.0.0.1 TCP_MEM_HIT/200 9053 GET http://www.squid-cache.org/ - HIER_NONE/- text/html
1402316047.051      0 192.168.1.100 TCP_MEM_HIT/200 9058 GET http://www.squid-cache.org/ - HIER_NONE/- text/html
1402316047.085      0 192.168.1.100 TCP_MEM_HIT/200 3998 GET http://www.squid-cache.org/default.css - HIER_NONE/- text/css
1402316106.725      0 192.168.1.100 TCP_MEM_HIT/200 11522 GET http://cdn.sstatic.net/Js/stub.en.js? - HIER_NONE/- application/javascript
1402316106.726      2 192.168.1.100 TCP_MEM_HIT/200 33845 GET http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js - HIER_NONE/- text/javascript
1402316106.726      1 192.168.1.100 TCP_MEM_HIT/200 36498 GET http://cdn.sstatic.net/askubuntu/all.css? - HIER_NONE/- text/css
1402316106.766      0 192.168.1.100 TCP_MEM_HIT/200 1718 GET http://cdn.sstatic.net/askubuntu/img/favicon.ico? - HIER_NONE/- image/x-icon
1402316107.029      2 192.168.1.100 TCP_MEM_HIT/200 16099 GET http://cdn.sstatic.net/_fonts/ubuntu/ubuntu-R-webfont.woff? - HIER_NONE/- font/x-woff
1402316107.030      1 192.168.1.100 TCP_MEM_HIT/200 28355 GET http://cdn.sstatic.net/Js/full-anon.en.js? - HIER_NONE/- application/javascript
1402316107.030      2 192.168.1.100 TCP_MEM_HIT/200 44206 GET http://cdn.sstatic.net/_fonts/ubuntu/ubuntu-L-webfont.woff? - HIER_NONE/- font/x-woff
1402316107.176      0 192.168.1.100 TCP_MEM_HIT/200 3275 GET http://cdn.sstatic.net/Js/post-validation.en.js? - HIER_NONE/- application/javascript

See, those are via the log.. those are cache hits.. but just out of memory, not disk..

When I get a chance I will walk through the rest of that guide - but so far it is a bit lacking from the first couple of commands; maybe that older version had cache on by default? But you need to edit the conf in the current one to uncomment it.
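Grepping for TCP_MEM_HIT, as above, only answers one question. The following is an added example (not posted in this thread and not part of Squid) that parses the same default "squid" logformat and reports the hit ratio per result code plus every TCP_DENIED request grouped by client, which is the record you want when checking that a block rule is actually being enforced. The log lines inside it are constructed to look like the ones above (203.0.113.0/24 is a documentation range, not a real peer).

```python
"""Summarise a Squid native-format access.log: cache hit ratio and denied requests.

Added example, not from the thread or the Squid project. Field layout is Squid's
default "squid" logformat:
  timestamp elapsed_ms client result/status bytes method url ident hierarchy/peer type
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real traffic); mirrors the shape of the grep output above.
SAMPLE_LOG = """\
1402316047.051      0 192.168.1.100 TCP_MEM_HIT/200 9058 GET http://www.squid-cache.org/ - HIER_NONE/- text/html
1402316047.085      0 192.168.1.100 TCP_MEM_HIT/200 3998 GET http://www.squid-cache.org/default.css - HIER_NONE/- text/css
1402316106.725    312 192.168.1.100 TCP_MISS/200 11522 GET http://example.com/app.js - HIER_DIRECT/203.0.113.10 application/javascript
1402316107.030      5 192.168.1.100 TCP_HIT/200 28355 GET http://example.com/all.css - HIER_NONE/- text/css
1402316110.001      0 192.168.1.101 TCP_DENIED/403 3571 GET http://neowin.net/ - HIER_NONE/- text/html
1402316111.420    210 192.168.1.101 TCP_MISS/200 1718 CONNECT www.example.org:443 - HIER_DIRECT/203.0.113.10 -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for one access.log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec


def parse_log(text):
    """Parse every line of an access.log, silently skipping unparseable ones."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarise(records):
    """Per-result counts, cache hit ratio, and denied URLs grouped by client address."""
    by_result = Counter(r["result"] for r in records)
    # TCP_HIT, TCP_MEM_HIT, TCP_REFRESH_HIT, ... were all served from cache.
    hits = sum(n for code, n in by_result.items() if "HIT" in code)
    total = len(records)
    denied = defaultdict(list)
    for r in records:
        if r["result"] == "TCP_DENIED":
            denied[r["client"]].append(r["url"])
    return {
        "by_result": dict(by_result),
        "hit_ratio": hits / total if total else 0.0,
        "denied": dict(denied),
    }


if __name__ == "__main__":
    report = summarise(parse_log(SAMPLE_LOG))
    print("results:", report["by_result"])
    print("hit ratio: %.2f" % report["hit_ratio"])
    for client, urls in report["denied"].items():
        print("denied for %s: %s" % (client, ", ".join(urls)))
```

To run it against a real log, replace SAMPLE_LOG with the contents of /usr/local/squid/var/logs/access.log; lines in a custom logformat will be skipped rather than mis-read, so check that the line count matches before trusting the ratio.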

I followed the guide on the link; it seemed to work well but the cache would never initialise :( I've got all day so I'll uninstall and try again lol. Like I said, I have cache working in 2.7 but not 3+; it's never liked it, which is why I stuck to 2.7, then hit the SSL wall. I keep trying to find a way to SSL-enable using apt-get because I'm lazy and hate waiting for ./configure xD

I guess I must just be missing something in the config... I normally go in, have my iptables set etc etc and just set http 2128 to transparent and done, Squid is in charge... with Squid 3 it won't even let Squid block websites; the proxy rules don't matter.

What did you put in the config to block?

It's as simple as something like this

acl testblock dstdomain neowin.net
http_access deny testblock

Then get this

[attached image: block.png]
Yeah, I get that with 2.7 :P with 3+ it just ignores the proxy apart from the certs, and goes to whatever web pages it pleases. I'm trying again now (sorry for the delayed reply; for some reason today everyone in the office needs wireless APs configured, it's like my 6th one in an hour)

Sounds like a managed wireless system is needed rather than individual APs.

haha nahh, different departments and technologies; they are not for general staff use lol

But yeah, anyway, I am getting this

Initializing the Squid cache with the command /usr/local/squid/sbin/squid -f /usr/local/squid/etc/squid.conf -z ..
2014/06/09 16:04:15 kid1| Set Current Directory to /usr/local/squid/var/cache/squid
2014/06/09 16:04:15 kid1| Creating missing swap directories
2014/06/09 16:04:15 kid1| No cache_dir stores are configured.

I am sorry to add this as it's a bit of a hijack, but

can you use Squid to block a custom list of websites so that it will only affect those computers pointed at the proxy?

That command is not working.. or you would have seen stuff like I posted

2014/06/09 06:50:46 kid1| Creating missing swap directories
2014/06/09 06:50:46 kid1| /usr/local/squid/var/cache/squid exists
2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/00
2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/01
2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/02
2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/03

You probably have a permissions issue.. or you didn't configure the .conf

2014/06/09 16:04:15 kid1| No cache_dir stores are configured.

Did you uncomment the line I pointed to before in your .conf?

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256

As to using Squid, yeah, if you are using explicit mode - i.e. pointing to the proxy, then only those applications that point to the proxy would be subject to any ACLs you have set up.

I managed to get this in the end, but once I did the SSL part of the walkthrough everything stopped working again :@ my block lists don't work

 

Yes you can, but I use a whitelist rather than black. With Squid, if you have your Linux set as a router with Squid sat on the Linux router and pass everything through it, you can select which clients the rules apply to.
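Both the `acl testblock dstdomain neowin.net` / `http_access deny testblock` pair posted earlier and the per-client whitelist described here depend on three Squid rules that are easy to get wrong: a dstdomain value without a leading dot matches only that exact host (`.neowin.net` matches the domain and its subdomains), http_access lines are tested in order and the first line whose ACLs all match decides, and when nothing matches the default is the opposite of the last http_access line. The following is an added example (not from this thread and not Squid's own code) that models those documented semantics in Python over a constructed squid.conf fragment, so a rule set can be reasoned about before it is loaded; `!` negation, other ACL types and `all` as anything but a match-everything ACL are not modelled.

```python
"""Model of Squid `acl src` / `acl dstdomain` matching and `http_access` evaluation.

Added example; reproduces the documented semantics, it is not Squid's own parser.
"""
import ipaddress

# Constructed config: block one domain for everyone, allow only a whitelist for
# one locked-down client, allow the rest of the LAN, deny everything else.
SAMPLE_CONF = """\
acl localnet src 192.168.1.0/24
acl locked_down src 192.168.1.50
acl testblock dstdomain .neowin.net
acl allowed_sites dstdomain .example.com www.squid-cache.org
http_access deny testblock
http_access allow locked_down allowed_sites
http_access deny locked_down
http_access allow localnet
http_access deny all
"""


def parse_conf(text):
    """Collect acl definitions (name -> [(type, value)]) and http_access rules in file order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, kind, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, []).extend((kind, v) for v in values)
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def domain_matches(pattern, host):
    """dstdomain semantics: leading dot matches domain and subdomains, otherwise exact host."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_matches(acls, name, client_ip, host):
    """An ACL matches if any of its values match (OR within one acl name)."""
    if name == "all":
        return True
    for kind, value in acls[name]:
        if kind == "src" and ipaddress.ip_address(client_ip) in ipaddress.ip_network(value, strict=False):
            return True
        if kind == "dstdomain" and domain_matches(value, host):
            return True
    return False


def decide(acls, rules, client_ip, host):
    """Return ('allow'|'deny', reason): first http_access line whose ACLs all match wins."""
    for action, names in rules:
        if all(acl_matches(acls, n, client_ip, host) for n in names):
            return action, "http_access %s %s" % (action, " ".join(names))
    # Nothing matched: Squid's default is the opposite of the last http_access line.
    last_action = rules[-1][0] if rules else "deny"
    default = "deny" if last_action == "allow" else "allow"
    return default, "implicit default (opposite of last rule)"


if __name__ == "__main__":
    acls, rules = parse_conf(SAMPLE_CONF)
    for ip, host in [("192.168.1.20", "www.neowin.net"), ("192.168.1.20", "neowin.net"),
                     ("192.168.1.50", "www.example.com"), ("192.168.1.50", "www.example.org"),
                     ("10.0.0.5", "www.example.org")]:
        print(ip, host, "->", decide(acls, rules, ip, host))
```

The locked_down client is the "select which clients the rules apply to" case: its whitelist line sits above its deny line, so order, not just the presence of the ACL, is what makes the whitelist work. The last test below also shows why the trailing `http_access deny all` belongs in every config: without it, a rule set ending in an allow line silently defaults to deny for unmatched requests, and one ending in a deny line defaults to allow.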

Well, he seems to have a bit of info not quite right in that walkthrough, like the conf part; the chown is wrong, etc. When I get a chance I will walk through the rest of it and validate.

If I were you I would go with 3.4.5.. Always best to be current when working out any issues, etc.

A walkthrough would be amazing, and I am now using 3.4.5. The only thing that confuses me is that after I install the SSL stuff the proxy doesn't work anymore... even if I change everything I changed back :/ this is just stressful lol. Cheers budman

Awesome, thanks, got it working and blocking

Saves me having to use OpenDNS now
