
Squid https?


37 replies to this topic

#1 Original Poster

Original Poster

    C++ n00b

  • Tech Issues Solved: 1
  • Joined: 15-July 08
  • Location: my room
  • OS: windows 7, backtrack 5, OSx 10.6

Posted 06 June 2014 - 09:53

Does anyone know how to configure HTTPS for Squid 2.7? I cannot seem to get it working, and I'm looking online and nothing seems to be helping.

I have set up the firewall to forward on 443 to port 3130 to the Squid proxy... and I have set up certificates  :( gaahhh help me people!!! This is bugging me




#2 OP Original Poster

Original Poster

    C++ n00b

  • Tech Issues Solved: 1
  • Joined: 15-July 08
  • Location: my room
  • OS: windows 7, backtrack 5, OSx 10.6

Posted 06 June 2014 - 15:24

I'm not trying to block HTTPS... I am trying to get Squid to allow HTTPS through itself... so I can then control access to websites... the access and the HTTP was easy... but I cannot seem to get HTTPS to work. This is a Squid matter



#3 Haggis

Haggis

    Neowinian Senior

  • Tech Issues Solved: 10
  • Joined: 13-June 07
  • Location: Near Stirling, Scotland
  • OS: Debian 7
  • Phone: Samsung Galaxy S3 LTE (i9305)

Posted 06 June 2014 - 15:43

I don't know a lot about Squid, but does this help?

http://stackoverflow...pport-in-squid3



#4 OP Original Poster

Original Poster

    C++ n00b

  • Tech Issues Solved: 1
  • Joined: 15-July 08
  • Location: my room
  • OS: windows 7, backtrack 5, OSx 10.6

Posted 06 June 2014 - 15:56

> I don't know a lot about Squid, but does this help?
>
> http://stackoverflow...pport-in-squid3

Thanks, but no :( Sadly I've tried so many things to get this working and I don't know why it isn't. If there is a Squid expert, I'd be happy to share my full config



#5 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 89
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 07 June 2014 - 11:50

So you are trying to filter via transparent proxy vs explicit proxy (i.e. set on the browser to point to the proxy)

If I recall correctly, that is not even possible with 2.7..  Why would you be running such an old version of Squid?  I believe with 3.1 you can use SSLBump - or Squid in the Middle ;)

http://wiki.squid-ca...eatures/SslBump

2.7 is from what, 2008??  3.4 is current.



#6 OP Original Poster

Original Poster

    C++ n00b

  • Tech Issues Solved: 1
  • Joined: 15-July 08
  • Location: my room
  • OS: windows 7, backtrack 5, OSx 10.6

Posted 07 June 2014 - 12:55

> So you are trying to filter via transparent proxy vs explicit proxy (i.e. set on the browser to point to the proxy)
>
> If I recall correctly, that is not even possible with 2.7..  Why would you be running such an old version of Squid?  I believe with 3.1 you can use SSLBump - or Squid in the Middle ;)
>
> http://wiki.squid-ca...eatures/SslBump
>
> 2.7 is from what, 2008??  3.4 is current.

The browser does not point there, no; the Linux (Debian) acts as a router and eth0 (the network) is routed to eth1 ("wan"). HTTP is then cached and blocked via Squid, and now I'm trying HTTPS... I thought I had it set up right using crts and keys on port 3130 (http 3128), but it just keeps saying no connection can be made...

The routing via Squid is done using iptables and obviously the connection of the network is done using route

I tried using Squid 3.1 but it kept saying the caching was not initialised and I couldn't get the SSLbump to work (I'm assuming I have to install it with enable_ssl?) but I could never get it :((((((((((((( 1 million sad faces... I've looked at every single guide going and have found little that can help me.... My HTTP caching works perfectly btw. I know it's a simple MiTM, but I have never done one using certs, only forced people off SSL, but SSL is required :(



#7 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 89
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 07 June 2014 - 13:01

Again -- I do not believe 2.7 even supports sslbump..  You need to be running at min 3.1, which is when that was introduced.  Some things say it doesn't really work until 3.2, etc..

Why don't you just install the current 3.4?

Here is a walkthrough setting up 3.3.10 on Debian

http://pen-testing-l...y-for-http.html

I would go with the above walkthrough but using the current source, which I believe is 3.4.5



#8 OP Original Poster

Original Poster

    C++ n00b

  • Tech Issues Solved: 1
  • Joined: 15-July 08
  • Location: my room
  • OS: windows 7, backtrack 5, OSx 10.6

Posted 07 June 2014 - 13:10

> Again -- I do not believe 2.7 even supports sslbump..  You need to be running at min 3.1, which is when that was introduced.  Some things say it doesn't really work until 3.2, etc..
>
> Why don't you just install the current 3.4?
>
> Here is a walkthrough setting up 3.3.10 on Debian
>
> http://pen-testing-l...y-for-http.html
>
> I would go with the above walkthrough but using the current source, which I believe is 3.4.5

Thanks BudMan :) I will give this a try Monday and post back my results :) (I'm away for the weekend)



#9 OP Original Poster

Original Poster

    C++ n00b

  • Tech Issues Solved: 1
  • Joined: 15-July 08
  • Location: my room
  • OS: windows 7, backtrack 5, OSx 10.6

Posted 09 June 2014 - 10:04

> Again -- I do not believe 2.7 even supports sslbump..  You need to be running at min 3.1, which is when that was introduced.  Some things say it doesn't really work until 3.2, etc..
>
> Why don't you just install the current 3.4?
>
> Here is a walkthrough setting up 3.3.10 on Debian
>
> http://pen-testing-l...y-for-http.html
>
> I would go with the above walkthrough but using the current source, which I believe is 3.4.5

Cheers, I got it working! Though there is the small issue of Google Chrome refusing the connection completely because it obviously doesn't trust the certificate. Any suggestion to overcome it?



#10 OP Original Poster

Original Poster

    C++ n00b

  • Tech Issues Solved: 1
  • Joined: 15-July 08
  • Location: my room
  • OS: windows 7, backtrack 5, OSx 10.6

Posted 09 June 2014 - 10:55

> Cheers, I got it working! Though there is the small issue of Google Chrome refusing the connection completely because it obviously doesn't trust the certificate. Any suggestion to overcome it?

This isn't even the worst of my problems now; the HTTP caching isn't working :@ :'(



#11 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 89
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 09 June 2014 - 11:05

What do you need caching for in the first place - nothing is static these days ;)

What version did you install?  What OS are you installing it on?

If you want to do MITM, then yeah, the browser has to trust the cert you're going to present.. Install the CA root in the browser of the cert you're using.

Looking at the steps a bit deeper on that guide, did your cache get created correctly..  I don't think it would work with those chown only in the log section.  Did you edit the .conf to enable cache?

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256

Pretty sure it's commented out by default.. etc..



#12 OP Original Poster

Original Poster

    C++ n00b

  • Tech Issues Solved: 1
  • Joined: 15-July 08
  • Location: my room
  • OS: windows 7, backtrack 5, OSx 10.6

Posted 09 June 2014 - 12:05

> What do you need caching for in the first place - nothing is static these days ;)
>
> What version did you install?  What OS are you installing it on?
>
> If you want to do MITM, then yeah, the browser has to trust the cert you're going to present.. Install the CA root in the browser of the cert you're using.

I'm fine with the MiTM right now lol, I can fix that later ... I'm on Squid 3.3.11, using Debian... I know nothing is static nowadays xD but my tests show that it is beneficial; either way I need it. Plus it appears I'm getting an error: "error no forward-proxy ports configured"
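A small checker for the two configuration problems raised in the posts above (the commented-out `cache_dir` and the "no forward-proxy ports configured" error), added here as an example and not code from any poster or from the Squid project. The sample configs are constructed; port 3129 and the certificate path are assumptions, and the finding names are made up for this sketch.

```python
# Port mode flags that make a listener something other than a forward-proxy port.
NON_FORWARD_FLAGS = {"intercept", "transparent", "tproxy", "accel"}

# Constructed samples (not the poster's config); cert path is hypothetical.
SAMPLE_BROKEN = """\
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
"""
SAMPLE_FIXED = """\
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump generate-host-certificates=on cert=/usr/local/squid/ssl_cert/myCA.pem
cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256
"""

def parse_directives(conf_text):
    """Return (name, [args]) for every active (uncommented) squid.conf line."""
    directives = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            directives.append((name, args))
    return directives

def lint(conf_text):
    """Return a list of findings for the problems discussed in this thread."""
    directives = parse_directives(conf_text)
    findings = []
    # Squid 3.2+ wants at least one plain http_port next to any intercept port.
    http_ports = [args for name, args in directives if name == "http_port"]
    if not any(NON_FORWARD_FLAGS.isdisjoint(args) for args in http_ports):
        findings.append("no-forward-proxy-port")
    # Without an active cache_dir, Squid 3.x caches in memory only.
    if not any(name == "cache_dir" for name, _ in directives):
        findings.append("no-disk-cache")
    # A bumping port needs the signing CA certificate (cert=...).
    for name, args in directives:
        if name in ("http_port", "https_port") and "ssl-bump" in args:
            if not any(arg.startswith("cert=") for arg in args):
                findings.append("ssl-bump-without-cert")
    return findings

if __name__ == "__main__":
    print("broken:", lint(SAMPLE_BROKEN))
    print("fixed: ", lint(SAMPLE_FIXED))
```

After enabling `cache_dir`, the swap directories still have to be created with `-z` before Squid is started.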



#13 The_Decryptor

The_Decryptor

    STEAL THE DECLARATION OF INDEPENDENCE

  • Tech Issues Solved: 4
  • Joined: 28-September 02
  • Location: Sol System
  • OS: iSymbian 9.2 SP24.8 Mars Bar

Posted 09 June 2014 - 12:12

> Cheers, I got it working! Though there is the small issue of Google Chrome refusing the connection completely because it obviously doesn't trust the certificate. Any suggestion to overcome it?


Yeah, you'll need to disable certificate pinning (if it's even possible), it's an extra layer of security and it's picking up on your "attack".

#14 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 89
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 09 June 2014 - 12:22

As to your cache, and why not current??  Why are you on 3.3 when 3.4.5 is current?

You're going to have to edit conf to enable cache, and then you're going to need to do -z so it creates them.. Did you see something like this


2014/06/09 06:50:46 kid1| Creating missing swap directories
2014/06/09 06:50:46 kid1| /usr/local/squid/var/cache/squid exists
2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/00
2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/01
2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/02
2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/03
2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/04
 

Then as to validation of hitting cache - it's prob going to just give you mem hits..  I fired up a copy to play with


root@cleanlinux:/usr/local/squid/var/logs# grep TCP_MEM_HIT /usr/local/squid/var/logs/access.log
1402315681.533      0 127.0.0.1 TCP_MEM_HIT/200 9053 GET http://www.squid-cache.org/ - HIER_NONE/- text/html
1402316047.051      0 192.168.1.100 TCP_MEM_HIT/200 9058 GET http://www.squid-cache.org/ - HIER_NONE/- text/html
1402316047.085      0 192.168.1.100 TCP_MEM_HIT/200 3998 GET http://www.squid-cache.org/default.css - HIER_NONE/- text/css
1402316106.725      0 192.168.1.100 TCP_MEM_HIT/200 11522 GET http://cdn.sstatic.net/Js/stub.en.js? - HIER_NONE/- application/javascript
1402316106.726      2 192.168.1.100 TCP_MEM_HIT/200 33845 GET http://ajax.googleap...1/jquery.min.js - HIER_NONE/- text/javascript
1402316106.726      1 192.168.1.100 TCP_MEM_HIT/200 36498 GET http://cdn.sstatic.n...ubuntu/all.css? - HIER_NONE/- text/css
1402316106.766      0 192.168.1.100 TCP_MEM_HIT/200 1718 GET http://cdn.sstatic.n...mg/favicon.ico? - HIER_NONE/- image/x-icon
1402316107.029      2 192.168.1.100 TCP_MEM_HIT/200 16099 GET http://cdn.sstatic.n...R-webfont.woff? - HIER_NONE/- font/x-woff
1402316107.030      1 192.168.1.100 TCP_MEM_HIT/200 28355 GET http://cdn.sstatic.n...ull-anon.en.js? - HIER_NONE/- application/javascript
1402316107.030      2 192.168.1.100 TCP_MEM_HIT/200 44206 GET http://cdn.sstatic.n...L-webfont.woff? - HIER_NONE/- font/x-woff
1402316107.176      0 192.168.1.100 TCP_MEM_HIT/200 3275 GET http://cdn.sstatic.n...lidation.en.js? - HIER_NONE/- application/javascript
 

See, those are via the log..  those are cache hits.. But just out of memory, not disk..

When I get a chance I will walk through the rest of that guide - but so far it is a bit lacking from the first couple of commands; maybe that older version had cache on by default?  But you need to edit conf in the current to uncomment it.
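To go one step beyond the `grep TCP_MEM_HIT` check in the post above, this added example (not from the thread) splits a native-format `access.log` into memory hits, disk hits and uncached requests, so it is clear whether the `cache_dir` store is being used at all. The log lines are constructed and use documentation addresses.

```python
from collections import Counter

# Constructed sample in Squid's native access.log format (not from the thread).
SAMPLE_LOG = """\
1402316047.051      0 192.0.2.100 TCP_MEM_HIT/200 9058 GET http://www.squid-cache.org/ - HIER_NONE/- text/html
1402316047.085      3 192.0.2.100 TCP_HIT/200 3998 GET http://www.squid-cache.org/default.css - HIER_NONE/- text/css
1402316050.120    212 192.0.2.100 TCP_MISS/200 15230 GET http://example.com/ - HIER_DIRECT/192.0.2.10 text/html
1402316051.300      0 192.0.2.100 TCP_DENIED/403 3500 GET http://blocked.example/ - HIER_NONE/- text/html
truncated line without enough fields
"""

def classify(result_code):
    """Say where Squid served the response from, based on its result code."""
    if result_code == "TCP_MEM_HIT":
        return "memory"          # object was in cache_mem, no disk access
    if result_code == "TCP_HIT":
        return "disk"            # valid cached copy that was not in memory
    if "HIT" in result_code or result_code == "TCP_REFRESH_UNMODIFIED":
        return "other_hit"       # revalidated / If-Modified-Since hits
    return "not_cached"          # misses, denials, tunnels, errors

def summarize(log_text):
    """Return (request counts, byte counts) per source for an access.log."""
    requests, volume = Counter(), Counter()
    for line in log_text.splitlines():
        fields = line.split()
        # native format: time elapsed client code/status bytes method URL ...
        if len(fields) < 7 or "/" not in fields[3] or not fields[4].isdigit():
            continue             # skip malformed or truncated lines
        source = classify(fields[3].split("/", 1)[0])
        requests[source] += 1
        volume[source] += int(fields[4])
    return requests, volume

def disk_cache_in_use(log_text):
    """True only if at least one response came from the cache_dir store."""
    return summarize(log_text)[0]["disk"] > 0

if __name__ == "__main__":
    reqs, vol = summarize(SAMPLE_LOG)
    for source in ("memory", "disk", "other_hit", "not_cached"):
        print(f"{source:11} {reqs[source]:4} requests {vol[source]:8} bytes")
```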



#15 OP Original Poster

Original Poster

    C++ n00b

  • Tech Issues Solved: 1
  • Joined: 15-July 08
  • Location: my room
  • OS: windows 7, backtrack 5, OSx 10.6

Posted 09 June 2014 - 13:17

> As to your cache, and why not current??  Why are you on 3.3 when 3.4.5 is current?
>
> You're going to have to edit conf to enable cache, and then you're going to need to do -z so it creates them.. Did you see something like this
>
> 2014/06/09 06:50:46 kid1| Creating missing swap directories
> 2014/06/09 06:50:46 kid1| /usr/local/squid/var/cache/squid exists
> 2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/00
> 2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/01
> 2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/02
> 2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/03
> 2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/04
>
> Then as to validation of hitting cache - it's prob going to just give you mem hits..  I fired up a copy to play with
>
> root@cleanlinux:/usr/local/squid/var/logs# grep TCP_MEM_HIT /usr/local/squid/var/logs/access.log
> 1402315681.533      0 127.0.0.1 TCP_MEM_HIT/200 9053 GET http://www.squid-cache.org/ - HIER_NONE/- text/html
> 1402316047.051      0 192.168.1.100 TCP_MEM_HIT/200 9058 GET http://www.squid-cache.org/ - HIER_NONE/- text/html
> 1402316047.085      0 192.168.1.100 TCP_MEM_HIT/200 3998 GET http://www.squid-cache.org/default.css - HIER_NONE/- text/css
> 1402316106.725      0 192.168.1.100 TCP_MEM_HIT/200 11522 GET http://cdn.sstatic.net/Js/stub.en.js? - HIER_NONE/- application/javascript
> 1402316106.726      2 192.168.1.100 TCP_MEM_HIT/200 33845 GET http://ajax.googleap...1/jquery.min.js - HIER_NONE/- text/javascript
> 1402316106.726      1 192.168.1.100 TCP_MEM_HIT/200 36498 GET http://cdn.sstatic.n...ubuntu/all.css? - HIER_NONE/- text/css
> 1402316106.766      0 192.168.1.100 TCP_MEM_HIT/200 1718 GET http://cdn.sstatic.n...mg/favicon.ico? - HIER_NONE/- image/x-icon
> 1402316107.029      2 192.168.1.100 TCP_MEM_HIT/200 16099 GET http://cdn.sstatic.n...R-webfont.woff? - HIER_NONE/- font/x-woff
> 1402316107.030      1 192.168.1.100 TCP_MEM_HIT/200 28355 GET http://cdn.sstatic.n...ull-anon.en.js? - HIER_NONE/- application/javascript
> 1402316107.030      2 192.168.1.100 TCP_MEM_HIT/200 44206 GET http://cdn.sstatic.n...L-webfont.woff? - HIER_NONE/- font/x-woff
> 1402316107.176      0 192.168.1.100 TCP_MEM_HIT/200 3275 GET http://cdn.sstatic.n...lidation.en.js? - HIER_NONE/- application/javascript
>
> See, those are via the log..  those are cache hits.. But just out of memory, not disk..
>
> When I get a chance I will walk through the rest of that guide - but so far it is a bit lacking from the first couple of commands; maybe that older version had cache on by default?  But you need to edit conf in the current to uncomment it.

I followed the guide on the link; it seemed to work well, but the cache would never initialise :( I've got all day so I'll uninstall and try again lol. Like I said, I have cache working in 2.7 but not 3+; it's never liked it. It's why I stuck to 2.7, then hit the SSL wall. I keep trying to find a way to SSL-enable using apt-get 'cause I'm lazy and hate waiting for ./configure xD

I guess I must just be missing something in the config... I normally go in, have my iptables set etc. etc. and just set http 2128 to transparent and done, Squid is in charge... With squid3 it won't even let Squid block websites; the proxy rules don't matter