Original Poster Posted June 6, 2014 Share Posted June 6, 2014 does anyone know how to configure https for squid 2.7? I cannot seem to get it working and im looking online and nothing seems to be helping I have set up the firewall to forward on 443 to port 3130 to the squid proxy... and I have set up certificates :( gaahhh help me people!!! this is buggingg meee Link to comment Share on other sites More sharing options...
Original Poster Posted June 6, 2014 Author Share Posted June 6, 2014 im not trying to block https... I am trying to get squid to allow https through its self... so I can then control access to websites... the access and the HTTP was easy...but I cannot seem to get https to work, this is a squid matter Link to comment Share on other sites More sharing options...
Haggis Veteran Posted June 6, 2014 Veteran Share Posted June 6, 2014 i dont know a lot about squid but does this help? http://stackoverflow.com/questions/13151192/how-to-configure-https-support-in-squid3 Link to comment Share on other sites More sharing options...
Original Poster Posted June 6, 2014 Author Share Posted June 6, 2014 i dont know a lot about squid but does this help? http://stackoverflow.com/questions/13151192/how-to-configure-https-support-in-squid3 thanks but no :( sadly I ive tried so many things to get this working and i dont know why it isnt if there is a squid expert id be happy to share my full config Link to comment Share on other sites More sharing options...
+BudMan MVC Posted June 7, 2014 MVC Share Posted June 7, 2014 So you are trying to filter via transparent proxy vs explicit proxy (ie set on the browser to point to the proxy) if I recall correctly that is not even possible with 2.7.. Why would you be running such an old version of squid? I believe with 3.1 you can use SSLBump - or Squid in the Middle ;) http://wiki.squid-cache.org/Features/SslBump 2.7 is from what 2008?? 3.4 is current. Link to comment Share on other sites More sharing options...
Original Poster Posted June 7, 2014 Author Share Posted June 7, 2014 So you are trying to filter via transparent proxy vs explicit proxy (ie set on the browser to point to the proxy) if I recall correctly that is not even possible with 2.7.. Why would you be running such an old version of squid? I believe with 3.1 you can use SSLBump - or Squid in the Middle ;) http://wiki.squid-cache.org/Features/SslBump 2.7 is from what 2008?? 3.4 is current. the browser does not point there not the linux (debian) acts as a router and eth0 (the network) is routed to eth1("wan") http is then cached and blocked via squid and now im trying https... I thought I had it set up right using crts and keys on port 3130 (http 3128) but it just keeps saying no connection can be made... the routing via squid is done using IP tables and obviously the connection of the network is done using route I tried using squid 3.1 but it kept saying the cacheing was not intialised and i couldnt get the SSLbump to work (im assuming I have to install it with enable_ssl? ) but i could never get it :((((((((((((( 1 million sadfaces... ive looked at every single guide going and have found little that can help me....my http caching works perfectly btw I know its a simple MiTM, but i have never done one using certs only forced people of SSL but SSL is required :( Link to comment Share on other sites More sharing options...
+BudMan MVC Posted June 7, 2014 MVC Share Posted June 7, 2014 Again -- I do not believe 2.7 even supports sslbump.. You need to be running at min 3.1, which is when that was introduced. Somethings say doesn't really work until 3.2, etc.. Why don't you just install the current 3.4? Here is a walk through setting up 3.3.10 on debian http://pen-testing-lab.blogspot.com/2013/11/squid-3310-transparent-proxy-for-http.html I would go with the above walk through but using the current source which I believe is 3.4.5 Link to comment Share on other sites More sharing options...
Original Poster Posted June 7, 2014 Author Share Posted June 7, 2014 Again -- I do not believe 2.7 even supports sslbump.. You need to be running at min 3.1, which is when that was introduced. Somethings say doesn't really work until 3.2, etc.. Why don't you just install the current 3.4? Here is a walk through setting up 3.3.10 on debian http://pen-testing-lab.blogspot.com/2013/11/squid-3310-transparent-proxy-for-http.html I would go with the above walk through but using the current source which I believe is 3.4.5 thanks budman :) I will give this a try monday and post back my results :) (im away for the weekend) Link to comment Share on other sites More sharing options...
Original Poster Posted June 9, 2014 Author Share Posted June 9, 2014 Again -- I do not believe 2.7 even supports sslbump.. You need to be running at min 3.1, which is when that was introduced. Somethings say doesn't really work until 3.2, etc.. Why don't you just install the current 3.4? Here is a walk through setting up 3.3.10 on debian http://pen-testing-lab.blogspot.com/2013/11/squid-3310-transparent-proxy-for-http.html I would go with the above walk through but using the current source which I believe is 3.4.5 cheers i got it working! though there is the small issue of google chrome refusing the connection completely because it obviously doesn't trust the certificate, any suggestion to over come it? Link to comment Share on other sites More sharing options...
Original Poster Posted June 9, 2014 Author Share Posted June 9, 2014 cheers i got it working! though there is the small issue of google chrome refusing the connection completely because it obviously doesn't trust the certificate, any suggestion to over come it? this isnt even worst of my problems now the http caching isnt working :@ :'( Link to comment Share on other sites More sharing options...
+BudMan MVC Posted June 9, 2014 MVC Share Posted June 9, 2014 what do you need caching for in the first place - nothing is static these days ;) What version did you install? What OS are you installing it on? If you want to do MITM, then yeah the browser has to trust the cert your going to present.. Install the CA root in the browser of the cert your using. Looking that the steps a bit deeper on that guide, did your cache get created correctly.. I don't think it would work with those chown only in the log section. Did you edit the .conf to enable chace? # Uncomment and adjust the following to add a disk cache directory.cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256 Pretty sure its commented out by default.. etc.. Link to comment Share on other sites More sharing options...
Original Poster Posted June 9, 2014 Author Share Posted June 9, 2014 what do you need caching for in the first place - nothing is static these days ;) What version did you install? What OS are you installing it on? If you want to do MITM, then yeah the browser has to trust the cert your going to present.. Install the CA root in the browser of the cert your using. im fine with the MiTM right now lol i can fix that later ... im on 3.3.11 squid, using debian... I know nothing is static now days xD but my tests show that it is beneficial, either way I need it, plus it appears im getting an error "error no forward-proxy ports configured" Link to comment Share on other sites More sharing options...
The_Decryptor Veteran Posted June 9, 2014 Veteran Share Posted June 9, 2014 cheers i got it working! though there is the small issue of google chrome refusing the connection completely because it obviously doesn't trust the certificate, any suggestion to over come it? Yeah, you'll need to disable certificate pinning (if it's even possible), it's an extra layer of security and it's picking up on your "attack". Link to comment Share on other sites More sharing options...
+BudMan MVC Posted June 9, 2014 MVC Share Posted June 9, 2014 As to your cache, and why not current?? why are you on 3.3 when 3.4.5 is current? your going to to have to edit conf to enable cache, and then your going to need to do -z so it creates them.. Did you see something like this 2014/06/09 06:50:46 kid1| Creating missing swap directories2014/06/09 06:50:46 kid1| /usr/local/squid/var/cache/squid exists2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/002014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/012014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/022014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/032014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/04 Then as to validation of hitting cache - its prob going to just give you mem hits.. I fired up a copy to play iwth root@cleanlinux:/usr/local/squid/var/logs# grep TCP_MEM_HIT /usr/local/squid/var/logs/access.log1402315681.533 0 127.0.0.1 TCP_MEM_HIT/200 9053 GET http://www.squid-cache.org/ - HIER_NONE/- text/html 1402316047.051 0 192.168.1.100 TCP_MEM_HIT/200 9058 GET http://www.squid-cache.org/ - HIER_NONE/- text/html 1402316047.085 0 192.168.1.100 TCP_MEM_HIT/200 3998 GET http://www.squid-cache.org/default.css - HIER_NONE/- text/css 1402316106.725 0 192.168.1.100 TCP_MEM_HIT/200 11522 GET http://cdn.sstatic.net/Js/stub.en.js? - HIER_NONE/- application/javascript 1402316106.726 2 192.168.1.100 TCP_MEM_HIT/200 33845 GET http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js - HIER_NONE/- text/javascript 1402316106.726 1 192.168.1.100 TCP_MEM_HIT/200 36498 GET http://cdn.sstatic.net/askubuntu/all.css? - HIER_NONE/- text/css 1402316106.766 0 192.168.1.100 TCP_MEM_HIT/200 1718 GET http://cdn.sstatic.net/askubuntu/img/favicon.ico? - HIER_NONE/- image/x-icon 1402316107.029 2 192.168.1.100 TCP_MEM_HIT/200 16099 GET http://cdn.sstatic.net/_fonts/ubuntu/ubuntu-R-webfont.woff? - HIER_NONE/- font/x-woff 1402316107.030 1 192.168.1.100 TCP_MEM_HIT/200 28355 GET http://cdn.sstatic.net/Js/full-anon.en.js? - HIER_NONE/- application/javascript 1402316107.030 2 192.168.1.100 TCP_MEM_HIT/200 44206 GET http://cdn.sstatic.net/_fonts/ubuntu/ubuntu-L-webfont.woff? - HIER_NONE/- font/x-woff 1402316107.176 0 192.168.1.100 TCP_MEM_HIT/200 3275 GET http://cdn.sstatic.net/Js/post-validation.en.js? - HIER_NONE/- application/javascript See those are via the log.. those are cache hits.. But just out of memory not disk.. When I get a chance i will walk through the rest of that guide - but sofar is a bit lacking from first couple of commands, maybe that older version had cache on by default? But you need to edit conf in the current to uncomment it. Link to comment Share on other sites More sharing options...
Original Poster Posted June 9, 2014 Author Share Posted June 9, 2014 As to your cache, and why not current?? why are you on 3.3 when 3.4.5 is current? your going to to have to edit conf to enable cache, and then your going to need to do -z so it creates them.. Did you see something like this 2014/06/09 06:50:46 kid1| Creating missing swap directories 2014/06/09 06:50:46 kid1| /usr/local/squid/var/cache/squid exists 2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/00 2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/01 2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/02 2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/03 2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/04 Then as to validation of hitting cache - its prob going to just give you mem hits.. I fired up a copy to play iwth root@cleanlinux:/usr/local/squid/var/logs# grep TCP_MEM_HIT /usr/local/squid/var/logs/access.log 1402315681.533 0 127.0.0.1 TCP_MEM_HIT/200 9053 GET http://www.squid-cache.org/ - HIER_NONE/- text/html 1402316047.051 0 192.168.1.100 TCP_MEM_HIT/200 9058 GET http://www.squid-cache.org/ - HIER_NONE/- text/html 1402316047.085 0 192.168.1.100 TCP_MEM_HIT/200 3998 GET http://www.squid-cache.org/default.css - HIER_NONE/- text/css 1402316106.725 0 192.168.1.100 TCP_MEM_HIT/200 11522 GET http://cdn.sstatic.net/Js/stub.en.js? - HIER_NONE/- application/javascript 1402316106.726 2 192.168.1.100 TCP_MEM_HIT/200 33845 GET http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js - HIER_NONE/- text/javascript 1402316106.726 1 192.168.1.100 TCP_MEM_HIT/200 36498 GET http://cdn.sstatic.net/askubuntu/all.css? - HIER_NONE/- text/css 1402316106.766 0 192.168.1.100 TCP_MEM_HIT/200 1718 GET http://cdn.sstatic.net/askubuntu/img/favicon.ico? - HIER_NONE/- image/x-icon 1402316107.029 2 192.168.1.100 TCP_MEM_HIT/200 16099 GET http://cdn.sstatic.net/_fonts/ubuntu/ubuntu-R-webfont.woff? - HIER_NONE/- font/x-woff 1402316107.030 1 192.168.1.100 TCP_MEM_HIT/200 28355 GET http://cdn.sstatic.net/Js/full-anon.en.js? - HIER_NONE/- application/javascript 1402316107.030 2 192.168.1.100 TCP_MEM_HIT/200 44206 GET http://cdn.sstatic.net/_fonts/ubuntu/ubuntu-L-webfont.woff? - HIER_NONE/- font/x-woff 1402316107.176 0 192.168.1.100 TCP_MEM_HIT/200 3275 GET http://cdn.sstatic.net/Js/post-validation.en.js? - HIER_NONE/- application/javascript See those are via the log.. those are cache hits.. But just out of memory not disk.. When I get a chance i will walk through the rest of that guide - but sofar is a bit lacking from first couple of commands, maybe that older version had cache on by default? But you need to edit conf in the current to uncomment it. I followed the guide on the link it seemed to work well but the cache would never initialise :( ive got all day so il uninstall and try again lol like i said i have cache working in 2.7 but not 3+ its never liked it its why I stuck to 2.7 then hit the SSL wall, i keep trying to find a way to ssl enable using apt-get cause Im lazy and hate waiting for ./configure xD I guess i must just be missing something in the config... i normally go in have my iptables set etc etc and just set http 2128 to transparent and done squid is in charge... with squid3 it wont even let squid block websites the proxy rules dont matter Link to comment Share on other sites More sharing options...
+BudMan MVC Posted June 9, 2014 MVC Share Posted June 9, 2014 What did you put in the config to block? Its as simple as something like this acl testblock dstdomain neowin.nethttp_access deny testblock Then get this Link to comment Share on other sites More sharing options...
Original Poster Posted June 9, 2014 Author Share Posted June 9, 2014 What did you put in the config to block? Its as simple as something like this acl testblock dstdomain neowin.net http_access deny testblock Then get this block.png ye i get that with 2.7 :P with 3+ it just ignores the proxy apart from the certs, and goes to what ever web pages it pleases im trying again now (sorry for the delayed reply for some reason today everyone in the office needs wireless APs configured its like my 6th one in an hour) Link to comment Share on other sites More sharing options...
dragon2611 Posted June 9, 2014 Share Posted June 9, 2014 ye i get that with 2.7 :p with 3+ it just ignores the proxy apart from the certs, and goes to what ever web pages it pleases im trying again now (sorry for the delayed reply for some reason today everyone in the office needs wireless APs configured its like my 6th one in an hour) Sounds like a managed wireless system is needed rather than indervidual ap's Link to comment Share on other sites More sharing options...
Original Poster Posted June 9, 2014 Author Share Posted June 9, 2014 Sounds like a managed wireless system is needed rather than indervidual ap's haha nahh different departments and technologies they are not for the general staff use lol but yea anyway i am getting this Initializing the Squid cache with the command /usr/local/squid/sbin/squid -f /usr/local/squid/etc/squid.conf -z .. 2014/06/09 16:04:15 kid1| Set Current Directory to /usr/local/squid/var/cache/squid 2014/06/09 16:04:15 kid1| Creating missing swap directories 2014/06/09 16:04:15 kid1| No cache_dir stores are configured. Link to comment Share on other sites More sharing options...
Haggis Veteran Posted June 9, 2014 Veteran Share Posted June 9, 2014 i am sorry to add this as its a bit of a hijack but can you use squid to block a custom list of websites and it will only affect those computer pointed at the proxy? Link to comment Share on other sites More sharing options...
+BudMan MVC Posted June 9, 2014 MVC Share Posted June 9, 2014 That command is not working.. Or you would of seen stuff like I posted 2014/06/09 06:50:46 kid1| Creating missing swap directories 2014/06/09 06:50:46 kid1| /usr/local/squid/var/cache/squid exists 2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/00 2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/01 2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/02 2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/03 You prob have a permissions issue.. or you didn't configure the .conf 2014/06/09 16:04:15 kid1| No cache_dir stores are configured. did you uncomment the line I pointed to before in your .conf # Uncomment and adjust the following to add a disk cache directory. cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256 as to using squid, yeah if you are using explicit mode - ie pointing to the proxy, then only those applications that point to the proxy would be subject to any acls you have setup. Link to comment Share on other sites More sharing options...
Original Poster Posted June 9, 2014 Author Share Posted June 9, 2014 That command is not working.. Or you would of seen stuff like I posted 2014/06/09 06:50:46 kid1| Creating missing swap directories 2014/06/09 06:50:46 kid1| /usr/local/squid/var/cache/squid exists 2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/00 2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/01 2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/02 2014/06/09 06:50:46 kid1| Making directories in /usr/local/squid/var/cache/squid/03 You prob have a permissions issue.. i managed to get this in the end, but once i did the ssl part of the walk everything stopped working again :@ my block lists dont work i am sorry to add this as its a bit of a hijack but can you use squid to block a custom list of websites and it will only affect those computer pointed at the proxy? yes you can, but i use a whitelist rather then black, with squid if you have ur linux set as a router with the squid sat on the linux router and pass everything through it you can select what clients the rules apply to. Link to comment Share on other sites More sharing options...
+BudMan MVC Posted June 9, 2014 MVC Share Posted June 9, 2014 Well he seems to have a bit of info not quite right in that walkthru, like the conf part, the chown is wrong, etc. When get a chance will walk through the rest of it and validate. If I were you I would go with 3.4.5.. Always best to be current when working out any issues, etc. Link to comment Share on other sites More sharing options...
Original Poster Posted June 9, 2014 Author Share Posted June 9, 2014 Well he seems to have a bit of info not quite right in that walkthru, like the conf part, the chown is wrong, etc. When get a chance will walk through the rest of it and validate. If I were you I would go with 3.4.5.. Always best to be current when working out any issues, etc. A walk through would be amazing, and I am now using 3.4.5 the only thing that confuses me is that after I install the SSL stuff the proxy doesnt work anymore...even if i change everything i changed back :/ this is just stressfull lol. cheers budman Link to comment Share on other sites More sharing options...
Haggis Veteran Posted June 9, 2014 Veteran Share Posted June 9, 2014 Awesome thanksgot it working and blocking saves me having to use opendns now Link to comment Share on other sites More sharing options...
Recommended Posts