Squid as a transparent proxy over SSL/HTTPS

Setting up Squid as a transparent proxy is a fairly easy job. If we Google for "how to set up squid as a transparent proxy", Google returns plenty of links for reference. But it is commonly seen that, when using a transparent proxy, we are unable to connect to HTTPS sites such as Gmail and the many other sites that use the HTTPS protocol for security reasons, while sites that use plain HTTP open without trouble.

Let's first understand how Squid works in transparent mode. When setting up Squid as a transparent proxy, we forward every request arriving on port 80 to Squid's own port, 3128 by default. Port 80 means the HTTP protocol. What happens when we request Gmail, which uses HTTPS? That protocol sends its requests to port 443, but our iptables firewall rules only forward port 80 to port 3128; port 443, used by HTTPS, is forgotten, and Squid is an HTTP proxy server. Many folks may think it is easy: just forward all traffic arriving on port 443 to Squid's port 3128 as well. No, that won't work, because an HTTPS connection establishes a secure (encrypted) session over the network, and for that it uses a certificate and a public/private key pair. First of all I thank God for the RSA and DSA algorithms, because it is not easy to decrypt data encrypted with them. The Squid proxy is a middle man that rewrites packet headers and routes traffic to the internet. So what we have to do is create a certificate and public/private key pair for the internal network, which the Squid client and the Squid server use between themselves; the Squid server can then route your traffic on to the internet. To get faster results it is better to have the certificate signed by a CA; self-signed certificates slow the connection down a little. In transparent mode, encryption and decryption are done twice, so results may be slow, so I advise you to be patient.

Steps are:

  1. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
  2. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 3130

Certificate and public/private key pair generation.

  1. openssl genrsa -des3 -out server.key 1024
  2. openssl req -new -key server.key -out server.csr

Steps to remove the passphrase

  1. cp server.key server.key.org
  2. openssl rsa -in server.key.org -out server.key

Create the server certificate

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
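As an added example (not from the original post), here is the same key, CSR and certificate generation as the steps above, done in one script with consistent file names, without the -des3 passphrase that the next step only removes again, and followed by a check that the certificate and the private key actually belong together before they are referenced from squid.conf. It assumes the openssl command-line tool is installed; the output directory, the file names server.key/server.csr/server.crt and the 2048-bit key size are choices of this example, and the CN squidserver.hostname.com is a placeholder. The clients on the internal network must trust this certificate (or the CA that signs it), otherwise they will get a certificate warning for every HTTPS site they open through the proxy.

```shell
#!/bin/sh
# Added example, not the original post's commands: generate key, CSR and a
# self-signed certificate for Squid's https_port, then verify the pair.
# Assumes the openssl CLI is on PATH. Paths, file names and the CN are
# placeholders.
set -eu

# Generate an unencrypted RSA key (no -des3, so no passphrase to strip
# later), a CSR, and a certificate valid for 365 days, into directory $1.
make_proxy_cert() {
    dir="$1"
    mkdir -p "$dir"
    # The private key is created in a subshell with umask 077 so it is
    # never readable by other users, not even for an instant.
    ( umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null )
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=squidserver.hostname.com" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Return 0 when the RSA modulus inside the certificate ($1) equals the
# modulus of the private key ($2), i.e. cert= and key= really form a pair.
cert_key_match() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
    [ "$cert_mod" = "$key_mod" ]
}

# Return 0 when the key loads without a passphrase. Squid cannot prompt
# for one at startup, so a passphrase-protected key would fail to load.
key_has_no_passphrase() {
    openssl rsa -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# Usage: sh make_proxy_cert.sh /etc/squid/ssl   (path is a placeholder)
if [ $# -eq 1 ]; then
    make_proxy_cert "$1"
    cert_key_match "$1/server.crt" "$1/server.key" && echo "cert and key match"
    key_has_no_passphrase "$1/server.key" && echo "key has no passphrase"
fi
```

Run cert_key_match against whatever pair you end up putting on the https_port line; a mismatched pair is a common result of the copy-and-rename dance in the passphrase-removal step and Squid will simply refuse to start with it.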

Now make some changes to the squid.conf file

  1. http_port 3128 transparent
  2. https_port 3130 transparent cert=/path/to/server.crt key=/path/to/server.key

Another easy way to create the certificate and public/private key pair is the genkey utility. To use it you need the crypto-utils package installed on your machine.

Steps are:

  1. # yum -y install crypto-utils
  2. genkey -days 365 squidserver.hostname.com
  3. Hit next.
  4. Select the number of bits for the encryption key. The default is 1024. The command will then generate the random bits.
  5. Generate the certificate.
  6. I suggest never setting a passphrase on the key, because if the key has a passphrase then the passphrase has to be shared along with the key.
  7. The certificate and the key are stored at /etc/pki/tls/certs/ and /etc/pki/tls/private/ respectively.
  8. In squid.conf make the necessary changes like this:

http_port 3128 transparent

https_port 3130 transparent cert=/etc/pki/tls/certs/squidserver.hostname.com.crt key=/etc/pki/tls/private/squidserver.hostname.com.key
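Added example, not part of the original post: a small shell check to run on squid.conf before restarting Squid, for either of the https_port lines shown above. It reads every https_port directive, confirms that the cert= and key= files exist, and confirms that the private key is not readable by group or others, since anyone who can read that key can impersonate the proxy to every client. The squid.conf path given on the command line and the temporary files built by the demo function are constructed for this example; the "600 or stricter" rule is this example's policy, not a Squid requirement.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the https_port
# line(s) of a squid.conf (file existence, private-key permissions).
set -u

# Print every "cert=<path>" and "key=<path>" option found on https_port lines.
https_port_files() {
    awk '/^[[:space:]]*https_port/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(cert|key)=/) print $i
         }' "$1"
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if every cert/key referenced from https_port exists and every
# key is mode 600 or stricter; print one problem per line and return 1 otherwise.
check_https_port() {
    conf="$1"; rc=0
    for item in $(https_port_files "$conf"); do
        kind=${item%%=*}; path=${item#*=}
        if [ ! -f "$path" ]; then
            echo "$kind file missing: $path"; rc=1; continue
        fi
        if [ "$kind" = key ]; then
            mode=$(file_mode "$path")
            # keep only the last three digits (drops a setuid/setgid/sticky digit)
            mode=${mode#${mode%???}}
            case "$mode" in
                [0-7]00) ;;   # owner-only access: 600, 400, 700 ...
                *) echo "key $path is mode $mode; expected 600 or stricter"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Constructed demonstration: a temporary squid.conf (same directives as the
# post) whose key file is world-readable, so the check reports it. Returns
# the check's status: 0 when the key was mode 600, 1 when it was 644.
demo_check() {
    keymode="$1"
    d=$(mktemp -d)
    printf 'dummy\n' > "$d/server.crt"
    printf 'dummy\n' > "$d/server.key"
    chmod "$keymode" "$d/server.key"
    printf 'http_port 3128 transparent\nhttps_port 3130 transparent cert=%s/server.crt key=%s/server.key\n' \
        "$d" "$d" > "$d/squid.conf"
    if check_https_port "$d/squid.conf"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

# Usage: sh check_squid_tls.sh /etc/squid/squid.conf   (path is a placeholder)
if [ $# -eq 1 ]; then
    check_https_port "$1"
    exit $?
fi
```

With a key left at the default mode 644 from a cp or a careless genkey run, the check prints the offending path and exits non-zero, which makes it easy to wire into whatever script restarts Squid.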

To make it all work the way we want, we also need to configure BIND DNS for the local intranet with forwarders on, and in the forwarders we define the ISP's DNS server IP address. On the client side both the gateway and the DNS must be defined (in my environment both are the proxy server).
