Squid cache - Ssl-Bump for https_port intercept


This post has NOT been accepted by the mailing list yet.

First of all, I have been on this for 8 days, I don't understand what happens and I definitely don't know how to resolve my problem.
All my Google searches didn't give me any working solution.

I have a GUEST network with a captive portal on a pfSense firewall.
This GUEST network is used by external people and I can't configure their devices.
I want to configure a transparent proxy to filter HTTP and HTTPS traffic.
My local proxy is a child of a parent proxy.

Here are the steps I have done:
A client device is connected to the GUEST network.
I manually configure the proxy in the web browser: HTTP and HTTPS are filtered.

Now, I remove this manual configuration from the web browser.
The client device can go anywhere it wants; HTTP and HTTPS are not filtered.

Now, I configure my firewall to port forward: 80 to 3130 of my Squid.
And I configure transparent proxy for HTTP only in squid.conf.
By the way, "http_port 3130 intercept" doesn't work but "http_port 3130 accel" works fine.
HTTP is filtered for the client, well done. The local proxy forwards to the parent proxy.
But HTTPS is not filtered and is wide open.

Now, I configure my firewall to port forward: 443 to 3131 of my Squid.
I configure transparent proxy for HTTPS with ssl-bump in my Squid.
I created a key, a CSR and a certificate.
I configured squid.conf with "https_port 3131 intercept ssl-bump(...)".
On the client, all HTTP and HTTPS are now blocked! Fail...

The error in the web browser is:
The website doesn't accept the connection

Help me please...

My squid.conf:

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

# Squid normally listens to port 3128
http_port 3128
http_port 3130 accel
http_port 3131 intercept ssl-bump generate-host-certificates=off dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/proxy.cert key=/etc/squid/ssl/proxy.key

ssl_bump bump all