squid mitm


Niels Hofmans
Hi guys,

I am trying to set up squid with TLS interception on Docker in an alpine linux image.

My configuration is as follows:

access_log /dev/stdout

https_port 0.0.0.0:3128 \
intercept \
ssl-bump \
cert=/ca.pem \
generate-host-certificates=on \
dynamic_cert_mem_cache_size=500MB

sslcrtd_program /usr/lib/squid/security_file_certgen -s /cache/ssl.db -M 100MB
sslcrtd_children 5

ssl_bump server-first all
sslproxy_cert_error allow all

And the Dockerfile:

FROM alpine

RUN apk add -U --no-cache squid
COPY cmd/config/ca.pem cmd/config/squid.conf /
RUN mkdir -p /cache \
&& /usr/lib/squid/security_file_certgen -c -s /cache/ssl.db -M 100MB

EXPOSE 3128
ENTRYPOINT ["/usr/sbin/squid", "-f", "/squid.conf"]

However, this always exits with following error:

proxy_1       | [00] 2020/11/18 15:38:27| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
proxy_1       | [00] 2020/11/18 15:38:27| FATAL: No valid signing certificate configured for HTTPS_port 0.0.0.0:3128
proxy_1       | [00] 2020/11/18 15:38:27| Squid Cache (Version 4.13): Terminated abnormally.
proxy_1       | [00] CPU Usage: 0.036 seconds = 0.021 user + 0.014 sys
proxy_1       | [00] Maximum Resident Size: 42256 KB
proxy_1       | [00] Page faults with physical i/o: 0


And cmd/config/ca.pem was created with the command from the wiki on macOS: openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout ca.pem -out ca.pem
Any ideas? Thanks!

-- 
Met vriendelijke groeten,
Niels Hofmans

SITE   https://ironpeak.be
BTW   BE0694785660
BANK BE76068909740795


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: squid mitm

Amos Jeffries
Administrator
On 19/11/20 4:48 am, Niels Hofmans wrote:
> Hi guys,
>
> I am trying to set up squid with TLS interception on Docker in an alpine
> linux image.
>
> My configuration is as follows:
>
> access_log /dev/stdout
>

Not a great idea. stdout is process specific ... and Squid is a
collection of multiple processes that can change over time.

You can use TCP logging if you need to stream the data out of the
container. see <https://wiki.squid-cache.org/Features/LogModules> for
details.


> https_port 0.0.0.0:3128 \
>    intercept \
>    ssl-bump \
>    cert=/ca.pem \
>    generate-host-certificates=on \
>    dynamic_cert_mem_cache_size=500MB
>
> sslcrtd_program /usr/lib/squid/security_file_certgen -s /cache/ssl.db -M 100MB
> sslcrtd_children 5
>
> ssl_bump server-first all
> sslproxy_cert_error allow all
>

These indicate that you are using a Squid-3.4 or older. Please upgrade
to at least Squid-4. Ideally Squid-5 (beta) or even Squid-6 (alpha) for
best TLS behaviour.


>
> And the Dockerfile:
>
> FROM alpine
>
> RUN apk add -U --no-cache squid
> COPY cmd/config/ca.pem cmd/config/squid.conf /
> RUN mkdir -p /cache \
> && /usr/lib/squid/security_file_certgen -c -s /cache/ssl.db -M 100MB
>
> EXPOSE 3128
> ENTRYPOINT ["/usr/sbin/squid", "-f", "/squid.conf"]
>
>
> However, this always exits with following error:
>
> proxy_1       | [00] 2020/11/18 15:38:27| WARNING: BCP 177 violation.
> Detected non-functional IPv6 loopback.
> proxy_1       | [00] 2020/11/18 15:38:27| FATAL: No valid signing
> certificate configured for HTTPS_port 0.0.0.0:3128
> proxy_1       | [00] 2020/11/18 15:38:27| Squid Cache (Version 4.13):
> Terminated abnormally.
> proxy_1       | [00] CPU Usage: 0.036 seconds = 0.021 user + 0.014 sys
> proxy_1       | [00] Maximum Resident Size: 42256 KB
> proxy_1       | [00] Page faults with physical i/o: 0
>
>
> And cmd/config/ca.pem was created with the command
> from the wiki on macOS: openssl req -new -newkey rsa:1024 -days 365
> -nodes -x509 -keyout ca.pem -out ca.pem
> Any ideas? Thanks!
>

That command generates a regular server certificate. SSL-Bump needs a CA
certificate.

Here are the correct command(s) for generating a root CA certificate for
Squid and a DER file for client install:

<https://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Usage>

Note: most of the rest of that page can be used as instructions for your
setup. The only notable difference is the http(s)_port line settings;
your current one is correct for an MITM proxy.


Amos
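The point of Amos's reply is that `https_port ... cert=` must name a CA, not a leaf certificate. Whether a plain `openssl req -x509` emits CA extensions depends on the `x509_extensions` section of the openssl.cnf in use, so rather than trust the default, the script below pins the extensions in its own config, writes the combined key+cert PEM for `cert=` plus the DER copy for client trust stores, and checks any candidate file the way a practitioner would before starting Squid. This is an added example, not code from the thread or from the Squid project; the CN values and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project).
# Builds a root CA for Squid ssl-bump and checks a cert= file before Squid
# sees it. CN values and file names are assumptions.
set -eu

# write_req_config <file> <cn> <ca|leaf>
# A private openssl.cnf so the extensions do not depend on the host's default
# config (the usual cause of "it worked on one machine and not another").
write_req_config() {
  cfg=$1; cn=$2; kind=$3
  if [ "$kind" = ca ]; then
    ext='basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign'
  else
    ext='basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment'
  fi
  cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ext

[ dn ]
CN = $cn

[ ext ]
subjectKeyIdentifier = hash
$ext
EOF
}

# selfsigned <cn> <ca|leaf> <out.pem>: combined key+cert PEM, the layout cert= expects.
selfsigned() {
  cn=$1; kind=$2; out=$3
  cfg=$(mktemp)
  write_req_config "$cfg" "$cn" "$kind"
  openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
    -config "$cfg" -keyout "$out.key" -out "$out.crt" 2>/dev/null
  cat "$out.key" "$out.crt" > "$out"
  chmod 600 "$out"
  rm -f "$cfg" "$out.key" "$out.crt"
}

# make_bump_ca <ca.pem> <ca.der>: the signing CA plus the DER copy for client trust stores.
make_bump_ca() {
  selfsigned "Example Squid Bump CA" ca "$1"
  openssl x509 -in "$1" -outform DER -out "$2"
}

# make_leaf_cert <server.pem>: an ordinary server certificate, for contrast.
make_leaf_cert() {
  selfsigned "proxy.example.test" leaf "$1"
}

# check_squid_signing_cert <file>
# Fails unless the file holds a private key and a certificate that OpenSSL
# would accept as a CA: basicConstraints CA:TRUE and, if keyUsage is present,
# Certificate Sign. A file that fails here is what Squid rejects with
# "No valid signing certificate configured".
check_squid_signing_cert() {
  f=$1
  grep -q 'BEGIN .*PRIVATE KEY' "$f" \
    || { echo "$f: no private key in file" >&2; return 1; }
  text=$(openssl x509 -in "$f" -noout -text 2>/dev/null) \
    || { echo "$f: no PEM certificate in file" >&2; return 1; }
  printf '%s\n' "$text" | grep -q 'CA:TRUE' \
    || { echo "$f: basicConstraints is not CA:TRUE" >&2; return 1; }
  if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage' \
     && ! printf '%s\n' "$text" | grep -q 'Certificate Sign'; then
    echo "$f: keyUsage present but lacks keyCertSign" >&2; return 1
  fi
  echo "$f: usable as ssl-bump signing CA"
}

# Demo; skipped when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  make_bump_ca "$work/ca.pem" "$work/ca.der"
  make_leaf_cert "$work/server.pem"
  check_squid_signing_cert "$work/ca.pem"
  check_squid_signing_cert "$work/server.pem" || echo "(expected: a server cert cannot sign)"
  rm -rf "$work"
fi
```

Point `cert=` at the combined PEM (`cert=/ca.pem`, as in the original config) and install only the DER copy on clients; the PEM carries the private key and must never leave the proxy image. Run `check_squid_signing_cert` on the file you actually COPY into the image, not on a locally regenerated one, since the failing file is the one Squid reads.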