A customer was reporting poor performance with one of the product I am working on when he routes the traffic via squid proxy. What is a proxy? Why Squid? Just google it :). Let's get down to business.
Below is the topology. This is a basic setup so that you can get started.
All the machines here are running Kali Linux.
Below is the topology. This is a basic setup so that you can get started.
All the machines here are running Kali Linux.
root@maximus:~# uname -a
Linux maximus 3.12-kali1-686-pae #1 SMP Debian 3.12.6-2kali1 (2014-01-06) i686 GNU/Linux
Important while installing the Squid Proxy
Try to get the source file and compile it. While configuring, make sure to give the following switches to ensure SSL is supported.
--enable-ssl --enable-ssl-crtd --enable-icap-client --with-default-user=squid
--with-default-user
You can specify any user you want, just make sure after the installation is done, that user is created and necessary permissions are given. Mainly "that user" will require permission to write to the log directories which is by default /var/logs/
Follow these to get the Squid Proxy installed
wget http://www.squid-cache.org/Versions/v3/3.4/squid-3.4.4.tar.gz
tar -xzvf squid-3.4.4.tar.gz
cd squid-3.4.4
./configure --prefix=/ --enable-icap-client --enable-ssl --enable-ssl-crtd --with-default-user=squid
make
make install
Once done, execute squid -v and squid -h to ensure we have ssl enabled and also to know the path of the configuration file
root@maximus-neptune-21:~# squid -v Squid Cache: Version 3.4.4 configure options: '--enable-ssl' '--enable-icap-client' '--enable-ssl-crtd' '--with-default-user=squid' '--prefix=/' --enable-ltdl-convenience
root@maximus-neptune-21:~# squid -h
Usage: squid [-cdhvzCFNRVYX] [-s | -l facility] [-f config-file] [-[au] port] [-k signal]
-a port Specify HTTP port number (default: 3128).
-d level Write debugging to stderr also.
-f file Use given config-file instead of
/etc/squid.conf
-h Print help message.
We are good to go!
This is what happens when the client tries to connect to the proxy server.
Client tries to connect to the proxy server via https://172.20.73.172:3128
The proxy server, intercepts this and establishes a secure connection between the Client and itself. Then the proxy server creates another secure back-end connection to the actual server.
Though this is transparent mode, you can see that it is not "entirely" transparent to the the client. The reason I am connecting to the proxy server and port explicitly is because I didn't want the readers to get confused with the iptables. This is known as ssl-bump or man in the middle. The original connection from the client is intercepted by the proxy server. So, if anyone hacks into the proxy server, he can get all the data easily. Like, I have already said, this is only for lab testing purpose.
Below is the minimal configuration file /etc/squid.conf
visible_hostname maximus-neptune-21 # This acl will allow anyone. Add the required acl's you want to restrict the access. acl EVERYONE src all # This is to tell the Proxy that do not cache the pages. This is not generally used. cache deny all # This is where the acl is getting into action http_access allow EVERYONE http_access deny all # 3128 is the https port squid proxy will listen to. You need to generate the key and certificate, these are used to create a secure connection with the client. I am using SSLv3 and hence version=3 https_port 3128 intercept ssl-bump cert=/etc/squid/ssl/public.pem key=/etc/squid/ssl/private.pem version=3 # This is where we specify the server list. I am using SSLv3 and hence sslversion=3 cache_peer 100.1.1.11 parent 443 0 no-query originserver ssl sslversion=3 ssloptions=NO_SSLv2,NO_TLSv1_1,NO_TLSv1_2 # I had some issues with the CA, hence disabled the verification. I don't recommend you do this if it a live environment. sslproxy_cert_error allow all sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA # This will ensure that the connection is send/created to the actual server. never_direct allow all
squid -NCd1
Check /var/logs/access.log for more debugging information.
For more information, please check http://www.squid-cache.org/
Reference : http://www.squid-cache.org/