Monday, April 14, 2014

Squid HTTPS/SSL Proxy

A customer was reporting poor performance with one of the product I am working on when he routes the traffic via squid proxy. What is a proxy? Why Squid? Just google it :). Let's get down to business.

Below is the topology. This is a basic setup so that you can get started.


All the machines here are running Kali Linux.

root@maximus:~# uname -a
Linux maximus 3.12-kali1-686-pae #1 SMP Debian 3.12.6-2kali1 (2014-01-06) i686 GNU/Linux

Important while installing the Squid Proxy
Try to get the source file and compile it. While configuring, make sure to give the following switches to ensure SSL is supported.

--enable-ssl --enable-ssl-crtd --enable-icap-client --with-default-user=squid

--with-default-user
You can specify any user you want, just make sure after the installation is done, that user is created and necessary permissions are given. Mainly "that user" will require permission to write to the log directories which is by default /var/logs/

Follow these to get the Squid Proxy installed

wget http://www.squid-cache.org/Versions/v3/3.4/squid-3.4.4.tar.gz
tar -xzvf squid-3.4.4.tar.gz
cd squid-3.4.4
./configure --prefix=/ --enable-icap-client --enable-ssl --enable-ssl-crtd --with-default-user=squid
make
make install

Once done, execute squid -v and squid -h to ensure we have ssl enabled and also to know the path of the configuration file

root@maximus-neptune-21:~# squid -v
Squid Cache: Version 3.4.4
configure options:  '--enable-ssl' '--enable-icap-client' '--enable-ssl-crtd' '--with-default-user=squid' '--prefix=/' --enable-ltdl-convenience

root@maximus-neptune-21:~# squid -h
Usage: squid [-cdhvzCFNRVYX] [-s | -l facility] [-f config-file] [-[au] port] [-k signal]
       -a port   Specify HTTP port number (default: 3128).
       -d level  Write debugging to stderr also.
       -f file   Use given config-file instead of
                 /etc/squid.conf
       -h        Print help message.

We are good to go!

This is what happens when the client tries to connect to the proxy server.

Client tries to connect to the proxy server via https://172.20.73.172:3128
The proxy server, intercepts this and establishes a secure connection between the Client and itself. Then the proxy server creates another secure back-end connection to the actual server.

Though this is transparent mode, you can see that it is not "entirely" transparent to the the client. The reason I am connecting to the proxy server and port explicitly is because I didn't want the readers to get confused with the iptables. This is known as ssl-bump or man in the middle. The original connection from the client is intercepted by the proxy server. So, if anyone hacks into the proxy server, he can get all the data easily. Like, I have already said, this is only for lab testing purpose.

Below is the minimal configuration file /etc/squid.conf
visible_hostname maximus-neptune-21

# This acl will allow anyone. Add the required acl's you want to restrict the access.
acl EVERYONE src all

# This is to tell the Proxy that do not cache the pages. This is not generally used.
cache deny all

# This is where the acl is getting into action
http_access allow EVERYONE
http_access deny all

# 3128 is the https port squid proxy will listen to. You need to generate the key and certificate, these are used to create a secure connection with the client. I am using SSLv3 and hence version=3
https_port 3128 intercept ssl-bump cert=/etc/squid/ssl/public.pem key=/etc/squid/ssl/private.pem version=3

# This is where we specify the server list. I am using SSLv3 and hence sslversion=3
cache_peer 100.1.1.11 parent 443 0 no-query originserver ssl sslversion=3 ssloptions=NO_SSLv2,NO_TLSv1_1,NO_TLSv1_2

# I had some issues with the CA, hence disabled the verification. I don't recommend you do this if it a live environment.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER,NO_DEFAULT_CA

# This will ensure that the connection is send/created to the actual server.
never_direct allow all

Start the Squid Proxy in foreground mode with certain debug level enabled. This will help in finding any configuration syntax errors or any handshake failures etc

squid -NCd1

Check /var/logs/access.log for more debugging information.

For more information, please check http://www.squid-cache.org/
Reference : http://www.squid-cache.org/

4 comments:

  1. Hi
    Am getting an error while accessing https site, any idea what it is about ?

    Failed to establish a secure connection to ip

    The system returned: (71) Protocol error

    This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

    Regards
    Charles

    ReplyDelete
    Replies
    1. Are you seeing a backend connection getting initiated? or is the error thrown by the squid itself? check /var/logs/access.log for more info in the proxy server.

      Delete
  2. I was reading through some of your blog posts on this internet site and I believe this site is rattling informative! Keep on posting. access torrentHound in UK

    ReplyDelete