
[proxy] SSL interception using squid

In this article, I'll show you how to configure Squid to act as a 'man-in-the-middle' for HTTPS connections.
If you are doing this for anyone other than yourself (e.g. your company/association), you MUST tell the people concerned; otherwise it is ILLEGAL.

credits : to achieve this, I mainly followed this documentation (but I have not yet implemented dynamic certificate generation) :
http://wiki.squid-cache.org/Features/DynamicSslCert

The normal behaviour of a proxy serving HTTPS sites is to not act as an intermediary: it only tunnels the bytes.
The TLS connection between the web site and the client is end to end.

The only thing you can see in the logs (access.log) is the IP address/FQDN with the CONNECT method (instead of GET/POST) :
1293606062.453    188 192.168.0.1 TCP_MISS/200 5595 CONNECT secured.site.org:443 - DIRECT/12.34.56.78 -


As Squid does not know the URL, you can only write ACLs that match on the domain (e.g. dstdomain) or the IP address.

If for some reason you need to allow an HTTPS site (domain/IP) but want to forbid one URL on it, this can be done with the ssl-bump feature of Squid.

  • installation :
    As this is not normal behaviour and you break the trust placed in SSL by doing this, many distros won't provide this feature in their binary packages.
    If you are running a Debian-based distro, you'll need to get the Squid sources and compile them with the '--enable-ssl' option.
    For now, I personally gave up on Debian/Ubuntu for this Squid MITM install and did it on Arch Linux, where it works like a charm.

  • self-signed certificate (PEM format) generation :
    openssl req -new -newkey rsa:1024 -days 3650 -nodes -x509 -keyout www.yourcompany.com.pem -out www.yourcompany.com.pem
    (key and certificate go to the same file, which is the single PEM that the cert= option of http_port below expects; 1024-bit RSA is considered too weak nowadays, so prefer rsa:2048 or larger)

  • if needed, you can export the certificate in DER format to import into browsers (to avoid the warnings about the broken trust chain) :
    openssl x509 -in www.yourcompany.com.pem -outform DER -out www.yourcompany.com.der

  • Squid configuration (squid.conf) :
    I post here only important parts.

    acl …
    acl …
    # you must have CONNECT acl
    acl CONNECT method CONNECT

    acl clientsboxes dstdomain www.secure.clientsboxes.com
    acl nationalbank dstdomain www.nationalbank.biz

    # write some ACLs to test URL filtering on HTTPS (interception)
    acl rebootbox url_regex ^https://www.secure.clientsboxes.com/path/*to/*reboot/*servers
    acl dropaccount url_regex ^https://www.nationalbank.biz/*showmethemoney/*dropthisaccount

    # maybe not in the future, but we need this :
    always_direct allow all

    # permissions sections (allow / deny)
    http_access allow…
    http_access allow…
    http_access allow…
    http_access deny …
    http_access deny …
    http_access deny …

    # some sites need this :
    sslproxy_cert_error allow nationalbank
    #sslproxy_flags DONT_VERIFY_PEER


    # ssl_bump means that you want to intercept (MITM) this SSL connection
    ssl_bump allow clientsboxes
    ssl_bump allow nationalbank

    # and we don't want to intercept other SSL sites :
    ssl_bump deny all


    # now, you can tell Squid you want to forbid these HTTPS URLs (these deny lines must come before the allow lines below) :
    http_access deny rebootbox
    http_access deny dropaccount

    http_access allow localnet
    http_access allow localhost

    http_access deny all

    # tell Squid you want to intercept SSL
    # /!\ SSL interception is not compatible with transparent proxying,
    # so DON'T write 'intercept' (the new name for 'transparent') here
    http_port 3128 ssl-bump cert=/path/to/your/self-signed/cert/www.yourcompany.com.pem

Now you'll see the full URL in the logs, and URL-based ACLs will be operational.
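To check from the logs that the bump actually took effect (tunnelled CONNECT lines versus lines carrying a full https:// URL) and that the URL deny rules really fire, here is a small audit script. It is an added example, not part of the original article or of Squid: the access.log lines are constructed to match Squid's native log format, and the two url_regex patterns are the ones from the squid.conf above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample lines (not from a real proxy) in Squid's native access.log format:
# timestamp elapsed client result/status bytes method url ident hierarchy/peer content-type
SAMPLE_LOG = """\
1293606062.453    188 192.168.0.1 TCP_MISS/200 5595 CONNECT secured.site.org:443 - DIRECT/12.34.56.78 -
1293606070.101     42 192.168.0.1 TCP_MISS/200 2310 GET https://www.secure.clientsboxes.com/path/to/reboot/servers - DIRECT/12.34.56.79 text/html
1293606071.555     30 192.168.0.2 TCP_DENIED/403 1490 GET https://www.nationalbank.biz/showmethemoney/dropthisaccount - NONE/- text/html
1293606080.002     55 192.168.0.3 TCP_MISS/200 8800 GET https://www.nationalbank.biz/accounts/overview - DIRECT/12.34.56.80 text/html
"""

# The two url_regex ACL patterns from the squid.conf above, copied verbatim.
# "/*" in a regex means "zero or more slashes", so they still match the plain
# paths in the sample log.
BLOCKED_URL_PATTERNS = [
    re.compile(r"^https://www.secure.clientsboxes.com/path/*to/*reboot/*servers"),
    re.compile(r"^https://www.nationalbank.biz/*showmethemoney/*dropthisaccount"),
]


@dataclass
class Entry:
    client: str
    result: str   # e.g. TCP_MISS/200 or TCP_DENIED/403
    method: str
    url: str

    @property
    def tunnelled(self) -> bool:
        # Without ssl-bump an HTTPS request is logged only as "CONNECT host:port".
        return self.method == "CONNECT"

    @property
    def bumped(self) -> bool:
        # After ssl-bump the decrypted request is logged with its full https:// URL.
        return not self.tunnelled and self.url.startswith("https://")


def parse_access_log(text: str) -> List[Entry]:
    """Parse native-format Squid access.log lines; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 10:
            continue
        _ts, _elapsed, client, result, _size, method, url, _ident, _hier, _ctype = fields
        entries.append(Entry(client=client, result=result, method=method, url=url))
    return entries


def audit(entries: List[Entry]) -> Dict[str, object]:
    """Summarise what the proxy could see and whether the URL deny rules fired."""
    blocked_hits = [e for e in entries if e.bumped
                    and any(p.match(e.url) for p in BLOCKED_URL_PATTERNS)]
    # A hit that was not answered with TCP_DENIED means the deny rule sits too late
    # in http_access (or the site is not bumped at all): worth a look.
    policy_gaps = [(e.client, e.url, e.result) for e in blocked_hits
                   if not e.result.startswith("TCP_DENIED")]
    return {
        "tunnelled": sum(e.tunnelled for e in entries),
        "bumped": sum(e.bumped for e in entries),
        "blocked_hits": len(blocked_hits),
        "policy_gaps": policy_gaps,
    }


if __name__ == "__main__":
    for key, value in audit(parse_access_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; any entry listed under policy_gaps is a URL that matched a deny ACL yet was served, which is exactly the symptom of an http_access deny line placed after the allow localnet line.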


ettercap mitm gateway attack

It has been a long time since I sniffed with ettercap, so I typed an example command here :

ettercap -T -m myVictim.log -M arp:remote /172.20.1.1/ /172.20.1.10/

# the -T switch tells ettercap to use the text user interface
# -m selects a simple log file (the output of the text interface, not the ECI version)
# -M selects the man-in-the-middle attack
# arp:remote are the options for the MITM method
# 172.20.1.10 is the victim
# 172.20.1.1 is the gateway