Introduction

I wanted to provide this information as the information I have found has only been able to help with bits and pieces. For example, one install guide says, “Oh yeah dude, just yum install squid and tellz your browser to like proxy to it and bam, you are done dude!”. Now, to be honest, none of the blogs, forums or documentation I skimmed through said anything exactly like this. What did happen? Well, I was left disappointed as each walkthrough just didn’t succeed for me. Ah, the joys of being a Linux newbie! Wait, or is it just that every time I tinker with some new software that just so happens to run on Linux, I end up “feeling like a newb”?


Conclusion

Before you jump to the bottom, this setup requires all web browsers accessing the internet to have the web browser proxy settings configured to point to this web proxy we are setting up.

This also requires that the CA certificate we create for the proxy server (the certificate, not the private key) be installed as a Trusted Root Certificate Authority on the devices/computers/laptops/cell phones that are going to proxy their internet through this box we are setting up. The location and how to do this varies by the operating system. I can tell you on Windows if a user has Chrome and Firefox, well these browsers just happen to have their own Trusted Root. I want to say, I think, that on Windows there is like an “Enterprise Trust” group or something that all browsers on an operating system trust; then we’ll need to figure that part out.

This is not a Transparent Proxy, although that will come later, along with the infrastructure design of how this goes into the network and maybe a look at ICAP and what we can do with that information.


Resources

The following are some sites I visited while trying to figure this out (maybe I didn’t go to enough sites or read enough):
smoothnet.org/squid-proxy-with-ssl-bump
aacable.wordpress.com/squid-3-and-ssl
wiki.squid-cache.org/Features/DynamicSslCert
quintolabs.com/virtual.php
docs.diladele.com
docs.diladele.com/administrator_guide_4_0/installation_and_removal/install_on_centos_or_redhat_7
docs.diladele.com/administrator_guide_4_2/installation_and_removal/centos7
docs.diladele.com/administrator_guide_4_0/system_configuration/https_filtering/recompile_squid
broexperts.com/squid-rpm-based-installation-using-yum
krizna.com/how-to-install-squid-proxy-on-centos-6/


How-To

Setup a CentOS 7 machine. I configured mine w/ 1 NIC and a static IP address.

I am using VMWare Fusion and I used another VM on my Mac (Windows 8.1) and pointed Firefox to my Proxy VM.

Screen Shot: Shows it works!

 

# ———- Disable SELinux
nano /etc/selinux/config
# change SELINUX=enforcing to SELINUX=disabled
# ———-
# ———- Reboot to complete disablement of SELinux
shutdown -r now
# ———-
# ———- Verify that SELinux is disabled
sestatus
# ———-
# ———-  Fix Firewall/IPTables
firewall-cmd --permanent --zone=public --add-port=3128/tcp
firewall-cmd --reload
# ———- Clean all cached files from any enabled repository.
# ———- Useful to run from time to time to make sure there is nothing using unnecessary space.
yum clean all
# ———-
# ———- Get system update w/ latest software packages
# ———- You can try skipping this if you’d like, if this creates issues for you.
# ———- Yum List Updates will show you what will be updated before you start the “install” process.
yum -y update
# ———-
# ———- Install Squid & Nano (nano is my text editor of choice) & tcpdump (to capture packets and verify decryption)
yum -y install squid nano tcpdump
# ———-
# ———- After the install we can check the installed Squid version
squid -v
# ———-
# ———- CentOS setup to set Squid.service to start on boot
systemctl enable squid.service
# ———-
# ———- Setup Folder to Store Dynamically created/Impersonated/Mimicked  Certificates
/usr/lib64/squid/ssl_crtd -c -s /var/spool/squid_ssldb
chown -R squid:squid /var/spool/squid_ssldb
# ———-
# ———- Setup Folder to store CA cert(s).
# ———- If we want to decrypt we have to become our own CA server.
mkdir /etc/squid/ssl
chown squid:squid /etc/squid/ssl
chmod 700 /etc/squid/ssl
cd /etc/squid/ssl
# ———-
# ———- check version of openssl. make sure not vulnerable
openssl version
# ———-
# ———- Create CA cert and Key. The key and the cert are in the .pem file. Remember this.
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
# ———-
# ———- Convert to der for windows and mac to import to their trusted root auth
openssl x509 -outform der -in myCA.pem -out myCA.crt
# ———-
# ———- make a backup of squid.conf
cp /etc/squid/squid.conf /etc/squid/squid.conf.backup
# ———-
# ———- Note: The default squid.conf file in v3.3.8 will proxy with just adding a few bits in.
# ———- Without the SSL options, decryption and random certificates will not work.
# ———-
# —————————————————- Start squid.conf configuration items —————————————————- #
# ———-
# ———- To modify go to /etc/squid/squid.conf
nano /etc/squid/squid.conf
# ———- sslbump setup to place into squid.conf. comment out the existing http_port 3128 line and put this in its place.
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/myCA.pem
# ———-
# ———- sslbump properties to place into squid.conf
always_direct allow all
ssl_bump server-first all
sslproxy_cert_error deny all
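# Note: DONT_VERIFY_PEER tells Squid to accept upstream server certificates that fail verification.
sslproxy_flags DONT_VERIFY_PEER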
# ———-
# ———- configure path to ssl cache into squid.conf
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
sslcrtd_children 8 startup=1 idle=1
# ———-
# —————————————————- End squid.conf configuration items —————————————————– #
# ———-
# ———- Start Squid
systemctl start squid
# ———-
# ———- Check Status of Squid
systemctl status squid
# ———-
# ———- Stop Squid
systemctl stop squid
# ———-
# ———- Help Info on Squid Command
squid -h
# ———-
# ———- Squid version
squid -v
# ———-
# ———- View Access Log
tail /var/log/squid/access.log
# ———-
# ———- packet capture example. must use port 3128 as all traffic goes there. press ctrl+c to stop capture.
mkdir /etc/squid/captures
tcpdump -i any "port 3128" -w /etc/squid/captures/<some-cap>.pcap
# ———-
# ———- While on a MAC SCP to squid to PULL capture down (windows should use WinSCP GUI clicky things)
scp root@alk-squid01:/etc/squid/captures/<some-cap>.pcap /Users/<Mac-Username>/Desktop/<some-cap>.pcap
# ———-
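
An added example, not part of the original guide: a small shell check that reads the ssl-bump lines of a squid.conf and flags settings worth catching before Squid is started, such as DONT_VERIFY_PEER or two directives run together on one line. Both sample configs are constructed; the function names, the sslproxy_cafile line and its CentOS bundle path are assumptions.

```sh
# Constructed sample: ssl-bump settings with upstream verification off
# and two directives run together on one line.
weak_conf() {
cat <<'EOF'
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/myCA.pem
always_direct allow all
ssl_bump server-first all
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB sslcrtd_children 8 startup=1 idle=1
EOF
}

# Constructed sample: same setup with upstream verification left on.
# The CA bundle path is the CentOS default and is an assumption here.
checked_conf() {
cat <<'EOF'
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl/myCA.pem
always_direct allow all
ssl_bump server-first all
sslproxy_cert_error deny all
sslproxy_cafile /etc/pki/tls/certs/ca-bundle.crt
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
sslcrtd_children 8 startup=1 idle=1
EOF
}

# audit_bump_conf: read squid.conf text on stdin, print one finding per line.
audit_bump_conf() {
    awk '
    $1 ~ /^#/ || NF == 0 { next }        # skip comments and blank lines
    $1 == "sslproxy_flags" && /DONT_VERIFY_PEER/ {
        print "line " NR ": DONT_VERIFY_PEER accepts upstream certificates that fail verification"
    }
    $1 == "sslproxy_cert_error" && $2 == "allow" {
        print "line " NR ": sslproxy_cert_error allow lets failed upstream certificates through"
    }
    $1 == "http_port" && /ssl-bump/ && !/cert=/ {
        print "line " NR ": ssl-bump port has no cert= signing CA"
    }
    {   # a directive name in argument position means two lines were merged
        for (i = 2; i <= NF; i++)
            if ($i ~ /^(http_port|ssl_bump|sslcrtd_program|sslcrtd_children|sslproxy_flags)$/)
                print "line " NR ": " $i " is merged onto the " $1 " line"
    }'
}

echo "weak config:";    weak_conf    | audit_bump_conf
echo "checked config:"; checked_conf | audit_bump_conf
```

To check a live file, run `audit_bump_conf < /etc/squid/squid.conf` after sourcing the function.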