AEONMike Guide – SQUID 3.3 SSLBUMP under
Debian
#Michael Cabalin http://www.PH-LWUG.org
Pinoy Linux : http://www.facebook.com/groups/117595725078450/
#Install Debian OS
#apt-get install build-essential gcc make
#wget https://launchpad.net/squid/3.3/3.3.0.3/+download/squid-3.3.0.3.tar.gz
#tar xvf squid-3.3.0.3.tar.gz
#cd squid-3.3.0.3
./configure --enable-icap-client --enable-ssl
make
make install
Generate a self-signed certificate
• self-signed certificate (PEM format) generation:
openssl req -new -newkey rsa:1024 -days 3650 -nodes -x509 -keyout your.company.com.pem -out your.company.com
• if needed, you can convert the certificate to DER format to import into browsers (to avoid the certificate warnings):
openssl x509 -in www.yourcompany.com.pem -outform DER -out www.yourcompany.com.der
Onto the actual SQUID configuration. Edit the
/etc/squid.conf file to show the following:
always_direct allow all
ssl_bump allow all
http_port 192.9.200.32:3128 transparent
#the below should be placed on a single line
https_port 192.9.200.32:3129 transparent ssl-bump cert=/etc/squid/ssl_cert/your.company.com.pem key=/etc/squid/ssl_cert/private/your.company.com.pem
Note that you may need to change the “cert=” and “key=” values to point to the correct files in your
environment. You will of course also need to change the IP address.
The first directive (always_direct) is needed because of SslBump. By default ssl_bump operates in accelerator
mode, and in the debug log (cache.log) you would see “failed to select source for”. In accelerator mode the
proxy does not know which backend server to fetch the object from, so this directive
instructs the proxy to ignore accelerator mode and go direct. More details on this here:
http://www.squid-cache.org/Doc/config/always_direct/
The second directive (ssl_bump) instructs the proxy to allow all SSL connections, but this can be
modified to restrict access. You can also use “sslproxy_cert_error” to deny access to sites
with invalid certificates. More details on this here:
http://wiki.squid-cache.org/Features/SslBump
Start squid and check for any errors. If no errors are reported, run:
netstat -nap | grep 3129
to make sure the proxy is up and running. Next, configure iptables to perform destination NAT,
basically to redirect the traffic to the proxy:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.9.200.32:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.9.200.32:3129
The last thing to be done was to either place the proxy physically in line with the traffic or to redirect
the traffic to the proxy using a router. Keep in mind that the proxy will change the source IP
address of the requests to its own IP. In other words, by default it does not reflect the client IP.
That was it in my case. I did try to implement something similar to the above but using explicit
mode. This was my squid.conf file; note that only one port is needed for both HTTP and HTTPS,
since HTTPS is tunneled over HTTP using the CONNECT method:
always_direct allow all
ssl_bump allow all
#the below should be placed on a single line
http_port 8080 ssl-bump cert=/etc/squid/ssl_cert/proxy.testdomain.deCert.pem key=/etc/squid/ssl_cert/private/proxy.testdomain.deKey_without_Pp.pem
SSL Filtering example SQUID.Conf
• Squid configuration (squid.conf):
I post here only the important parts.
acl …
acl …
# you must have CONNECT acl
acl CONNECT method CONNECT
acl metrobank dstdomain www.metrobank.com.ph
acl securitybank dstdomain www.securitybank.com.ph
# maybe not in the future, but we need this :
always_direct allow all
# permissions sections (allow / deny)
http_access allow…
http_access allow…
http_access allow…
http_access deny …
http_access deny …
http_access deny …
# some sites need this :
sslproxy_cert_error allow metrobank
#sslproxy_flags DONT_VERIFY_PEER
# ssl_bump means that you want to intercept (MITM) this SSL connection
ssl_bump allow metrobank
ssl_bump allow securitybank
# and we don't want to intercept other SSL sites :
ssl_bump deny all
# now, you can tell Squid you want to forbid these HTTPS URLs :
…
http_access allow localnet
http_access allow localhost
http_access deny all
# tell Squid you want to intercept SSL
# /!\ SSL interception is not compatible with transparent proxy
# so DON'T write 'intercept' (new name for 'transparent') here
http_port 3128 ssl-bump cert=/path/to/your/self-signed/cert/www.yourcompany.com.pem
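As an added check for both the transparent configuration earlier in the guide and this filtering example (example code written for this page, not part of the guide or of Squid), the script below audits a squid.conf for the directives the guide uses: it reports settings that widen interception or weaken upstream certificate checking, and ssl_bump rules that can never match. The embedded sample configuration is constructed from the guide's filtering example, with the sslproxy_flags line uncommented and one rule moved after "deny all".

```python
"""Audit a squid.conf for the SslBump directives this guide uses (added
example, not from the guide): flags settings that widen interception or
weaken upstream certificate checks, plus ssl_bump rules that can never match
because Squid evaluates access rules first-match."""

# Constructed sample: the guide's filtering example, flags line uncommented, one rule after 'deny all'.
SAMPLE_CONF = """\
acl metrobank dstdomain www.metrobank.com.ph
acl securitybank dstdomain www.securitybank.com.ph
always_direct allow all
sslproxy_cert_error allow metrobank
sslproxy_flags DONT_VERIFY_PEER
ssl_bump allow metrobank
ssl_bump deny all
ssl_bump allow securitybank
http_access allow localnet
http_access deny all
http_port 3128 ssl-bump cert=/path/to/www.yourcompany.com.pem
"""

def directives(conf):
    """Yield (name, args) for each live directive; '#' comments are dropped."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield name, args

def audit_squid_conf(conf):
    """Return a list of finding strings; an empty list means nothing flagged."""
    findings, bumping, terminal_seen, has_direct = [], False, False, False
    for name, args in directives(conf):
        if name in ("http_port", "https_port") and "ssl-bump" in args:
            bumping = True
        elif name == "always_direct" and args[:2] == ["allow", "all"]:
            has_direct = True
        elif name == "ssl_bump":
            if terminal_seen:  # first-match: a rule after 'allow all'/'deny all' never fires
                findings.append(f"unreachable: ssl_bump {' '.join(args)}")
            if args[:2] == ["allow", "all"]:
                findings.append("ssl_bump allow all: every HTTPS session is intercepted")
            terminal_seen = terminal_seen or args[1:2] == ["all"]
        elif name == "sslproxy_flags" and "DONT_VERIFY_PEER" in args:
            findings.append("DONT_VERIFY_PEER: upstream certificates are not verified")
        elif name == "sslproxy_cert_error" and args[:1] == ["allow"]:
            findings.append(f"sslproxy_cert_error allow {' '.join(args[1:])}: "
                            "invalid upstream certificates accepted for this ACL")
    if bumping and not has_direct:  # the guide's 'failed to select source for' symptom
        findings.append("always_direct allow all missing: expect 'failed to select source for'")
    return findings
```

Run it against a real squid.conf by passing the file's contents to audit_squid_conf(); an empty list means none of the guide's risky settings are active.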
