Installing SQUID on Ubuntu 18.04 LTS with SSL/HTTPS (SSL Bump) support for websites

Procedure

Configuring the correct date and time (TLS certificate validity checks depend on an accurate clock; timedatectl set-ntp 0 disables systemd-timesyncd so it does not conflict with the ntp daemon installed right after it)
dpkg-reconfigure tzdata
apt-get install ntpdate
ntpdate rs.pool.ntp.org
timedatectl set-ntp 0
apt-get install ntp
date

Installing the packages needed to compile SQUID from source
apt-get update
apt-get install build-essential openssl libssl-dev pkg-config

Creating a download directory for SQUID, compiling it and installing the package into the /usr/local/squid directory (the tarball is fetched over plain HTTP, so compare its checksum or verify the PGP signature published on squid-cache.org before building)
mkdir /downloads
cd /downloads
wget http://www.squid-cache.org/Versions/v4/squid-4.5.tar.gz
tar -zxvf squid-4.5.tar.gz
cd squid-4.5
./configure --with-default-user=proxy --with-openssl --enable-ssl-crtd
make
make install
updatedb

Configuring OPENSSL
vim /etc/ssl/openssl.cnf and add the following to the [ v3_ca ] section (uncomment it if it is already there as a comment):
keyUsage = cRLSign, keyCertSign

Creating the SSL directory structure for Squid
mkdir /usr/local/squid/etc/ssl_cert -p
chown proxy:proxy /usr/local/squid/etc/ssl_cert -R
chmod 700 /usr/local/squid/etc/ssl_cert -R
cd /usr/local/squid/etc/ssl_cert

Create the self-signed CA certificate with which Squid will sign the per-host certificates it generates for bumped HTTPS connections (the command below puts key and certificate together in myCA.pem; -nodes leaves the key unencrypted, which Squid requires, so the 700 permissions set above are what protects it)
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout myCA.pem -out myCA.pem

Exporting the certificate for users' browsers (the DER file contains only the certificate, never the private key)
openssl x509 -in myCA.pem -outform DER -out myCA.der

Creating the SQUID ssl certificate database and assigning permissions
/usr/local/squid/libexec/security_file_certgen -c -s /usr/local/squid/var/logs/ssl_db -M 4MB
chown proxy:proxy /usr/local/squid/var/logs/ssl_db -R
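The following is an added example, not part of the original procedure and not code from the Squid project. It repeats the CA creation step in a scratch directory (a private openssl config stands in for the [ v3_ca ] edit to /etc/ssl/openssl.cnf, and key and certificate are written to separate files and then concatenated into the combined myCA.pem that http_port cert= expects), exports the DER file for browsers, and then does by hand what security_file_certgen does for every bumped host: it mints a certificate for the host signed by the CA and shows that a client which trusts myCA.der accepts it while one that does not rejects it. The CA name, the host name www.example.com and the file names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: reproduce the SSL-Bump CA step and emulate per-host certificate
# generation offline. Requires only the openssl CLI.
set -eu

bump_ca_demo() {
    dir=${1:-$(mktemp -d)}
    host=${2:-www.example.com}      # assumed host a client would CONNECT to
    cnf="$dir/ca.cnf"

    # Stand-in for the [ v3_ca ] edit in /etc/ssl/openssl.cnf: a CA certificate must
    # carry CA:TRUE and keyCertSign or browsers reject every certificate it signs.
    cat >"$cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Squid SSL-Bump demo CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, cRLSign, keyCertSign
subjectKeyIdentifier = hash
EOF

    # Same parameters as the procedure's openssl req command; -nodes leaves the key
    # unencrypted, so it is protected only by file permissions.
    openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 \
        -config "$cnf" -extensions v3_ca \
        -keyout "$dir/myCA.key" -out "$dir/myCA.crt" 2>/dev/null
    cat "$dir/myCA.key" "$dir/myCA.crt" >"$dir/myCA.pem"   # combined file for cert=
    chmod 600 "$dir/myCA.key" "$dir/myCA.pem"

    # Export for browsers: DER must hold the certificate only, never the private key.
    openssl x509 -in "$dir/myCA.crt" -outform DER -out "$dir/myCA.der"
    if grep -aq 'PRIVATE KEY' "$dir/myCA.der"; then
        echo "private key leaked into myCA.der" >&2; return 1
    fi
    openssl x509 -in "$dir/myCA.der" -inform DER -noout -text | grep -q 'CA:TRUE'
    openssl x509 -in "$dir/myCA.der" -inform DER -noout -text | grep -q 'Certificate Sign'

    # What certgen does per bumped host: new key + CSR for the host, signed by the CA
    # with server-only extensions (CA:FALSE, SAN = host) so the leaf cannot sign others.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cnf" \
        -subj "/CN=$host" -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    cat >"$dir/leaf.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/myCA.crt" -CAkey "$dir/myCA.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/leaf.ext" \
        -out "$dir/$host.crt" 2>/dev/null

    # A client that has installed myCA.der accepts the minted leaf for the host ...
    openssl verify -CAfile "$dir/myCA.crt" "$dir/$host.crt" >/dev/null
    # ... and a client that has not (system trust store only) must reject it, which is
    # exactly the browser warning users see before the CA is installed.
    if openssl verify "$dir/$host.crt" >/dev/null 2>&1; then
        echo "leaf unexpectedly trusted without the bump CA" >&2; return 1
    fi
    echo "$dir"
}
```

Run it as bump_ca_demo /tmp/bumpdemo www.example.com; it prints the directory on success and exits non-zero if any of the checks fails. The negative openssl verify at the end is the one to keep in mind: every machine that installs myCA.der stops getting that failure for any host the proxy chooses to mint, which is why the CA key on the proxy deserves the 700 permissions the procedure sets.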

Creating the SQUID configuration, blocking the google.com domain (http_access rules are evaluated top to bottom and the first match wins, so the Safe_ports and CONNECT checks must come before any allow rule and the block_google deny must come before the localnet allow, otherwise the allow short-circuits them)
vim /usr/local/squid/etc/squid.conf
< >
acl localnet src 192.168.0.0/24
acl localnet src 10.0.2.0/24 # 10.0.2.15/24 has host bits set; squid would mask it to this with a warning
acl localnet src 82.214.94.174/32

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

acl block_google dstdomain .google.com

# peek at step 1 to read the client's SNI / CONNECT target, then bump (decrypt) everything
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny localnet block_google
http_access allow localnet
http_access allow localhost
http_access deny all

http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/logs/ssl_db -M 4MB
coredump_dir /usr/local/squid/var/cache/squid
cache_dir ufs /usr/local/squid/var/cache/squid 1000 16 256 # 1GB as Cache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
< >

Creating the cache directory structure (only the var tree, logs and cache, needs to be owned by the proxy user; do not hand the binaries in sbin and libexec to the unprivileged account)
chown -R proxy:proxy /usr/local/squid/var
/usr/local/squid/sbin/squid -z

Creating the SQUID SYSTEMD unit file
vim /etc/systemd/system/squid.service
< >
[Unit]
Description=Squid web caching proxy
After=syslog.target network.target network-online.target nss-lookup.target

[Service]
Environment="SQUID_CONF=/usr/local/squid/etc/squid.conf"
Environment="SQUID_OPTS=-Y"
LimitNOFILE=16384
ExecStartPre=/usr/local/squid/sbin/squid -N -z -f ${SQUID_CONF}
ExecStart=/usr/local/squid/sbin/squid -N $SQUID_OPTS -f ${SQUID_CONF}
ExecReload=/usr/local/squid/sbin/squid -k reconfigure -f ${SQUID_CONF}
ExecStop=/usr/local/squid/sbin/squid -k shutdown $SQUID_OPTS -f ${SQUID_CONF}

[Install]
WantedBy=multi-user.target
< >

Reload the systemd daemon so that the new unit is loaded into systemd
systemctl daemon-reload

Start/Stop/Restart/Reload/Status of the SQUID service (enable it with systemctl enable squid if it should start at boot)
systemctl start|stop|restart|reload|status squid

On Windows machines install the myCA.der certificate we created by double-clicking myCA.der.
The certificate is then installed under Local Machine - Place all certificates in the following store - Browse - Trusted Root Certification Authorities - OK. Once it is in that store every HTTPS site reached through the proxy is trusted via this CA, so keep the CA key on the proxy readable only by the proxy user. To check the setup from such a client configured to use the proxy on port 3128: https://www.google.com must be refused by the proxy, and any other HTTPS site must load without a warning and show a certificate whose issuer is the CA name entered when myCA.pem was created.

After this SQUID intercepts HTTPS traffic: it terminates the client's TLS session with a certificate it generates on the fly for the requested host and signs with our CA (which is why the clients must trust myCA.der), opens its own TLS connection to the origin server, and therefore sees the plaintext HTTP request and response, from which it takes the domain for the dstdomain rules and the content for caching, before re-encrypting the response towards the client. Applications that pin certificates or do not use the system trust store will reject the generated certificate; such destinations have to be excluded from bumping (spliced) rather than bumped.
