Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
SlideShare a Scribd company logo

Aeon mike guide transparent ssl filtering

C
Conrad Cruz

This document provides instructions for configuring SQUID 3.3 to act as an SSL bumping proxy on a Debian system. It describes how to generate a self-signed SSL certificate, edit the squid.conf file to enable SSL bumping and specify the certificate files, configure iptables rules to redirect HTTP and HTTPS traffic to the proxy ports, and provides an example configuration for filtering access to specific banking sites over HTTPS.

Related slideshows

grate techniques
grate techniquesgrate techniques
grate techniques
 
Step by-step installation of a secure linux web dns- and mail server
Step by-step installation of a secure linux web dns- and mail serverStep by-step installation of a secure linux web dns- and mail server
Step by-step installation of a secure linux web dns- and mail server
 
Squid Server
Squid ServerSquid Server
Squid Server
 
1 of 4
Download to read offline
AEONMike Guide – SQUID 3.3 SSLBUMP under Debian #Michael Cabalin http://www.PH-LWUG.org Pinoy Linux : http://www.facebook.com/groups/117595725078450/ #Install Debian OS #apt-get install build-essential gcc make #wget https://launchpad.net/squid/3.3/3.3.0.3/+download/squid-3.3.0.3.tar.gz #tar xvf squid-3.3.0.3.tar.gz #cd squid-3.3.0.3 ./configure –enable-icap-client –enable-ssl make make install Generate Self Sign • self-signed certificate (pem format) generation : openssl req -new -newkey rsa:1024 -days 3650 -nodes -x509 -keyout your.company.com.pem -out your.company.com • if needed, you can generate the certificate to import on browsers (to avoid the warnings about the security breach) : openssl x509 -in www.yourcompany.com.pem -outform DER -out www.yourcompany.com.der Onto the actual SQUID configuration. Edit the /etc/squid.conf file to show the following: always_direct allow all ssl_bump allow all http_port 192.9.200.32:3128 transparent
#the below should be placed on a single line https_port 192.9.200.32:3129 transparent ssl-bump cert=/etc/squid/ssl_cert/ your.company.com.pem key=/etc/squid/ssl_cert/private/your.company.com.pem Note you may need to change the “cert=” and the “key=” to point to the correct file in your environment. Also of course you will need to change the IP address The first directive (always_direct) is due to SslBump. By default ssl_bump is set to accelerator mode. In debug logs cache.log you’d see “failed to select source for”. In accelerator mode, the proxy does not know which backend server to use to retrieve the file from, so this directive instructs the proxy to ignore the accelerator mode. More details on this here: The first directive (always_direct) is due to SslBump. By default ssl_bump is set to accelerator mode. In debug logs cache.log you’d see “failed to select source for”. In accelerator mode, the proxy does not know which backend server to use to retrieve the file from, so this directive instructs the proxy to ignore the accelerator mode. More details on this here: http://www.squid-cache.org/Doc/config/always_direct/ The second directive (ssl_bump) instructs the proxy to allow all SSL connections, but this can be modified to restirct access. You can also use the “sslproxy_cert_error” to deny access to sites with invalid certificates. More details on this here: http://wiki.squid-cache.org/Features/SslBump Start squid and check for any errors. If no errors are reported, run: netstat -nap | grep 3129 to make sure the proxy is up and running. Next, configure iptables to perform destination NAT, basically to redirect the traffic to the proxy: iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 80 -j DNAT –to-destination 192.9.200.32:3128 iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 443 -j DNAT –to-destination 192.9.200.32:3129 Last thing to be done was to either place the proxy physically in line with the traffic or to redirect the traffic to the proxy using a router. Keep in mind that the proxy will change the source IP address of the requests to it’s own IP. In other words, by default it does not reflect the client IP. That was it in my case. I did try to implement something similar to the above but using explicit mode. This was my squid.conf file, note only one port is needed for both HTTP and HTTPS since HTTPS is tunneled over HTTP using the CONNECT method:
always_direct allow all ssl_bump allow all #the below should be placed on a single line http_port 8080 ssl-bump cert=/etc/squid/ssl_cert/proxy.testdomain.deCert.pem key=/etc/squid/ssl_cert/private/proxy.testdomain.deKey_without_Pp.pem SSL Filtering example SQUID.Conf • Squid configuration (squid.conf) : I post here only important parts. acl … acl … # you must have CONNECT acl acl CONNECT method CONNECT acl metrobank dstdomain www.metrobank.com.ph acl securitybank dstdomain www.securitybank.com.ph # maybe not in the future, but we need this : always_direct allow all # permissions sections (allow / deny) http_access allow… http_access allow…
http_access allow… http_access deny … http_access deny … http_access deny … # some sites need this : sslproxy_cert_error allow metrobank #sslproxy_flags DONT_VERIFY_PEER # ssl_bump means that you want to intercept (MITM) this SSL connection ssl_bump allow metrobank ssl_bump allow securitybank # and we don’t want to intercept others SSL sites : ssl_bump deny all # now, you can tell Squid you want to forbid theses HTTPS url : … http_access allow localnet http_access allow localhost http_access deny all # tell Squid you want to intercept SSL # /! SSL interception is not compatible with transparent proxy # so DON’T write here ‘intercept’ (new name for ‘transparent’) http_port 3128 ssl-bump cert=/path/to/your/self- signed/cert/www.yourcompany.com.pem

More Related Content

Aeon mike guide transparent ssl filtering

  • 1. AEONMike Guide – SQUID 3.3 SSLBUMP under Debian #Michael Cabalin http://www.PH-LWUG.org Pinoy Linux : http://www.facebook.com/groups/117595725078450/ #Install Debian OS #apt-get install build-essential gcc make #wget https://launchpad.net/squid/3.3/3.3.0.3/+download/squid-3.3.0.3.tar.gz #tar xvf squid-3.3.0.3.tar.gz #cd squid-3.3.0.3 ./configure –enable-icap-client –enable-ssl make make install Generate Self Sign • self-signed certificate (pem format) generation : openssl req -new -newkey rsa:1024 -days 3650 -nodes -x509 -keyout your.company.com.pem -out your.company.com • if needed, you can generate the certificate to import on browsers (to avoid the warnings about the security breach) : openssl x509 -in www.yourcompany.com.pem -outform DER -out www.yourcompany.com.der Onto the actual SQUID configuration. Edit the /etc/squid.conf file to show the following: always_direct allow all ssl_bump allow all http_port 192.9.200.32:3128 transparent
  • 2. #the below should be placed on a single line https_port 192.9.200.32:3129 transparent ssl-bump cert=/etc/squid/ssl_cert/ your.company.com.pem key=/etc/squid/ssl_cert/private/your.company.com.pem Note you may need to change the “cert=” and the “key=” to point to the correct file in your environment. Also of course you will need to change the IP address The first directive (always_direct) is due to SslBump. By default ssl_bump is set to accelerator mode. In debug logs cache.log you’d see “failed to select source for”. In accelerator mode, the proxy does not know which backend server to use to retrieve the file from, so this directive instructs the proxy to ignore the accelerator mode. More details on this here: The first directive (always_direct) is due to SslBump. By default ssl_bump is set to accelerator mode. In debug logs cache.log you’d see “failed to select source for”. In accelerator mode, the proxy does not know which backend server to use to retrieve the file from, so this directive instructs the proxy to ignore the accelerator mode. More details on this here: http://www.squid-cache.org/Doc/config/always_direct/ The second directive (ssl_bump) instructs the proxy to allow all SSL connections, but this can be modified to restirct access. You can also use the “sslproxy_cert_error” to deny access to sites with invalid certificates. More details on this here: http://wiki.squid-cache.org/Features/SslBump Start squid and check for any errors. If no errors are reported, run: netstat -nap | grep 3129 to make sure the proxy is up and running. Next, configure iptables to perform destination NAT, basically to redirect the traffic to the proxy: iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 80 -j DNAT –to-destination 192.9.200.32:3128 iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 443 -j DNAT –to-destination 192.9.200.32:3129 Last thing to be done was to either place the proxy physically in line with the traffic or to redirect the traffic to the proxy using a router. Keep in mind that the proxy will change the source IP address of the requests to it’s own IP. In other words, by default it does not reflect the client IP. That was it in my case. I did try to implement something similar to the above but using explicit mode. This was my squid.conf file, note only one port is needed for both HTTP and HTTPS since HTTPS is tunneled over HTTP using the CONNECT method:
  • 3. always_direct allow all ssl_bump allow all #the below should be placed on a single line http_port 8080 ssl-bump cert=/etc/squid/ssl_cert/proxy.testdomain.deCert.pem key=/etc/squid/ssl_cert/private/proxy.testdomain.deKey_without_Pp.pem SSL Filtering example SQUID.Conf • Squid configuration (squid.conf) : I post here only important parts. acl … acl … # you must have CONNECT acl acl CONNECT method CONNECT acl metrobank dstdomain www.metrobank.com.ph acl securitybank dstdomain www.securitybank.com.ph # maybe not in the future, but we need this : always_direct allow all # permissions sections (allow / deny) http_access allow… http_access allow…
  • 4. http_access allow… http_access deny … http_access deny … http_access deny … # some sites need this : sslproxy_cert_error allow metrobank #sslproxy_flags DONT_VERIFY_PEER # ssl_bump means that you want to intercept (MITM) this SSL connection ssl_bump allow metrobank ssl_bump allow securitybank # and we don’t want to intercept others SSL sites : ssl_bump deny all # now, you can tell Squid you want to forbid theses HTTPS url : … http_access allow localnet http_access allow localhost http_access deny all # tell Squid you want to intercept SSL # /! SSL interception is not compatible with transparent proxy # so DON’T write here ‘intercept’ (new name for ‘transparent’) http_port 3128 ssl-bump cert=/path/to/your/self- signed/cert/www.yourcompany.com.pem