suntong
Squid Proxy with SSL Bump

Reposted from Squid Proxy with SSL Bump (26 JANUARY 2014), with slight editing.

Squid is an amazingly powerful web proxy that can be used for anything from captive portals, redirection and user authentication to logging, and so on; but Squid has always had a limitation where SSL was concerned. Prior to version 3.2, Squid’s method of handling SSL was to simply pass SSL-encrypted traffic through, as it was unable to do anything with it without invalidating the SSL chain of trust and alerting the user for every SSL connection.

Versions 3.2 and later, however, allow a bit more control: a local certificate authority can be created and chained certificates generated on the fly. Be aware that this method still invalidates the SSL chain of trust.

This how-to is about getting squid running with SSL Bump. The first thing we need to do is make sure that the version of squid you are using is greater than 3.3. While 3.2 is capable of this method, the SSL Bump directive has changed as of version 3.3.

The next thing we need to do is generate a local ssl certificate.

# Generate Private Key
openssl genrsa -out example.com.private 2048  

# Create Certificate Signing Request
openssl req -new -key example.com.private -out example.com.csr

Now we need to sign our Certificate Signing Request.

# Sign Certificate
openssl x509 -req -days 3652 -in example.com.csr -signkey example.com.private -out example.com.cert  

Once that is finished,

  • copy the private key and the certificate to some location where squid can access them,
  • make sure to keep your private key some place secure,
  • the certificate will need to be accessible to the squid proxy user, and installed as a Trusted Root Certificate Authority.

As Squid generates certificates it stores a copy of each in a cache directory, so that it only has to generate a given certificate every so often. So we need to set up its certificate cache.

# Generate certificate cache
/usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
# Change ownership of the certificate cache
chown squid: /var/lib/ssl_db 
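The following script is an added example, not code from the original post: it drives the same openssl steps shown above (key, self-signed certificate, 3652-day lifetime) as a single function, then checks the result before the files are handed to squid. Two things differ from the post's bare commands and are worth seeing in working form. First, the certificate is issued with a basicConstraints CA:TRUE extension (via a small req config), which the plain `openssl x509 -req -signkey` invocation above does not add and which clients generally require of an issuing certificate. Second, the private key is created under a 077 umask so it is never group- or world-readable. The directory argument, the file names `bump-ca.key`/`bump-ca.crt`/`bump-ca.cnf` and the subject name "Example Squid Bump CA" are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not from the original post: create the local CA that Squid's
# ssl_bump will sign per-site certificates with, and check the result before
# handing it to squid. Directory path, file names and CA name are assumptions.

# make_bump_ca DIR: generate a 2048-bit key and a self-signed CA certificate.
# The certificate carries basicConstraints CA:TRUE, which a plain
# "openssl x509 -req -signkey" certificate does not, so clients will accept
# it as an issuer once it is installed as a trusted root.
make_bump_ca() {
    ca_dir="$1"
    mkdir -p "$ca_dir" || return 1
    # Minimal req config; "prompt = no" takes the subject from the [dn] section.
    cat > "$ca_dir/bump-ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no

[dn]
CN = Example Squid Bump CA

[v3_ca]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # Subshell so the restrictive umask does not leak into the caller; the key
    # file is created mode 0600 and never widened.
    (
        umask 077
        openssl genrsa -out "$ca_dir/bump-ca.key" 2048 2>/dev/null
    ) || return 1
    # 3652 days matches the lifetime used in the post.
    openssl req -new -x509 -days 3652 \
        -key "$ca_dir/bump-ca.key" \
        -config "$ca_dir/bump-ca.cnf" \
        -out "$ca_dir/bump-ca.crt" 2>/dev/null || return 1
}

# check_bump_ca DIR: return 0 only if the key is owner-only, the certificate is
# flagged as a CA, and the key really belongs to the certificate.
check_bump_ca() {
    ca_dir="$1"
    key="$ca_dir/bump-ca.key"
    crt="$ca_dir/bump-ca.crt"
    # 1. Private key permissions must be exactly 0600
    #    (find -perm with a bare mode is an exact match).
    [ -n "$(find "$key" -perm 600 2>/dev/null)" ] || return 1
    # 2. The parsed certificate must carry the CA flag.
    openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 2
    # 3. The public key derived from the private key must equal the one in the cert.
    from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    from_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ] || return 3
    return 0
}

# Usage: sh make-bump-ca.sh /path/to/ca-dir
if [ "$#" -gt 0 ]; then
    make_bump_ca "$1" && check_bump_ca "$1" && echo "CA ready in $1"
fi
```

After the script reports the CA as ready, only `bump-ca.crt` leaves the proxy host (that is the file to install as a Trusted Root Certificate Authority on the clients); `bump-ca.key` stays with squid, so `chown` it to the squid user as the post does for the certificate cache rather than loosening its mode. The check function is deliberately strict: if someone later runs `chmod 644` on the key, or swaps in a certificate that was not issued from this key, it fails with a distinct return code so the mismatch is caught before squid starts minting certificates with it.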

That should take care of most of the setup outside Squid itself; let's move on to the Squid configuration...

Details of the configuration and their explanations are omitted in this post. Check the original if you will.
