
Squid transparent proxy for https / ssl traffic


We use a transparent proxy when we want to avoid client-side proxy configuration, or when we want to force users' traffic through the proxy server.

Some of the key reasons for, and advantages of, using a transparent proxy are the following:

  • Caching of web content and DNS lookups
  • Access control to internet resources (who can access what)
  • Client bandwidth control / proxy-level QoS
  • Assistance with content filtering (like SquidGuard)
  • Maintaining client access logs for security compliance
  • Protecting client machines from direct exposure to the Internet

Setting up a transparent proxy for http (clear-text web traffic with no encryption) is a simple job.

Setting up a transparent proxy for https/ssl traffic, on the other hand, is different: it involves setting up an SSL certificate. However, the browser will keep complaining, because it detects the transparent proxy on the ssl traffic and treats it as a man in the middle. So using a transparent proxy for ssl traffic might not be very practical. I would rather set up a proxy auto-configuration (PAC) file and deploy it through the web proxy auto-discovery protocol (WPAD) for my enterprise network.

In this blog I shall describe how to set up a transparent proxy in a few simple steps, both for http traffic and for ssl/https traffic.

Setting up transparent proxy for http traffic using squid 2.6 on a linux box:

Before you start setting up a transparent proxy, make sure your squid is running and that the access list is configured to allow client machines to use this proxy server. The following lines in your squid.conf file set up the access list, where 192.168.0.0/24 is your network address:

acl our_networks src 192.168.0.0/24 127.0.0.1
http_access allow our_networks

Setting up transparent proxy

We assume you make your squid proxy server your network gateway, and we will redirect all http traffic arriving at the gateway through the squid proxy. You can run a different gateway and re-route your https traffic through the proxy; however, we are not covering that in this blog.

Assuming your gateway/proxy server address is 192.168.0.1 and the client http traffic we intercept uses port 80, you need to add the following line to the squid configuration file squid.conf to make it work.

For squid 2.6:

http_port 3128 transparent

For squid < 2.6:

httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_host virtual
httpd_accel_uses_host_header on

Assuming the linux box is the gateway, IP forwarding must be on. If it is not, turn it on (this setting does not survive a reboot; set net.ipv4.ip_forward = 1 in /etc/sysctl.conf to make it permanent):

echo 1 > /proc/sys/net/ipv4/ip_forward

Then redirect all http traffic forwarded through the gateway on port 80 to port 3128:

iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128

Check your other firewall entries to make sure traffic is passing through properly.

Check on a client machine: your transparent proxy should now be up and running for http traffic.

Setting up transparent proxy for https traffic using squid:

As I mentioned, setting up a transparent proxy for https traffic requires the additional step of creating a certificate set.

Setting up squid as a transparent proxy forwards all requests arriving on port 80 to the squid server's port, 3128 (the default) in the earlier example. Port 80 is used for clear-text http traffic with no encryption; https/ssl usually uses port 443. For a transparent proxy over https we will use iptables to forward port 443 traffic to a different squid port (in this case port 3130) that is configured to handle https interception. The default port 3128, which handles clear-text http traffic, cannot handle https traffic.

An https connection establishes a secure channel over the network, and to do that it uses a certificate and a public/private key pair. In this case squid acts as a man in the middle: it exchanges certificates with the client, and once that is done it exchanges certificates with the server on behalf of the client. This goes on for the entire session. Once the proxy server has completed the certificate exchange with both the client and the web server, the traffic is passed through from client to server.

To make it work we shall follow three simple steps.

  1. Create the certificate set, writing the private key and the certificate to separate files (the names below match the cert= and key= options used in the next step). Note that 1024-bit RSA keys are considered too weak today; use at least rsa:2048 on a current system.

openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout proxy.example.com.key -out proxy.example.com.cert

  2. Enable the https proxy in squid on port 3130 by adding the following line to your squid.conf file:

https_port 192.168.0.1:3130 transparent cert=/path/proxy.example.com.cert key=/path/proxy.example.com.key

You need to change "cert=" and "key=" to point to the file set you just created. On Squid 3.x the listener option is spelled intercept and the port also needs ssl-bump, as in the squid.conf quoted in the comments below. Then reload squid (squid -k reconfigure).

  3. Redirect https traffic to squid's https proxy port:

iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 443 -j REDIRECT --to-port 3130
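The http and https setups above each pair a squid listener with an iptables REDIRECT rule, and the two have to agree: the redirect target must be a port squid actually listens on, in transparent (or intercept) mode, with an http_port behind port 80 and an https_port behind port 443. The checker below, an added example that is not part of this post, parses a squid.conf fragment and the iptables rules for exactly those directives and also rejects garbled addresses and masks, the slips that are easiest to make when typing these lines by hand. The config and rules at the bottom are constructed for the demo and deliberately contain two such slips (a doubled dot in the bind address and /2 in place of /24).

```python
"""Consistency checks for a transparent squid setup: the http_port/https_port
listeners in squid.conf versus the iptables REDIRECT rules that feed them.

Added example for this post (not code from the original article).  It only
understands the directives the post uses: http_port, https_port,
'acl NAME src ...' and iptables '... --dport N -j REDIRECT --to-port M'.
"""
import ipaddress
import re

PORT_RE = re.compile(r"^(https?)_port\s+(\S+)(.*)$")
REDIRECT_RE = re.compile(r"--dport\s+(\d+)\s+-j\s+REDIRECT\s+--to-ports?\s+(\d+)")
SRC_RE = re.compile(r"(?:^|\s)-s\s+(\S+)")


def _valid_network(token):
    """strict=True rejects '192.168.0.0/2' (host bits set) and garbled IPs."""
    try:
        ipaddress.ip_network(token, strict=True)
        return True
    except ValueError:
        return False


def parse_squid_conf(text):
    """Return ({port: listener}, [(acl_name, src_token), ...])."""
    listeners, acl_sources = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        m = PORT_RE.match(line)
        if m:
            scheme, addr, rest = m.groups()
            host, _, port = addr.rpartition(":")     # "ip:port" or bare "port"
            listeners[int(port)] = {"scheme": scheme, "opts": rest.split(),
                                    "host": host.strip("[]") or None}
            continue
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "acl" and parts[2] == "src":
            acl_sources.extend((parts[1], tok) for tok in parts[3:])
    return listeners, acl_sources


def check_setup(squid_conf, iptables_rules):
    """Return a list of findings; an empty list means the pieces agree."""
    findings = []
    listeners, acl_sources = parse_squid_conf(squid_conf)

    for name, tok in acl_sources:
        if not _valid_network(tok):
            findings.append(f"acl {name}: '{tok}' is not a valid network")

    for port, ent in listeners.items():
        if ent["host"] is not None:
            try:
                ipaddress.ip_address(ent["host"])
            except ValueError:
                findings.append(f"{ent['scheme']}_port {port}: bad bind address '{ent['host']}'")
        if ent["scheme"] == "https" and not any(o.startswith("cert=") for o in ent["opts"]):
            findings.append(f"https_port {port}: no cert= option")

    for rule in iptables_rules:
        m = REDIRECT_RE.search(rule)
        if not m:
            continue                                 # not a REDIRECT rule
        dport, to_port = int(m.group(1)), int(m.group(2))
        tag = f"redirect {dport}->{to_port}"
        s = SRC_RE.search(rule)
        if s and not _valid_network(s.group(1)):
            findings.append(f"{tag}: '-s {s.group(1)}' is not a valid network")
        ent = listeners.get(to_port)
        if ent is None:
            findings.append(f"{tag}: squid has no listener on port {to_port}")
            continue
        if not {"transparent", "intercept"} & set(ent["opts"]):
            findings.append(f"{tag}: listener on {to_port} lacks transparent/intercept")
        want = "https" if dport == 443 else "http"
        if ent["scheme"] != want:
            findings.append(f"{tag}: port {dport} traffic needs an {want}_port listener, "
                            f"found {ent['scheme']}_port")
    return findings


# Constructed sample input with two typical slips: a doubled dot in the
# https_port bind address and a /2 mask where /24 was meant.
POST_CONF = """\
acl our_networks src 192.168.0.0/24 127.0.0.1
http_access allow our_networks
http_port 3128 transparent
https_port 192.168.0..250:3130 transparent cert=/path/proxy.example.com.cert key=/path/proxy.example.com.key
"""
POST_RULES = [
    "iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128",
    "iptables -t nat -A PREROUTING -s 192.168.0.0/2 -p tcp --dport 443 -j REDIRECT --to-port 3130",
]
FIXED_CONF = POST_CONF.replace("192.168.0..250", "192.168.0.1")
FIXED_RULES = [POST_RULES[0], POST_RULES[1].replace("/2 ", "/24 ")]

if __name__ == "__main__":
    for label, conf, rules in (("with slips", POST_CONF, POST_RULES), ("fixed", FIXED_CONF, FIXED_RULES)):
        print(label, check_setup(conf, rules) or ["ok"])
```

Run it against your own squid.conf and the output of `iptables -t nat -S PREROUTING` before reloading squid; a redirect that lands on a non-intercept port, or on a port with the wrong scheme, is the usual reason a transparent setup "works" for http and silently breaks for https.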

Your transparent proxy on squid for https/ssl is ready to go. However, remember that every time you open an https page, the browser will complain about the authenticity of the certificate it received from the proxy server. Even if the certificate is signed, it will not match the web server's DNS name. This can be a drag for all end users.

You may look into an alternative way of enforcing proxy usage across the network using the web proxy auto-discovery protocol (WPAD).
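Why the warning persists even with a signed certificate comes down to two separate checks a browser performs on the certificate it is handed during the client-side half of the exchange described above: is the issuer trusted, and does one of the certificate's names cover the host the user asked for. The model below is an added example, not code from this post; the certificate "names" and issuers are constructed values standing in for the dNSName entries and issuer of a real certificate. The name-matching rule follows the browser convention that a wildcard may only be the whole leftmost label and must not stand alone in front of a public suffix. The third scenario shows what the ssl-bump configuration quoted in the comments below (generate-host-certificates=on) changes: squid mints a per-host certificate, so the name check passes once the signing CA is trusted by the clients.

```python
"""Model of a browser's certificate checks on an intercepted https connection.
Added example for this post (not part of the original article); the
certificates below are constructed dicts, not real X.509 objects.
"""


def _label_matches(pattern_label, host_label):
    # A wildcard must be the entire label; "w*.example.com" is not accepted.
    return pattern_label == "*" or pattern_label == host_label


def dns_name_matches(pattern, hostname):
    """True if a certificate dNSName (or CN) pattern covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "*" in p[1:]:        # wildcard only in leftmost label
        return False
    if p[0] == "*" and len(p) < 3:              # refuse "*.com"-style wildcards
        return False
    return all(_label_matches(a, b) for a, b in zip(p, h))


def browser_accepts(presented_cert, requested_host, trusted_issuers):
    """Return (accepted, reasons) for the two checks a browser applies.

    presented_cert: {"issuer": str, "names": [dNSName, ...]}
    """
    reasons = []
    if presented_cert["issuer"] not in trusted_issuers:
        reasons.append("issuer not trusted")
    if not any(dns_name_matches(n, requested_host) for n in presented_cert["names"]):
        reasons.append(f"no name matches {requested_host}")
    return (not reasons), reasons


# Constructed scenarios.  The user requests https://www.example.net/ and the
# proxy presents one of these certificates on the client-facing leg.
TRUSTED_ON_CLIENTS = {"Example Corp Internal CA"}
PROXY_SELF_SIGNED = {"issuer": "proxy.example.com", "names": ["proxy.example.com"]}
PROXY_CA_SIGNED = {"issuer": "Example Corp Internal CA", "names": ["proxy.example.com"]}
PER_HOST_CERT = {"issuer": "Example Corp Internal CA", "names": ["www.example.net"]}

if __name__ == "__main__":
    for label, cert in (("self-signed static cert", PROXY_SELF_SIGNED),
                        ("CA-signed static cert", PROXY_CA_SIGNED),
                        ("CA-signed per-host cert", PER_HOST_CERT)):
        print(label, browser_accepts(cert, "www.example.net", TRUSTED_ON_CLIENTS))
```

The middle scenario is the one the paragraph above describes: signing the proxy's own certificate removes the "untrusted issuer" complaint but not the name mismatch, because the name on the certificate is the proxy's, not the site's.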

11 thoughts on "Squid transparent proxy for https / ssl traffic"

  1. There is a bug in your code. In the line “openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 –keyout proxy.example.com.pem -out proxy.example.com.pem” you are specifying the same output file for the key and the cert. Also, you’ve used a “–” and not a “-“. Otherwise, very helpful.

  2. Squidblacklist.org is the world's leading publisher of native acl
    blacklists tailored specifically for Squid proxy, and alternative formats for all major third-party plugins as well as
    many other filtering platforms, including SquidGuard, DansGuardian, and ufDBGuard, as well as pfSense and more.

    There is room for better blacklists, we intend to fill that gap.

    It would be our pleasure to serve you.

    Signed,

    Benjamin E. Nichols
    http://www.squidblacklist.org

  3. Title: Configure Squid as HTTP and HTTPS transparent proxy.
    Issue Description: I have installed and configured squid 3.3.4 on a Debian machine. To enable squid as an HTTPS transparent proxy I have used a publicly signed certificate (from GoDaddy) and configured it in the squid.conf file. Once the configuration was done I tried to start squid, but while starting squid I am getting the following error.
    Error: Squid Cache (Version 3.3.4): Terminated abnormally.
    CPU Usage: 0.020 seconds = 0.000 user + 0.020 sys
    Maximum Resident Size: 22416 KB
    Page faults with physical i/o: 3
    failed!
    Note: The publicly signed certificate (pem and file) has been converted from a Tomcat Java keystore (certificate) file.
    Squid version: 3.3.4

    Kindly help me to solve this issue.
    Here is my squid.conf configuration.
    ____________________________________________________________
    # Squid.conf

    acl localhost src 127.0.0.1/32 ::1
    acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
    acl ftp proto FTP

    acl localnet src 10.0.0.0/8
    acl localnet src 172.16.0.0/12
    acl localnet src 192.168.0.0/16
    acl connect method CONNECT

    acl blockfiles urlpath_regex "/etc/squid3/block.files.acl"

    http_access deny blockfiles

    acl SSL_ports port 443
    acl SSL_ports port 22
    acl SSL_ports port 21 8443
    acl SSL_ports port 8834 8100
    acl SSL_ports port 7004
    acl SSL_ports port 6667
    acl SSL_ports port 1863
    acl SSL_ports port 5050
    acl SSL_ports port 1863
    acl SSL_ports port 8001 8002 23 25 119 5100 80 1935
    acl Safe_ports port 80
    acl Safe_ports port 81
    acl Safe_ports port 21
    acl Safe_ports port 443
    acl Safe_ports port 70
    acl Safe_ports port 210
    acl Safe_ports port 1025-65535
    acl Safe_ports port 280
    acl Safe_ports port 488
    acl Safe_ports port 591
    acl Safe_ports port 8834
    acl Safe_ports port 777
    #acl YIM_ports port 5050
    #acl YIM_ports port 80
    #acl YIM_ports port 23
    acl CONNECT method CONNECT
    acl HTTPS method CONNECT

    follow_x_forwarded_for allow all

    #http_access allow manager localhost
    #http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access deny to_localhost
    http_access allow localhost
    http_access allow ftp

    #http_access allow ldapauth
    http_access allow localnet

    # Download Limit Size.
    # reply_body_max_size 5000 MB all
    reply_body_max_size 1024 MB

    # Proxy Port Configuration
    #http_port 3128

    http_port 3127
    http_port 3128 intercept
    https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid3/cert/squidtrans.pem key=/etc/squid3/cert/squidtrans.key
    ssl_bump server-first all

    sslcrtd_program /usr/lib/squid3/ssl_crtd -s /var/lib/ssl_db -M 4MB
    sslcrtd_children 8 startup=1 idle=1

    hierarchy_stoplist cgi-bin ?
    cache_mem 8 MB
    maximum_object_size_in_memory 50 KB

    # Cache Size Limit.
    # cache_dir ufs /var/spool/squid3 1000 16 256

    cache_dir ufs /var/spool/squid3 1024 16 256

    minimum_object_size 8000 KB
    maximum_object_size 500000 KB
    cache_swap_low 90
    cache_swap_high 95
    strip_query_terms off
    coredump_dir /var/spool/squid3

    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
    refresh_pattern . 0 20% 4320
    cache_mgr anitha.m@paladion.net
    mail_program mail

    error_directory /usr/share/squid3/errors/en
    deny_info ERR_BLOCKED_FILES blockfiles

    # dns_nameservers 8.8.8.8

    memory_pools off
    http_access deny all
    #cache_access_log /backup/log/squid3/access.log
    #cache_log /backup/log/squid3/cache.log
    #cache_store_log /tmp/log/squid/store.log
    ____________________________________________________________

  4. I fail to see how this is transparent https proxy if the proxy decrypts/re-encrypts the communications. Is there no way of making this purely transparent just for logging purposes?
