Install and configure Squid with SSL Bumping

Random sketches: 

This solves the problem that a Windows Server 2012 R2 host cannot connect to an AWS endpoint because of a cipher-suite mismatch. WS2012R2 will never receive those cipher suites, so a bumping proxy negotiates TLS with AWS on its behalf.

Install from source (Squid 5.5). On paravirtualized hosts add `--disable-arch-native` to the configure line.

  • apt-get install build-essential openssl libssl-dev pkg-config
  • ./configure --with-default-user=proxy --with-openssl --enable-ssl-crtd
  • make
  • make install

Squid.conf:


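# Squid 5.5 forward proxy with SSL bumping, built from source (prefix /usr/local/squid).
# Purpose: terminate TLS on behalf of a client whose own TLS stack lacks the cipher
# suites the upstream requires; Squid negotiates its own TLS session to the origin.

# Local client networks (standard squid.conf defaults).
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl my_localnet src 10.10.10.0/24
#acl all src 10.0.0.0/24
# One domain per line; matched against the destination host (SNI after the peek step).
acl blocklist dstdomain "/etc/squid/domain_blacklist.txt"

# SSL bump: peek at the client hello in step 1 (to learn the SNI), then bump
# (decrypt and re-encrypt) every TLS connection. Each bumped site is re-signed with
# the CA given in http_port cert=, so clients must trust that CA and the CA private
# key must be readable only by the proxy user.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Optional upstream parent proxy. never_direct forces every request through a peer,
# so it must only be enabled together with cache_peer: with "never_direct allow all"
# and no peer configured Squid cannot forward any request.
#cache_peer NEXT_PROXY_IP parent PORT_NEXT_PROXY 0 no-query default
#never_direct allow all

# Access rules are evaluated top to bottom and the first matching rule wins, so the
# deny rules have to come before any allow. An early "http_access allow all" would
# make everything below it unreachable (blocklist and port restrictions included)
# and turn this into an open proxy; only localnet and localhost are allowed here.
# Narrow localnet to my_localnet if only the 10.10.10.0/24 clients should use it.
http_access deny blocklist
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny to_localhost
#include /etc/squid/conf.d/*
http_access allow localnet
http_access allow localhost
http_access deny all

# cert= holds the CA private key and certificate in one PEM file.
# NOTE(review): the CA generation steps on this page write the CA to
# /etc/squid/ssl_cert/myCA.pem, not /usr/local/squid/etc/ssl_cert/ -- one of the two
# paths has to be adjusted so they agree.
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# -M must match the -M used when the ssl_db was initialised with security_file_certgen -c.
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /usr/local/squid/var/logs/ssl_db -M 4MB
coredump_dir /usr/local/squid/var/cache/squid
# 1 GB on-disk cache.
cache_dir ufs /usr/local/squid/var/cache/squid 1000 16 256
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320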

generate CA:
 
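#!/usr/bin/env bash
# Generate the bumping CA used by Squid and initialise the dynamic certificate DB.
# Run once as root, before Squid is started.
#
# Globals (environment, all optional):
#   SSL_CERT_DIR  directory that receives myCA.pem (default /etc/squid/ssl_cert);
#                 it MUST match the cert= path of http_port in squid.conf
#   SSL_DB        security_file_certgen database (default /usr/local/squid/var/logs/ssl_db)
#   CA_DAYS       CA validity in days (default 365)
# Outputs:
#   $SSL_CERT_DIR/myCA.pem             private key + certificate (PEM), 0600, owned by proxy
#   $SSL_CERT_DIR/myCA_for_client.der  certificate only, for import on the clients
# Returns: 0 on success; exits 1 if the CA already exists or any step fails.
set -euo pipefail

readonly squid_user=proxy
ssl_cert_dir=${SSL_CERT_DIR:-/etc/squid/ssl_cert}
ssl_db=${SSL_DB:-/usr/local/squid/var/logs/ssl_db}
ca_days=${CA_DAYS:-365}
readonly ssl_cert_dir ssl_db ca_days

mkdir -p -- "$ssl_cert_dir"
chown "$squid_user:$squid_user" -- "$ssl_cert_dir"
chmod 700 -- "$ssl_cert_dir"
cd -- "$ssl_cert_dir" || exit 1

# Refuse to overwrite: clients already trust the existing CA, replacing it silently
# would break every bumped connection until the new DER is imported everywhere.
if [[ -e myCA.pem ]]; then
  printf 'myCA.pem already exists in %s, not overwriting\n' "$ssl_cert_dir" >&2
  exit 1
fi

# Key and self-signed CA certificate land in one PEM file (Squid accepts the key
# inside cert=). umask 077 so the file is never world-readable, even briefly;
# -nodes is required because Squid cannot prompt for a passphrase.
(
  umask 077
  openssl req -new -newkey rsa:2048 -sha256 -days "$ca_days" -nodes -x509 \
    -extensions v3_ca -keyout myCA.pem -out myCA.pem
)
chown "$squid_user:$squid_user" -- myCA.pem
chmod 600 -- myCA.pem

# Certificate only (no private key) in DER form for the client trust store.
openssl x509 -in myCA.pem -outform DER -out myCA_for_client.der

# Initialise the certificate cache used by sslcrtd_program; -M must match the -M
# given in squid.conf. Skipped when the DB already exists so the script is re-runnable.
if [[ ! -e "$ssl_db" ]]; then
  /usr/local/squid/libexec/security_file_certgen -c -s "$ssl_db" -M 4MB
fi
chown -R "$squid_user:$squid_user" -- "$ssl_db"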


Install myCA_for_client.der as a trusted root CA in the client OS, then point the client's proxy settings at the proxy server (port 3128).
