Feature #9700

open

Secure Squid HTTPS Proxy

Added by Kyle Klouzal over 4 years ago. Updated about 2 years ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: Squid
Target version: -
Start date: 08/26/2019
Due date:
% Done: 0%
Estimated time:
Plus Target Version:

Description

As described here: https://forum.netgate.com/topic/145940/secure-squid-https-proxy
Squid Documentation: http://www.squid-cache.org/Doc/config/https_port/

Allow advanced/alternate configuration within Squid Web GUI to enable and configure squid https_port directive.

Modern browsers have supported secure proxy connections through WPAD and PAC file scripts for a couple of years now.

This would involve adding a new configuration block inside Services->Squid->General after "Squid General Settings" and before "Transparent Proxy Settings". This new configuration block would be called "Secure Proxy Settings" and have the following configuration options:
  • Enable Secure Proxy - Check Box - Enable/Disable use of 'https_port' configuration directive in squid.conf.
  • Secure Proxy Port - Number Entry - Port number to use during setup of 'https_port' for secure proxy connections.
  • Certificate - Dropdown - Certificate to use during setup of 'https_port'. Lists current certificates on system.
Other options may be supplied as deemed necessary.
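The WPAD/PAC side of the setup the ticket describes, as an added example that is not part of the ticket or the pfSense package: a PAC script that sends browsers to an explicit TLS-wrapped Squid listener with the "HTTPS" PAC directive, keeps local destinations direct, and offers no plaintext "PROXY" fallback. The proxy host name, the internal domain, the address range and port 3129 are constructed placeholders; the PAC helper functions are normally supplied by the browser, so minimal stand-ins are defined here only so the script runs outside one.

```javascript
// Stand-ins for the browser-provided PAC helpers (drop these when deploying
// the script as a real PAC file; the browser supplies the originals).
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function isInNet(ip, net, mask) {
  // Dotted-quad to unsigned 32-bit integer, then compare the masked prefixes.
  const toInt = (s) => s.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
  return (toInt(ip) & toInt(mask)) === (toInt(net) & toInt(mask));
}

// Constructed placeholder: the Squid https_port listener, reached over TLS.
const SECURE_PROXY = "HTTPS proxy.example.internal:3129";
const IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

function FindProxyForURL(url, host) {
  // Unqualified names and the internal domain never leave the LAN via the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.internal")) {
    return "DIRECT";
  }
  // Constructed placeholder range for the local network.
  if (IPV4_LITERAL.test(host) && isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Everything else goes to the proxy over TLS. No "PROXY host:3128" fallback is
  // listed, so an unreachable proxy produces an error instead of a silent
  // downgrade to an unencrypted client-to-proxy hop.
  return SECURE_PROXY;
}
```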

#1

Updated by Kyle Klouzal about 2 years ago

Selecting 'transparent' mode adds the 'https_port' directive into configs but also adds 'intercept', which is undesired. Any update on this?

#2

Updated by Viktor Gurov about 2 years ago

  • Status changed from New to Feedback

> This would involve adding a new configuration block inside Services->Squid->General after "Squid General Settings" and before "Transparent Proxy Settings". This new configuration block would be called "Secure Proxy Settings" and have the following configuration options:
>   • Enable Secure Proxy - Check Box - Enable/Disable use of 'https_port' configuration directive in squid.conf.
>   • Secure Proxy Port - Number Entry - Port number to use during setup of 'https_port' for secure proxy connections.
>   • Certificate - Dropdown - Certificate to use during setup of 'https_port'. Lists current certificates on system.
> Other options may be supplied as deemed necessary.

Already implemented

Kyle Klouzal wrote in #note-1:

> Selecting 'transparent' mode adds the 'https_port' directive into configs but also adds 'intercept', which is undesired. Any update on this?

Unable to reproduce - enabling 'transparent' mode only adds the 'intercept' option, not 'https_port'.
pfSense-pkg-squid 0.4.45_7

#3

Updated by Kyle Klouzal about 2 years ago

/usr/local/etc/squid/squid.conf output

before enabling 'transparent' mode:

```
# This file is automatically generated by pfSense
# Do not edit manually !

http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
...
```

after enabling 'transparent' mode:

```
# This file is automatically generated by pfSense
# Do not edit manually !

http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE

https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
```

'intercept' mode is undesirable.
http://www.squid-cache.org/Doc/config/https_port/
http://www.squid-cache.org/Doc/config/http_port/

> IP-Layer NAT interception delivering traffic to this Squid port, NP: disables authentication on the port.

All web traffic immediately starts flowing into squid in intercept mode. The desired approach is to use a WPAD/PAC file to point clients to the proxy server.
An 'https_port' config directive without intercept/tproxy is required to enable an SSL connection to the proxy server, facilitated via the WPAD/PAC file.
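A check for the situation note #3 describes, as an added example that is not part of the ticket or the pfSense package: it reads the listener lines of a squid.conf, flags every http_port/https_port that runs in intercept or tproxy mode (which, per the https_port documentation quoted above, disables authentication on that port), and reports whether any https_port exists without interception for WPAD/PAC clients to connect to. The sample configuration is constructed from the excerpt in the ticket with the long cipher and DH options shortened.

```javascript
// Constructed sample, shortened from the squid.conf excerpt in the ticket.
const SAMPLE_SQUID_CONF = `
# This file is automatically generated by pfSense
# Do not edit manually !
http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on cert=/usr/local/etc/squid/serverkey.pem
http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on cert=/usr/local/etc/squid/serverkey.pem
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on cert=/usr/local/etc/squid/serverkey.pem
`;

// Parse http_port/https_port lines into listener records. Squid port options are
// either bare mode words (intercept, tproxy, accel, ssl-bump) or key=value pairs.
function parseListeners(conf) {
  const listeners = [];
  for (const raw of conf.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue; // blank or comment
    const [directive, addr, ...opts] = line.split(/\s+/);
    if (directive !== "http_port" && directive !== "https_port") continue;
    const modes = opts.filter((o) => !o.includes("="));
    listeners.push({
      directive,
      addr,
      tls: directive === "https_port",
      sslBump: modes.includes("ssl-bump"),
      intercepting: modes.includes("intercept") || modes.includes("tproxy"),
    });
  }
  return listeners;
}

// Audit the listeners: interception ports cannot authenticate clients, and a
// WPAD/PAC deployment needs at least one https_port that is not intercepting.
function auditListeners(conf) {
  const listeners = parseListeners(conf);
  const findings = [];
  for (const l of listeners) {
    if (l.intercepting) {
      findings.push(`${l.directive} ${l.addr}: interception listener, proxy authentication unavailable`);
    }
  }
  const explicitTls = listeners.some((l) => l.tls && !l.intercepting);
  if (!explicitTls) {
    findings.push("no https_port without intercept/tproxy: WPAD/PAC clients cannot reach the proxy over TLS");
  }
  return { listeners, findings, explicitTls };
}
```

Appending a line such as `https_port 192.168.1.1:3129 cert=/usr/local/etc/squid/serverkey.pem` (an explicit, non-intercepting TLS listener) to the sample makes `explicitTls` true and clears the last finding.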
