Feature #9700: Secure Squid HTTPS Proxy
Status: open (0% done)
Description
As described here: https://forum.netgate.com/topic/145940/secure-squid-https-proxy
Squid Documentation: http://www.squid-cache.org/Doc/config/https_port/
Allow advanced/alternate configuration within Squid Web GUI to enable and configure squid https_port directive.
Modern browsers have supported secure proxy connections through WPAD and PAC file scripts for a couple of years now.
This would involve adding a new configuration block inside Services->Squid->General after "Squid General Settings" and before "Transparent Proxy Settings". This new configuration block would be called "Secure Proxy Settings" and have the following configuration options:
Enable Secure Proxy - Check Box - Enable/Disable use of 'https_port' configuration directive in squid.conf.
Secure Proxy Port - Number Entry - Port number to use during setup of 'https_port' for secure proxy connections.
Certificate - Dropdown - Certificate to use during setup of 'https_port'. Lists current certificates on system.
Other options may be supplied as deemed necessary.
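As an added example (not code from this issue or from the pfSense squid package), here is what the proposed "Secure Proxy Settings" block would need to emit into squid.conf, shown beside the kind of line the package generates today for transparent mode. The LAN address, port, certificate paths and cipher list are assumptions chosen to match the style of the generated config; only the absence of 'intercept' is the point.

```conf
# Emitted today when 'transparent' mode is enabled: a listener that only
# receives NAT-redirected traffic. 'intercept' also disables proxy
# authentication on that port, so it cannot serve WPAD/PAC clients.
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem

# Requested: a secure forward-proxy listener on the LAN address (assumed
# 192.168.1.1). No 'intercept' or 'tproxy', so a client pointed here by a
# PAC entry such as "HTTPS proxy.example.internal:3129" opens a TLS session
# to the proxy and sends its CONNECT/GET requests inside it, and proxy_auth
# ACLs keep working on this port. The certificate is a normal server cert
# whose SAN matches the hostname used in the PAC file (assumed paths).
https_port 192.168.1.1:3129 cert=/usr/local/etc/squid/proxy-cert.pem key=/usr/local/etc/squid/proxy-key.pem cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+aRSA+SHA384:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,SINGLE_DH_USE,SINGLE_ECDH_USE
```

The two listeners bind different addresses, so 3129 does not clash with the loopback intercept port. ssl-bump is a separate decision: the secure listener works without it, and the ssl-bump options from the existing http_port line can be appended if bumping is also wanted there. After editing, `squid -k parse -f /usr/local/etc/squid/squid.conf` validates the directive, and `curl -v --proxy https://proxy.example.internal:3129 --proxy-cacert /path/to/ca.pem https://example.com/` exercises the TLS-to-proxy path from a client.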
Updated by Kyle Klouzal almost 3 years ago
Selecting 'transparent' mode adds the 'https_port' directive into configs but also adds 'intercept', which is undesired. Any update on this?
Updated by Viktor Gurov almost 3 years ago
- Status changed from New to Feedback
> This would involve adding a new configuration block inside Services->Squid->General after "Squid General Settings" and before "Transparent Proxy Settings". This new configuration block would be called "Secure Proxy Settings" and have the following configuration options:
> Enable Secure Proxy - Check Box - Enable/Disable use of 'https_port' configuration directive in squid.conf.
> Secure Proxy Port - Number Entry - Port number to use during setup of 'https_port' for secure proxy connections.
> Certificate - Dropdown - Certificate to use during setup of 'https_port'. Lists current certificates on system.
> Other options may be supplied as deemed necessary.
Already implemented
Kyle Klouzal wrote in #note-1:
> Selecting 'transparent' mode adds the 'https_port' directive into configs but also adds 'intercept', which is undesired. Any update on this?
Unable to reproduce - enabling 'transparent' mode only adds the 'intercept' option, not 'https_port'
pfSense-pkg-squid 0.4.45_7
Updated by Kyle Klouzal almost 3 years ago
/usr/local/etc/squid/squid.conf output

before enabling 'transparent' mode:

```
# This file is automatically generated by pfSense
# Do not edit manually !
http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
...
```

after enabling 'transparent' mode:

```
# This file is automatically generated by pfSense
# Do not edit manually !
http_port 192.168.1.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
http_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
https_port 127.0.0.1:3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=10MB cert=/usr/local/etc/squid/serverkey.pem cafile=/usr/local/share/certs/ca-root-nss.crt capath=/usr/local/share/certs/ cipher=EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS tls-dh=prime256v1:/etc/dh-parameters.2048 options=NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE
```
'intercept' mode is undesirable.
http://www.squid-cache.org/Doc/config/https_port/
http://www.squid-cache.org/Doc/config/http_port/
> intercept: IP-Layer NAT interception delivering traffic to this Squid port. NP: disables authentication on the port.
All web traffic immediately starts flowing into Squid in intercept mode. The desired approach is to use a WPAD/PAC file to point clients at the proxy server.
An 'https_port' directive without intercept/tproxy is required to enable SSL connections to the proxy server, facilitated via a WPAD/PAC file.
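The client half of the WPAD/PAC approach described above, as an added example that is not part of this issue or of the pfSense package: a PAC script that sends browsers to a Squid https_port listener (a secure forward proxy, no 'intercept') and falls back to the plain http_port. The proxy hostname, ports and internal domain are assumptions; the helper shims exist only so the script also runs outside a browser.

```javascript
// Added example PAC script (not from the issue or the pfSense package).
// "HTTPS host:port" makes the browser open a TLS session to the proxy
// itself; "PROXY host:port" is the classic cleartext proxy directive.
// Hostname, ports and the internal domain below are assumptions.
const SECURE_PROXY = "HTTPS proxy.example.internal:3129"; // squid https_port, no 'intercept'
const PLAIN_PROXY = "PROXY proxy.example.internal:3128";  // squid http_port (fallback)

// Browsers provide these helpers in the PAC runtime. The shims only exist so
// the file can also be run and tested under Node.js; a browser skips them.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = (host) => host.indexOf(".") === -1;
}
if (typeof dnsDomainIs === "undefined") {
  globalThis.dnsDomainIs = (host, domain) => host.endsWith(domain);
}

// Literal loopback and RFC 1918 addresses. Matching the literal instead of
// calling isInNet() avoids a DNS lookup from inside the PAC script.
const PRIVATE_LITERAL = /^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)\d/;

function FindProxyForURL(url, host) {
  // Internal destinations are reached directly, never via the proxy.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".example.internal") ||
      PRIVATE_LITERAL.test(host)) {
    return "DIRECT";
  }
  // Everything else: TLS to the proxy first. The browser tries the next entry
  // if the first fails, so drop "; PROXY ...; DIRECT" where policy forbids a
  // silent downgrade when the secure port is down.
  return SECURE_PROXY + "; " + PLAIN_PROXY + "; DIRECT";
}
```

The hostname in the HTTPS entry must match the SAN of the certificate presented on the https_port, or the browser will not use the proxy. Because the PAC file itself is usually fetched over plain HTTP via WPAD, its content is only as trustworthy as the network it is served on; serving it from a host the proxy administrators control and restricting WPAD DNS/DHCP answers is part of the deployment.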