Currently, there is a requirement to do SSL decoding on a locally booted Squid, starting with the following configuration:

|------ Local PC -------|
|                       |
| Browser-->squid-|-->proxy-->Internet
|                       |
|-----------------------|

You need to go through another proxy to get to the Internet.
Because this proxy requires authentication, we set the cache_peer directive in squid.conf as follows:
acl intermediate_fetching transaction_initiator certificate-fetching
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl ssl_exclude_domains ssl::server_name "/cygdrive/c/squid/etc/squid/ssl_exclude_domains.conf"
acl ssl_exclude_ips dst "/cygdrive/c/squid/etc/squid/ssl_exclude_ips.conf"
acl fileupload req_mime_type -i ^multipart/form-data$
acl filedownload rep_mime_type -i ^multipart/form-data$
acl fileupload2 req_header Content-Type -i ^multipart/form-data$
http_access deny fileupload
http_access deny filedownload
http_access deny fileupload2
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
# 192.168.0.1 is the company proxy
cache_peer 192.168.0.1 parent 81 0 no-query login=myusername:mypassword
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/cygdrive/c/squid/etc/squid/mica.crt key=/cygdrive/c/squid/squid/mica.pem
coredump_dir /var/cache/squid
refresh_pattern ^ftp 1440 20% 10080
refresh_pattern ^gopher 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
dns_nameservers 8.8.8.8 208.67.222.222
max_filedescriptors 3200
ssl_bump bump all
on_unsupported_protocol tunnel all
sslcrtd_program /cygdrive/c/squid/lib/squid/security_file_certgen -s /cygdrive/c/squid/var/cache/squid_ssldb -M 4MB
sslproxy_cert_error allow all
cache deny all
When you set your browser's proxy settings to the local Squid and request any https site (for example https://www.google.com), an error screen saying "The requested URL could not be retrieved" appears.
If anyone knows how to solve this problem, please let me know.
Since you have not set always_direct deny all and never_direct allow all, you may be trying to connect directly from Squid to the web server, resulting in an error.
However, even with the above configuration, I think it will still fail: with ssl-bump the original CONNECT is sent to the parent proxy as a GET (HTTPS) instead of a CONNECT (ssl-bump + cache_peer is what we call reverse-proxy behaviour).
SSL Bumping CONNECT With A cache_peer
on_unsupported_protocol tunnel all should be converted to CONNECT, but it doesn't seem to be.
There may be another way, but I don't know of one.
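As an added example (not code from the question, the answers or the Squid project), the following Python script lints a squid.conf for the interaction the answer above describes: a cache_peer combined with ssl-bump but no never_direct/always_direct pair, plus two settings from the question's own config that a defender would want flagged (sslproxy_cert_error allow all, which makes the bumping proxy accept any origin certificate, and a clear-text login= password on the cache_peer line). SAMPLE_CONF is a constructed abbreviation of the question's squid.conf; the finding codes and messages are this script's own, and the comment handling is a simplification of Squid's parser.

```python
"""Lint a squid.conf for the ssl-bump + cache_peer pitfalls from the answer above.

Added example; not code from the question, the answers or the Squid project.
Directive names are real Squid directives; the finding codes and messages are
this script's own. SAMPLE_CONF is a constructed abbreviation of the question's
squid.conf, keeping the company proxy address 192.168.0.1 from the question.
"""

SAMPLE_CONF = """\
# constructed abbreviation of the question's config (not the full file)
cache_peer 192.168.0.1 parent 81 0 no-query login=myusername:mypassword
http_port 3128 ssl-bump generate-host-certificates=on cert=/cygdrive/c/squid/etc/squid/mica.crt key=/cygdrive/c/squid/squid/mica.pem
ssl_bump bump all
on_unsupported_protocol tunnel all
sslproxy_cert_error allow all
cache deny all
"""


def parse_directives(text):
    """Split squid.conf text into (directive, [args]); '#' starts a comment (simplification)."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives.append((name, args))
    return directives


def _has(directives, name, *prefix):
    """True if some line is `name prefix...` (args compared as a prefix)."""
    want = list(prefix)
    return any(n == name and a[: len(want)] == want for n, a in directives)


def lint(text):
    """Return [(code, message)] for the problems found in the config text."""
    d = parse_directives(text)
    findings = []
    has_peer = _has(d, "cache_peer")
    bumping = _has(d, "ssl_bump", "bump") or any(
        n == "http_port" and "ssl-bump" in a for n, a in d
    )

    if has_peer and bumping:
        # The answer's point: without these two lines Squid may pick DIRECT for
        # the bumped request, which fails when only the parent can reach the Internet.
        if not _has(d, "never_direct", "allow", "all"):
            findings.append(("NO_NEVER_DIRECT",
                             "cache_peer + ssl-bump without 'never_direct allow all': "
                             "Squid may try to reach the origin DIRECT instead of via the parent"))
        if not _has(d, "always_direct", "deny", "all"):
            findings.append(("NO_ALWAYS_DIRECT",
                             "add 'always_direct deny all' so no rule can force a DIRECT path"))

    if _has(d, "sslproxy_cert_error", "allow", "all"):
        # With bumping the browser only ever sees the locally minted certificate,
        # so ignoring upstream certificate errors removes the user's last warning.
        findings.append(("CERT_ERRORS_IGNORED",
                         "'sslproxy_cert_error allow all' accepts any origin certificate; "
                         "use 'deny all' (or a narrow allow list) so bumped clients are not "
                         "silently connected to servers with bad certificates"))

    for n, a in d:
        if n == "cache_peer" and any(o.startswith("login=") and ":" in o for o in a):
            findings.append(("PLAINTEXT_PEER_LOGIN",
                             "cache_peer login=user:password stores the parent-proxy "
                             "credentials in clear text; restrict read access to squid.conf"))
    return findings


def recommended_fix():
    """The two directives the answer above recommends adding."""
    return ["always_direct deny all", "never_direct allow all"]


if __name__ == "__main__":
    for code, msg in lint(SAMPLE_CONF):
        print(f"{code}: {msg}")
    print("suggested additions:", *recommended_fix(), sep="\n  ")
```

Run it against the real squid.conf by replacing SAMPLE_CONF with the file's contents; on the question's config it reports all four findings, and after adding the two recommended_fix() lines and changing sslproxy_cert_error to deny all only the clear-text login finding remains.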
Requirements for SSL decoding on a locally launched Squid: it's impossible to understand this part alone. Should I check the requirements? SSL decoding means converting https communication to http. Many things are impossible to realize.
Specifically, if you enter https://www.google.com in the browser, Squid decodes it and communicates between Squid and Google via http://www.google.com. However, Google will not allow the communication because it is not secure.
If you could communicate in plaintext, Squid would need to encrypt with a certificate named www.google.com. However, there is no such certificate, so it cannot be encrypted.
Entering http://www.google.com in the browser to communicate over https between Squid and Google and decode browser-to-Squid traffic to http: however, many sites use JavaScript in the browser, and if the URL in the browser is changed to http://www.google.com instead of https://www.google.com, it will not work properly.
And it says: "If you set your browser's proxy settings to the local squid and request any https site (example: https://www.google.com)". The test content does not meet the requirements in the first place.