Last active
November 10, 2021 16:40
-
-
Save paraita/e089d1b6c4d36aaa2b36272995220c85 to your computer and use it in GitHub Desktop.
Squid 3.5.0.4 http+https basic auth + ssl bump
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# #### pre-requisites #### | |
# I use the following Dockerfile for Squid: | |
# https://hub.docker.com/r/jamesyale/squid-sslbump/ to deploy the proxy | |
# Replace the existing /etc/squid/squid.ssl.conf with this file | |
# Create the users credentials with htpasswd (yum install httpd-tools) | |
# htpasswd [-c] /etc/squid/squidusers username | |
# -с is to create a new file, not to change the existing file | |
# Use the following command to test the user/pass: | |
# /usr/lib64/squid3/basic_ncsa_auth /etc/squid/squidusers | |
# provide <user> <password> at the prompt, for example: | |
# paraita wrong_password | |
# ERR Wrong password | |
# paraita good_password | |
# OK | |
# Ctrl-D | |
# Make sure squid can read the credentials file: | |
# chmod o+r /etc/squid/squidusers | |
# Make sure the following folder exist and is readable | |
# by everyone: | |
# /var/spool/squid/ssl_db | |
# Generate the certificate: | |
# openssl req -new -newkey rsa:2048 \ | |
# -sha256 -days 365 -nodes \ | |
# -extensions v3_ca -x509 \ | |
# -keyout /etc/squid/ssl.pem \ | |
# -out /etc/squid/ssl.pem | |
# tell Squid what tool to validate user provided credentials | |
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squidusers | |
# http/https proxy port | |
http_port 3128 ssl-bump cert=/etc/squid/ssl.pem \ | |
generate-host-certificates=on \ | |
dynamic_cert_mem_cache_size=4MB | |
# auth rule | |
acl onzelist proxy_auth REQUIRED | |
http_access allow onzelist | |
# deny https so it falls back to the auth rule | |
acl SSL_ports port 443 | |
acl SSL_ports port 832 | |
acl CONNECT method CONNECT | |
http_access deny CONNECT !SSL_ports | |
coredump_dir /var/spool/squid | |
cache_dir ufs /var/spool/squid 2048 16 256 | |
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid/ssl_db -M 4MB | |
sslcrtd_children 5 | |
acl step1 at_step SslBump1 | |
ssl_bump peek step1 | |
ssl_bump bump all |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment