Aeon mike guide transparent ssl filtering (1)
Upcoming SlideShare
Loading in...5
×
 

Aeon mike guide transparent ssl filtering (1)

on

  • 520 views

 

Statistics

Views

Total Views
520
Views on SlideShare
520
Embed Views
0

Actions

Likes
0
Downloads
3
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Aeon mike guide transparent ssl filtering (1) Aeon mike guide transparent ssl filtering (1) Document Transcript

  • AEONMike Guide – SQUID 3.3 SSLBUMP under Debian #Michael Cabalin http://www.PH-LWUG.org Pinoy Linux : http://www.facebook.com/groups/117595725078450/ #Install Debian OS #apt-get install build-essential gcc make #wget https://launchpad.net/squid/3.3/3.3.0.3/+download/squid-3.3.0.3.tar.gz #tar xvf squid-3.3.0.3.tar.gz #cd squid-3.3.0.3 ./configure –enable-icap-client –enable-ssl make make install Generate Self Sign • self-signed certificate (pem format) generation : openssl req -new -newkey rsa:1024 -days 3650 -nodes -x509 -keyout your.company.com.pem -out your.company.com • if needed, you can generate the certificate to import on browsers (to avoid the warnings about the security breach) : openssl x509 -in www.yourcompany.com.pem -outform DER -out www.yourcompany.com.der Onto the actual SQUID configuration. Edit the /etc/squid.conf file to show the following: always_direct allow all ssl_bump allow all http_port 192.9.200.32:3128 transparent
  • #the below should be placed on a single line https_port 192.9.200.32:3129 transparent ssl-bump cert=/etc/squid/ssl_cert/ your.company.com.pem key=/etc/squid/ssl_cert/private/your.company.com.pem Note you may need to change the “cert=” and the “key=” to point to the correct file in your environment. Also of course you will need to change the IP address The first directive (always_direct) is due to SslBump. By default ssl_bump is set to accelerator mode. In debug logs cache.log you’d see “failed to select source for”. In accelerator mode, the proxy does not know which backend server to use to retrieve the file from, so this directive instructs the proxy to ignore the accelerator mode. More details on this here: The first directive (always_direct) is due to SslBump. By default ssl_bump is set to accelerator mode. In debug logs cache.log you’d see “failed to select source for”. In accelerator mode, the proxy does not know which backend server to use to retrieve the file from, so this directive instructs the proxy to ignore the accelerator mode. More details on this here: http://www.squid-cache.org/Doc/config/always_direct/ The second directive (ssl_bump) instructs the proxy to allow all SSL connections, but this can be modified to restirct access. You can also use the “sslproxy_cert_error” to deny access to sites with invalid certificates. More details on this here: http://wiki.squid-cache.org/Features/SslBump Start squid and check for any errors. If no errors are reported, run: netstat -nap | grep 3129 to make sure the proxy is up and running. Next, configure iptables to perform destination NAT, basically to redirect the traffic to the proxy: iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 80 -j DNAT –to-destination 192.9.200.32:3128 iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 443 -j DNAT –to-destination 192.9.200.32:3129 Last thing to be done was to either place the proxy physically in line with the traffic or to redirect the traffic to the proxy using a router. Keep in mind that the proxy will change the source IP address of the requests to it’s own IP. In other words, by default it does not reflect the client IP. That was it in my case. I did try to implement something similar to the above but using explicit mode. This was my squid.conf file, note only one port is needed for both HTTP and HTTPS since HTTPS is tunneled over HTTP using the CONNECT method:
  • always_direct allow all ssl_bump allow all #the below should be placed on a single line http_port 8080 ssl-bump cert=/etc/squid/ssl_cert/proxy.testdomain.deCert.pem key=/etc/squid/ssl_cert/private/proxy.testdomain.deKey_without_Pp.pem SSL Filtering example SQUID.Conf • Squid configuration (squid.conf) : I post here only important parts. acl … acl … # you must have CONNECT acl acl CONNECT method CONNECT acl metrobank dstdomain www.metrobank.com.ph acl securitybank dstdomain www.securitybank.com.ph # maybe not in the future, but we need this : always_direct allow all # permissions sections (allow / deny) http_access allow… http_access allow…
  • http_access allow… http_access deny … http_access deny … http_access deny … # some sites need this : sslproxy_cert_error allow metrobank #sslproxy_flags DONT_VERIFY_PEER # ssl_bump means that you want to intercept (MITM) this SSL connection ssl_bump allow metrobank ssl_bump allow securitybank # and we don’t want to intercept others SSL sites : ssl_bump deny all # now, you can tell Squid you want to forbid theses HTTPS url : … http_access allow localnet http_access allow localhost http_access deny all # tell Squid you want to intercept SSL # /! SSL interception is not compatible with transparent proxy # so DON’T write here ‘intercept’ (new name for ‘transparent’) http_port 3128 ssl-bump cert=/path/to/your/self- signed/cert/www.yourcompany.com.pem