LinuxQuestions.org
Old 03-22-2016, 01:25 AM   #1
mawile
SSL inspection on downstream Squid proxy


Hi.
I would like to implement web filtering via ICAP on a Squid proxy. In order to filter HTTPS traffic, SSL inspection is required.
I'm using CentOS 7 and Squid 3.3.8. ssl-bump is used for SSL inspection.
Everything is working fine in my test environment with direct internet access.

The problem is that in my work environment any internet access should use an upstream proxy server I don't control. All the guides on SSL inspection on Squid that I found require the following instruction in squid.conf:
Code:
always_direct allow all
That instruction contradicts the
Code:
never_direct allow all
that I see in every guide on redirecting to a parent proxy.

My current squid.conf follows. Is it even possible to enable SSL inspection with an upstream proxy in mind? Could someone please guide me through that configuration if it is possible?

Code:
#
# Recommended minimum configuration:
#

#ssl inspection
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_error allow all
always_direct allow all
ssl_bump client-first all
ssl_bump server-first all
ssl_bump none all
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB

#DC auth
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -s HTTP/squid.cpiw.local
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive on

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 192.168.21.0/24
acl localnet src 192.168.26.0/24

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl auth proxy_auth REQUIRED

cache deny all
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow auth
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
#http_port 3128

# parent proxy
#cache_peer cp.cpiw.local parent 3128 0 proxy-only no-query no-digest
#never_direct allow all

# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

visible_hostname squid.cpiw.local


#icap
icap_enable on
icap_service service_req reqmod_precache bypass=1 icap://192.168.21.31:1344/request
adaptation_access service_req allow all
icap_send_client_ip on
icap_send_client_username on



#TAG: debug_options
#debug_options ALL,5
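As an added example (not from the thread or from the Squid project), a small Python linter that reads a squid.conf excerpt and flags the always_direct/never_direct contradiction described in the post, a cache_peer that always_direct would bypass, and ssl_bump rules shadowed by an earlier rule matching "all" (Squid evaluates its access lists top-down, first match wins). The config excerpt is constructed from the squid.conf posted above.

```python
# Constructed excerpt of the squid.conf posted above, peer lines commented out as posted.
SAMPLE_CONF = """\
http_port 3128 ssl-bump generate-host-certificates=on cert=/etc/squid/ssl_cert/myCA.pem
always_direct allow all
ssl_bump client-first all
ssl_bump server-first all
ssl_bump none all
# parent proxy
#cache_peer cp.cpiw.local parent 3128 0 proxy-only no-query no-digest
#never_direct allow all
"""
# Same excerpt with the parent-proxy lines enabled, as the upstream-proxy guides require.
SAMPLE_CONF_WITH_PEER = SAMPLE_CONF.replace("#cache_peer", "cache_peer").replace("#never_direct", "never_direct")

def parse_directives(text):
    """Return (directive, args) tuples; blank lines and '#' comments are dropped."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            out.append((parts[0], parts[1:]))
    return out

def lint(text):
    """Return human-readable findings about direct/peer routing and ssl_bump rule order."""
    directives = parse_directives(text)
    findings = []

    def allows_all(name):
        return any(d == name and a[:2] == ["allow", "all"] for d, a in directives)

    has_peer = any(d == "cache_peer" for d, _ in directives)
    if allows_all("always_direct") and allows_all("never_direct"):
        findings.append("always_direct allow all and never_direct allow all are both present: contradictory routing")
    if has_peer and allows_all("always_direct"):
        findings.append("cache_peer is defined but always_direct allow all sends every request direct, bypassing it")

    # ssl_bump lines are matched top-down; once a rule matches 'all', later rules are dead.
    catch_all = None
    for d, a in directives:
        if d != "ssl_bump":
            continue
        if catch_all:
            findings.append(f"ssl_bump {' '.join(a)} is unreachable after 'ssl_bump {catch_all} all'")
        elif len(a) >= 2 and a[1] == "all":
            catch_all = a[0]
    return findings
```

Run `lint(SAMPLE_CONF)` to see the two shadowed ssl_bump lines, and `lint(SAMPLE_CONF_WITH_PEER)` to see the routing contradiction appear once the parent-proxy lines are enabled.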
 
Old 03-22-2016, 10:49 AM   #2
mawile
Answering my own question: there is no way to do so.
As of now there is no version of Squid that supports redirecting to an upstream proxy after SSL inspection.
A feature request has been sitting on the bug tracker for almost 8 years without an implementation. It should be totally possible, but no one has cared enough to implement it.
 
Old 08-08-2016, 04:14 PM   #3
9acca9
Please, can you give me a hand?
I'm using CentOS 7 and Squid 3.3.8, like you, but I cannot get it working with HTTPS.
I have this config in squid.conf:

Quote:
# Squid listen Port
http_port 192.168.1.215:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid/example.com.private cert=/etc/squid/example.com.cert
# SSL Bump Config
always_direct allow all
ssl_bump server-first all
sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
And this in access.log:
Quote:
192.168.1.172 TCP_HIT/200 52543 GET http://www.silencio.com.ar/wp-conten...39-540x386.jpg - HIER_NONE/- image/jpeg
192.168.1.172 TCP_HIT/200 49912 GET http://www.silencio.com.ar/wp-conten...ro-540x386.jpg - HIER_NONE/- image/jpeg
192.168.1.172 TCP_HIT/200 43804 GET http://www.silencio.com.ar/wp-conten...12-540x386.jpg - HIER_NONE/- image/jpeg
192.168.1.172 TCP_DENIED/200 0 CONNECT www.google-analytics.com:443 - HIER_NONE/- -
192.168.1.172 TCP_MISS/301 807 GET http://www.youtube.com/ - HIER_DIRECT/64.233.186.91 text/html
192.168.1.172 NONE/200 0 CONNECT www.youtube.com:443 - HIER_DIRECT/64.233.186.91 -
192.168.1.172 NONE/200 0 CONNECT blocklist.addons.mozilla.org:443 - HIER_DIRECT/52.35.149.230 -
I imported example.com.cert into the web browser, and then on any HTTPS site I go to I get "The proxy server is refusing connections". Non-HTTPS sites work fine.

What can I do?

Please give me a hand... I'm going crazy with this.