Hi.
I would like to implement web filtering via ICAP on a Squid proxy. In order to filter HTTPS traffic, SSL inspection is required.
I'm using CentOS7 and Squid 3.3.8. ssl-bump is used for ssl inspection.
Everything is working fine in my test environment with direct internet access.
The problem is that in my work environment all internet access must go through an upstream proxy server I don't control. All the guides on implementing SSL inspection on Squid that I found require the following instruction in squid.conf:
Code:
always_direct allow all
That instruction contradicts
Code:
never_direct allow all
which I see in every guide on redirecting to a parent proxy.
My current squid.conf follows. Is it even possible to enable SSL inspection when an upstream proxy must be used? Could someone please guide me through that configuration if it is possible?
Code:
#
# Recommended minimum configuration:
#
#ssl inspection
# The CA key/cert in cert= signs every generated site certificate; anyone
# who obtains this file can impersonate any HTTPS site to clients that
# trust this CA. Keep the file readable by the squid user only.
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
# DONT_VERIFY_PEER disables validation of origin server certificates on the
# bumped (server-side) connection. Because clients only ever see the
# proxy-generated certificate, they can no longer detect a bad upstream cert;
# the proxy becomes the only point where that check could happen.
sslproxy_flags DONT_VERIFY_PEER
# "allow all" accepts every certificate error for every site; this is
# redundant with DONT_VERIFY_PEER above and has the same effect of silently
# trusting any server certificate. Prefer scoping this to a named ACL.
sslproxy_cert_error allow all
# always_direct forces direct origin connections for every request, so any
# cache_peer/never_direct (see the commented parent-proxy lines below) is
# bypassed while this line is active.
always_direct allow all
# ssl_bump is a first-match access list: "client-first all" matches every
# request, so the "server-first" and "none" lines below are never reached.
# client-first generates the client-facing certificate before the server is
# contacted, so it cannot mirror the real server certificate's properties.
ssl_bump client-first all
ssl_bump server-first all
ssl_bump none all
# Generated certificates are cached on disk in /var/lib/ssl_db; protect it
# with the same file permissions as the CA key.
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
#DC auth
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -s HTTP/squid.cpiw.local
auth_param negotiate children 20 startup=0 idle=1
auth_param negotiate keep_alive on
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# NOTE: localnet is defined here but "http_access allow localnet" below is
# commented out, so this ACL is currently unused; access is granted only
# by the "auth" and "localhost" rules.
acl localnet src 192.168.21.0/24
acl localnet src 192.168.26.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Matches any successfully authenticated user, from any source address.
acl auth proxy_auth REQUIRED
cache deny all
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
# (still commented out here; with ICAP and auth helpers on this host it is
# worth enabling)
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
# Authenticated users are allowed regardless of source network; combining
# with localnet ("http_access allow localnet auth") would also require the
# request to originate from the listed internal ranges.
http_access allow auth
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
#http_port 3128
# parent proxy
# Currently disabled. Even if enabled, "always_direct allow all" above takes
# precedence and keeps every request going direct.
#cache_peer cp.cpiw.local parent 3128 0 proxy-only no-query no-digest
#never_direct allow all
# Uncomment and adjust the following to add a disk cache directory.
#cache_dir ufs /var/spool/squid 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname squid.cpiw.local
#icap
icap_enable on
# bypass=1 means requests are forwarded WITHOUT adaptation when the ICAP
# service is down or unreachable, i.e. the filter fails open. Use bypass=0
# if requests must be blocked rather than passed unfiltered. The icap://
# transport is cleartext, so request contents, client IPs and usernames
# (sent by the two options below) travel unencrypted to 192.168.21.31.
icap_service service_req reqmod_precache bypass=1 icap://192.168.21.31:1344/request
adaptation_access service_req allow all
icap_send_client_ip on
icap_send_client_username on
#TAG: debug_options
# ALL,5 is very verbose and the resulting cache.log may contain request
# details; keep it disabled outside of troubleshooting sessions.
#debug_options ALL,5