我正在尝试让 Squid3.4 使用服务器优先方法进行 SSL Bumping。我遵循本指南在 alpinelinux 中。
我在显式模式下工作(浏览器配置器转到代理),效果很好。我生成了密钥和 CSR,使用 --enable-sel 和 --enable-sel-crtd 选项重建了 squid3,当我从 COMODDO 拿回我的证书(我选择了一个测试证书,有效期为 1 个月以进行 POC)时,我将其放在我的 squid 配置中。
然后我收到以下错误:
Dec 08 08:15:12 proxy squid3[2166]: No valid signing SSL certificate configured for http_port 192.168.10.4:3128
Dec 08 08:15:12 proxy squid3[2136]: Starting Squid HTTP Proxy 3.x: squid3FATAL: No valid signing SSL certificate configured for http_port 192.168.10.4:3128
这是我的 squid3 配置
# Subnet defs in ACL
acl wifi_lan src 192.168.11.0/24
acl dmz_lan dst 192.168.10.0/24 0.0.0.0/32 ::1
acl dmz_lan_nas dst 192.168.10.5
acl dmz_lan_proxy dst 192.168.10.4
# Proto defs in ACL
acl SSL_ports port 443
acl SSL_ports port 5001
acl SSL_ports port 5006
acl SSL_ports port 8443
acl SSL_ports port 8444
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 5001 # Synology DSM
acl Safe_ports port 631 # CUPS
acl CONNECT method CONNECT
acl netflix dstdomain *.netflix.com
acl no_ssl_interception dstdomain .dropbox.com .hotmail.com nas.tourneur.be
# HTTP accesses
no_cache deny dmz_lan
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow dmz_lan_nas
http_access allow dmz_lan_proxy
http_access deny dmz_lan
http_access allow localhost
http_access allow wifi_lan
http_access deny all
# System section
via off
forwarded_for off
pipeline_prefetch on
connect_timeout 20 seconds
coredump_dir /var/spool/squid3
cache_mgr [email protected]
visible_hostname proxy.example.com
access_log syslog:user.warning
# Connector sections
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid3/ssldb -M 4MB
sslcrtd_children 12
redirector_access deny netflix
redirect_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
redirect_children 24
url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 10 startup=0 idle=1 concurrency=0
cache_peer 127.0.0.1 parent 8118 7 no-query no-digest no-netdb-exchange
cache_peer_access 127.0.0.1 deny netflix
acl ftp proto FTP
always_direct allow netflix
always_direct allow ftp
never_direct allow all
request_header_max_size 32 KB
reply_header_max_size 32 KB
# Cache section
cache_mem 256 MB
maximum_object_size_in_memory 1 MB
cache_dir aufs /var/spool/squid3 16382 16 256
memory_replacement_policy heap LRU
cache_replacement_policy heap LRU
# ssl config
ssl_bump none localhost
ssl_bump none no_ssl_interception
ssl_bump server-first SSL_ports
## Allow server side certificate errors such as untrusted certificates, otherwise the connection is closed for such errors
sslproxy_cert_error allow all
## Accept certificates that fail verification (should only be needed if using 'sslproxy_cert_error allow all')
sslproxy_flags DONT_VERIFY_PEER
http_port 192.168.10.4:3128 ssl-bump cert=/etc/squid3/keys/squid.crt key=/etc/squid3/keys/squid.key generate-host-certificates=on options=NO_SSLv2
知道我做错了什么吗?
谢谢旅游帮助和建议 :)
答案1
为了进行 SSL Bump,您必须使用自签名根证书文件。您提到的 Comodo 证书文件永远都行不通。
当 Squid 代表您联系远程 HTTPS 服务器,然后通过伪造远程站点证书并使用配置的自签名根密钥对其进行签名来模仿安全连接时,SSL Bump 会对 HTTPS 连接进行中间人攻击。您还可以必须在所有浏览器中将此自签名根证书安装为受信任的证书。
答案2
这些是针对 Ubuntu 的步骤,你也可以针对 alpine Linux 采用这些步骤
使用以下选项进行编译
--enable-ssl
--with-openssl
--enable-ssl-crtd
--enable-security-cert-generators="file"
生成 CA 证书和密钥
mkdir /etc/squid/ssl_cert
chow proxy /etc/squid/ssl_cert
cd /etc/squid/ssl_cert
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout myCA.key -out myCA.crt
更新 /etc/squid/squid.conf
always_direct allow all
ssl_bump server-first all
sslproxy_cert_error allow all
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/myCA.crt key=/etc/squid/ssl_cert/myCA.key generate-host-certificates=on dynamic_cert_mem_cache_size=16MB
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/spool/squid/ssl_db -M 4MB
重启squid前生成ssl_db
/usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 4MB
启动 squid
systemctl restart squid