Enhancement #2977

Proxy: intercept SSL connections (SSL transparent)

Added by Giacomo Sanchietti almost 5 years ago. Updated over 4 years ago.

Status: CLOSED
Priority: Normal
Assignee: -
Start date:
Due date:
% Done: 100%
Category: nethserver-squid
Target version: v6.5
Resolution:
NEEDINFO: No

Description

Transparent interception of SSL traffic needs:
  • a squid port
  • an initial cert db setup
  • a custom certificate
  • a firewall redirection rule

But the current implementation of the SSL proxy doesn't work correctly on some sites.
For example, Facebook can be accessed using Firefox but not using Chrome.

A specially crafted certificate (issuer set to *) doesn't resolve the issue either.

So, we go with these modifications:
  • creation of /var/lib/ssl_db directory
    /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
    chown -R squid:squid /var/lib/ssl_db
    
  • avoid ssl bump for localhost (ssl_bump none localhost)
  • use DONT_VERIFY_PEER option
  • add a list of sites where ssl bump is disabled; the list must include:
    • custom sites from a comma separated property SSLBypass
    • well known sites for Windows update:
      images.metaservices.microsoft.com
      crl.microsoft.com
      .update.microsoft.com
      www.download.windowsupdate.com
      windowsupdate.microsoft.com
      sls.microsoft.com
      redir.metaservices.microsoft.com
      wustat.windows.com
      productactivation.one.microsoft.com
      download.windowsupdate.com
      c.microsoft.com
      .urs.microsoft.com
      ntservicepack.microsoft.com
      .download.microsoft.com
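The following shell script is an added example, not NethServer's own template or action code. It renders the list above plus the comma-separated SSLBypass property into a squid dstdomain ACL file, and prints the squid.conf fragment that the modifications in this issue describe: dynamic certificate generation out of /var/lib/ssl_db, DONT_VERIFY_PEER, no bump for localhost and for the bypassed domains, and a bump of everything else. The ACL file path /etc/squid/acls/ssl_bypass.acl and the bypass_ssl ACL name come from this issue; the port 3130 and the cert/key paths in https_port are assumed placeholders. Squid 3.3 directive names are used; `localhost` is a predefined ACL in squid 3.2 and later.

```shell
#!/bin/sh
# Added example (not NethServer's template code): build the SSL bypass ACL and
# the matching squid.conf fragment from the SSLBypass property.

# Well-known Windows Update hosts that must never be bumped (list from the issue).
# A leading dot means "this domain and all its subdomains" in squid dstdomain syntax.
WELL_KNOWN_BYPASS='images.metaservices.microsoft.com
crl.microsoft.com
.update.microsoft.com
www.download.windowsupdate.com
windowsupdate.microsoft.com
sls.microsoft.com
redir.metaservices.microsoft.com
wustat.windows.com
productactivation.one.microsoft.com
download.windowsupdate.com
c.microsoft.com
.urs.microsoft.com
ntservicepack.microsoft.com
.download.microsoft.com'

# render_ssl_bypass_acl "<comma separated SSLBypass value>"
# Prints one dstdomain entry per line: the well-known list followed by the custom
# sites. Whitespace around commas is stripped and empty items are dropped, so an
# empty property still yields the well-known list.
render_ssl_bypass_acl() {
    printf '%s\n' "$WELL_KNOWN_BYPASS"
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -v '^$' || :
}

# write_ssl_bypass_acl "<SSLBypass value>" "<acl file path>"
# Writes the rendered list to the ACL file squid reads (the template expansion step).
write_ssl_bypass_acl() {
    render_ssl_bypass_acl "$1" > "$2"
}

# ssl_bypass_contains "<acl file path>" "<site>"
# Exact, whole-line match: the check done by hand in test case 2.
ssl_bypass_contains() {
    grep -qxF "$2" "$1"
}

# render_squid_ssl_bump "<acl file path>" "<ssl_db path>"
# Prints the squid.conf directives for transparent SSL interception with bypass.
render_squid_ssl_bump() {
    acl_file=$1
    ssl_db=$2
    cat <<EOF
# Transparent HTTPS port; 3130 and the cert/key paths are assumed placeholders
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/pki/tls/certs/proxy.crt key=/etc/pki/tls/private/proxy.key
# Dynamic certificate generator backed by the db created with "ssl_crtd -c -s $ssl_db"
sslcrtd_program /usr/lib64/squid/ssl_crtd -s $ssl_db -M 4MB
sslcrtd_children 5
# Accept upstream certificates squid cannot verify (the DONT_VERIFY_PEER option)
sslproxy_flags DONT_VERIFY_PEER
# Domains that are never bumped: well-known Windows Update hosts plus SSLBypass
acl bypass_ssl dstdomain "$acl_file"
ssl_bump none localhost
ssl_bump none bypass_ssl
ssl_bump server-first all
EOF
}

# Stand-alone demo with a constructed SSLBypass value.
render_ssl_bypass_acl "www.google.com, .dropbox.com"
render_squid_ssl_bump /etc/squid/acls/ssl_bypass.acl /var/lib/ssl_db
```

The bypass list is evaluated before `ssl_bump server-first all`, so the order of the `ssl_bump` lines matters: a later `none` rule would never be reached for a domain already matched by `all`. Sites whose clients pin their certificate (the Facebook-in-Chrome failure above is the symptom) belong in SSLBypass rather than being bumped.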

Associated revisions

Revision 532de0e4
Added by Giacomo Sanchietti almost 5 years ago

db defaults: add SSLBypass property. Refs #2977

Revision 64c85b12
Added by Giacomo Sanchietti almost 5 years ago

ACL: add SSL bypass. Refs #2977

Revision 4c787a84
Added by Giacomo Sanchietti almost 5 years ago

spec: requires nethserver-httpd. Refs #2977

Revision e1d20f56
Added by Giacomo Sanchietti almost 5 years ago

Web UI: publish SSL CA cert for download. Refs #2977

Revision 8bdac6ba
Added by Giacomo Sanchietti almost 5 years ago

config action: force link creation. Refs #2977

Revision 29505fa9
Added by Giacomo Sanchietti almost 5 years ago

squid.conf template: refactor bypass_ssl acl. Refs #2977

Revision 6879b481
Added by Giacomo Sanchietti almost 5 years ago

squid.conf: bypass url rewriter for sites in bypass_ssl acl. Refs #2977

Revision ae188656
Added by Giacomo Sanchietti almost 5 years ago

shorewall: fix transparent ssl proxy on blue. Refs #2964 #2977

Revision 9419b842
Added by Giacomo Sanchietti almost 5 years ago

squid.conf: fix template logic. Refs #2977 #2964

History

#1 Updated by Giacomo Sanchietti almost 5 years ago

  • Category set to nethserver-squid
  • Status changed from NEW to TRIAGED
  • Target version set to v6.5
  • % Done changed from 0 to 20

#2 Updated by Giacomo Sanchietti almost 5 years ago

  • Description updated (diff)

#3 Updated by Giacomo Sanchietti almost 5 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#4 Updated by Giacomo Sanchietti almost 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#5 Updated by Giacomo Sanchietti almost 5 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
Packages in nethserver-testing:
  • nethserver-squid-1.2.1.1-9.0git8bdac6ba.ns6.noarch.rpm
  • nethserver-squid-1.2.1.1-13.0git6879b481.ns6.noarch.rpm
Test case 1
  • Install the updated release
  • Check /var/lib/ssl_db has been created
  • Enable SSL transparent mode
  • Download the certificate into the client: the certificate is available inside the configuration page or at http://<green_ip>/proxy.crt
  • Try to open an SSL site
Test case 2
  • Add a site into SSL bypass:
    config setprop squid SSLBypass www.google.com
    signal-event nethserver-squid-update
    
  • Check the site is present inside /etc/squid/acls/ssl_bypass.acl file

#6 Updated by Filippo Carletti almost 5 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90
[root@localhost ~]# ls -ld /var/lib/ssl_db/
drwxr-xr-x. 3 squid squid 4096 Dec 11 17:34 /var/lib/ssl_db/

Opening a bumped website, the browser's SSL icon is not green and the details reveal that the certificate is coming from NethServer, but everything's working as expected.

Two notes:
Facebook can't be accessed because of a "broken" certificate.
A more useful example of a bypass would be:
config setprop squid SSLBypass .dropbox.com
(note the dot, squid syntax)

#7 Updated by Giacomo Sanchietti over 4 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100
Released in nethserver-updates:
  • squid-3.3.13-1.el6.x86_64.rpm
  • nethserver-squid-1.3.0-1.ns6.noarch.rpm
