Enhancement #2977
Proxy: intercept SSL connections (SSL transparent)
Status: | CLOSED | Start date: | |
---|---|---|---
Priority: | Normal | Due date: | |
Assignee: | - | % Done: | 100% |
Category: | nethserver-squid | | |
Target version: | v6.5 | | |
Resolution: | | NEEDINFO: | No |
Description
- a squid port
- an initial cert db setup
- a custom certificate
- a firewall redirection rule
But the actual implementation of the SSL proxy doesn't work correctly on some sites.
For example, Facebook can be accessed using Firefox but not using Chrome.
A specially crafted certificate (with the issuer set to *) doesn't resolve the issue.
- creation of the /var/lib/ssl_db directory:
    /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
    chown -R squid:squid /var/lib/ssl_db
- avoid ssl bump for localhost (ssl_bump none localhost)
- use the DONT_VERIFY_PEER option
- add a list of sites where ssl bump is disabled; the list must include:
  - custom sites from the comma separated SSLBypass property
  - well known sites for Windows update:
      images.metaservices.microsoft.com
      crl.microsoft.com
      .update.microsoft.com
      www.download.windowsupdate.com
      windowsupdate.microsoft.com
      sls.microsoft.com
      redir.metaservices.microsoft.com
      wustat.windows.com
      productactivation.one.microsoft.com
      download.windowsupdate.com
      c.microsoft.com
      .urs.microsoft.com
      ntservicepack.microsoft.com
      .download.microsoft.com
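As an added example (not NethServer's own template code), the following builds the contents of /etc/squid/acls/ssl_bypass.acl from the comma separated SSLBypass property plus the Windows update hosts above, and checks a destination host against Squid's dstdomain matching rule, which is what makes the leading dot in an entry matter. It assumes the file is loaded by an ACL line of the form `acl bypass_ssl dstdomain "/etc/squid/acls/ssl_bypass.acl"`.

```python
"""Added example: build Squid's ssl_bypass.acl from the SSLBypass property and test matches."""
from typing import List

# Well-known Windows Update hosts listed in the issue description.
WINDOWS_UPDATE_HOSTS = [
    "images.metaservices.microsoft.com", "crl.microsoft.com",
    ".update.microsoft.com", "www.download.windowsupdate.com",
    "windowsupdate.microsoft.com", "sls.microsoft.com",
    "redir.metaservices.microsoft.com", "wustat.windows.com",
    "productactivation.one.microsoft.com", "download.windowsupdate.com",
    "c.microsoft.com", ".urs.microsoft.com", "ntservicepack.microsoft.com",
    ".download.microsoft.com",
]


def parse_sslbypass(prop: str) -> List[str]:
    """Split the comma separated SSLBypass value, dropping blanks and duplicates."""
    seen, hosts = set(), []
    for item in prop.split(","):
        host = item.strip().lower()
        if host and host not in seen:
            seen.add(host)
            hosts.append(host)
    return hosts


def bypass_entries(prop: str) -> List[str]:
    """Everything that ends up in /etc/squid/acls/ssl_bypass.acl, one dstdomain entry per line."""
    return WINDOWS_UPDATE_HOSTS + parse_sslbypass(prop)


def render_acl(prop: str) -> str:
    """File contents; assumed to be read by: acl bypass_ssl dstdomain "/etc/squid/acls/ssl_bypass.acl"."""
    return "\n".join(bypass_entries(prop)) + "\n"


def dstdomain_matches(entry: str, host: str) -> bool:
    """Squid dstdomain rule: a leading dot matches the domain and every subdomain;
    an entry without the dot matches only that exact host (hence 'note the dot')."""
    host = host.lower().rstrip(".")
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def is_bypassed(prop: str, host: str) -> bool:
    """True when a CONNECT to host would match bypass_ssl and so skip ssl_bump."""
    return any(dstdomain_matches(entry, host) for entry in bypass_entries(prop))
```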
Associated revisions
db defaults: add SSLBypass property. Refs #2977
ACL: add SSL bypass. Refs #2977
spec: requires nethserver-httpd. Refs #2977
Web UI: publish SSL CA cert for download. Refs #2977
config action: force link creation. Refs #2977
squid.conf template: refactor bypass_ssl acl. Refs #2977
squid.conf: bypass url rewriter for sites in bypass_ssl acl. Refs #2977
History
#1 Updated by Giacomo Sanchietti over 6 years ago
- Category set to nethserver-squid
- Status changed from NEW to TRIAGED
- Target version set to v6.5
- % Done changed from 0 to 20
#2 Updated by Giacomo Sanchietti over 6 years ago
- Description updated (diff)
#3 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#4 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#5 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-squid-1.2.1.1-9.0git8bdac6ba.ns6.noarch.rpm
- nethserver-squid-1.2.1.1-13.0git6879b481.ns6.noarch.rpm
- Install the updated release
- Check /var/lib/ssl_db has been created
- Enable SSL transparent mode
- Download the certificate into the client: the certificate is available inside the configuration page or at http://<green_ip>/proxy.crt
- Try to open an SSL site
- Add a site into SSL bypass:
    config setprop squid SSLBypass www.google.com
    signal-event nethserver-squid-update
- Check the site is present inside the /etc/squid/acls/ssl_bypass.acl file
#6 Updated by Filippo Carletti over 6 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
[root@localhost ~]# ls -ld /var/lib/ssl_db/
drwxr-xr-x. 3 squid squid 4096 Dec 11 17:34 /var/lib/ssl_db/
Opening a bumped website, the ssl browser icon is not green and details reveal that the cert is coming from nethserver, but everything's working as expected.
Two notes:
- Facebook can't be accessed because of a "broken" certificate.
- A more useful example of a bypass would be:
    config setprop squid SSLBypass .dropbox.com
  (note the dot, squid syntax)
#7 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
- squid-3.3.13-1.el6.x86_64.rpm
- nethserver-squid-1.3.0-1.ns6.noarch.rpm