參考網站:
SQUID Transparent Proxy (HTTP+HTTPs)
設定SQUID 成為 HTTP/HTTPS 代理伺服器及啟動 ICAP client功能
Jedi Linuxer: 利用 Squid 代理伺服器(Proxy)分析 HTTPS 連線內容
Configure Squid as HTTP and HTTPS Transparent Proxy
Configure squid-3.3 in transparent mode on CentOS 7 with SSL bum – Notes Wiki
CentOS 7.x x64
NAT Client:192.168.1.0/24
NAT Server:192.168.1.254
1. 安裝 perl-Crypt-OpenSSL-X509 套件
# yum install perl-Crypt-OpenSSL-X509 –enablerepo=epel
2. 初始化 Squid SSL DB
# /usr/lib64/squid/ssl_crtd -c -s /var/lib/ssl_db
Initialization SSL db…
Done[@more@]
3. 改變擁有者及群組
# chown -R squid.squid /var/lib/ssl_db
4. 如果有開啟 SELinux
# chcon -R -u system_u -t squid_conf_t /var/lib/ssl_db
5. 修改 /etc/squid/squid.conf
僅列出特別修改的地方
# vim /etc/squid/squid.conf
http_port 3130
http_port 3128 intercept
http_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem key=/etc/squid/ssl_cert/myca.pem
#always_direct allow all
ssl_bump server-first all
#sslproxy_cert_error deny all
#sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
coredump_dir /var/spool/squid
shutdown_lifetime 1 second
6. 使用 OpenSSL 來建立 Squid 憑證
# cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.$(date +%F)
# vim /etc/pki/tls/openssl.cnf
default_days = 1365 # how long to certify for
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = TW
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Yilan
localityName = Locality Name (eg, city)
localityName_default = TouCheng
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Elementary School
# we can do this but it is not needed normally 🙂
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Proxy Server
commonName = Common Name (eg, your name or your server’s hostname)
commonName_default = proxy.test.ilc.edu.tw
commonName_max = 64
emailAddress = test@gmail.com
emailAddress_max = 64
7. 建立目錄
# mkdir /etc/squid/ssl_cert
8. 改變目錄擁有者及群組
# chown -R squid.squid /etc/squid/ssl_cert
9. 切換目錄
# cd /etc/squid/ssl_cert
10. 建立 Server Key,按 Enter 鍵即可
# openssl req -new -newkey rsa:1024 -days 1365 -nodes -x509 -keyout myca.pem -out myca.pem
Generating a 1024 bit RSA private key
………………………………………..++++++
………++++++
writing new private key to ‘myca.pem’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [TW]:
State or Province Name (full name) [Yilan]:
Locality Name (eg, city) [TouCheng]:
Organization Name (eg, company) [Elementary School]:
Organizational Unit Name (eg, section) [Proxy Server]:
Common Name (eg, your name or your server’s hostname) [proxy.test.ilc.edu.tw]:
test@gmail.com []:
11. 建立 Windows Client Key
# openssl x509 -in myca.pem -outform DER -out myca.der
12. 修改防火牆設定
# iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 –dport 80 -j DNAT –to 192.168.1.254:3128
# iptables -t nat -A PREROUTING -p tcp -s 192.168.1.0/24 –dport 443 -j DNAT –to 192.168.1.254:3129