Squid 3.5.0.4 http+https basic auth + ssl bump
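# #### pre-requisites ####
# I use the following Dockerfile for Squid:
# https://hub.docker.com/r/jamesyale/squid-sslbump/ to deploy the proxy
# Replace the existing /etc/squid/squid.ssl.conf with this file
#
# Create the user credentials with htpasswd (yum install httpd-tools):
# htpasswd [-c] /etc/squid/squidusers username
# -c creates a new file; omit it to add to / update an existing file.
# Do not use -p (stores the password in plaintext); let htpasswd hash it.
#
# Use the following command to test the user/pass (same helper path as
# the auth_param line below, so you test exactly what Squid will run):
# /usr/lib64/squid/basic_ncsa_auth /etc/squid/squidusers
# provide <user> <password> at the prompt, for example:
# paraita wrong_password
# ERR Wrong password
# paraita good_password
# OK
# Ctrl-D
#
# The credentials file holds password hashes: make it readable by the
# user Squid runs as (see cache_effective_user/group in your image),
# NOT by everyone -- avoid chmod o+r:
# chown root:squid /etc/squid/squidusers && chmod 640 /etc/squid/squidusers
#
# The dynamic certificate DB below must exist and be writable by the
# Squid user. It will hold the generated per-host certificates and their
# private keys, so keep it private to that user rather than world-readable:
# chown -R squid:squid /var/spool/squid/ssl_db && chmod 700 /var/spool/squid/ssl_db
#
# Generate the bumping CA. The command writes the CA certificate AND its
# private key into the same file; anyone holding that key can impersonate
# every HTTPS site to every client that trusts this CA, so lock the file
# down and distribute only the certificate part to clients:
# openssl req -new -newkey rsa:2048 \
# -sha256 -days 365 -nodes \
# -extensions v3_ca -x509 \
# -keyout /etc/squid/ssl.pem \
# -out /etc/squid/ssl.pem
# chown root:squid /etc/squid/ssl.pem && chmod 640 /etc/squid/ssl.pem
# (export the public cert for clients with:
#  openssl x509 -in /etc/squid/ssl.pem -out squid-ca.crt)

# tell Squid which helper validates the user-provided credentials
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squidusers
# NOTE: Basic auth sends the password base64-encoded (not encrypted) on
# every request to the proxy. Keep the client->proxy hop on a trusted
# network, or terminate it with TLS, if clients reach this port over
# untrusted links.

# http/https proxy port
http_port 3128 ssl-bump cert=/etc/squid/ssl.pem \
generate-host-certificates=on \
dynamic_cert_mem_cache_size=4MB

# Ports clients may CONNECT (tunnel) to
acl SSL_ports port 443
acl SSL_ports port 832
acl CONNECT method CONNECT

# http_access is first-match. The port restriction MUST come before the
# auth allow rule: with "allow onzelist" first, any authenticated user
# could CONNECT to arbitrary ports (an open tunnel to SSH, SMTP, ...).
http_access deny CONNECT !SSL_ports

# auth rule: everything else requires valid credentials. A request
# without (or with bad) credentials is answered with a 407 challenge.
acl onzelist proxy_auth REQUIRED
http_access allow onzelist

# Squid's default for a request that matches no http_access line is the
# OPPOSITE of the last line. Always close the list with an explicit deny
# so nothing can fall through as an open proxy.
http_access deny all

coredump_dir /var/spool/squid
cache_dir ufs /var/spool/squid 2048 16 256

# helper that mints the per-host certificates signed by the CA above
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid/ssl_db -M 4MB
sslcrtd_children 5

# Peek at the TLS ClientHello (step 1, gives us the SNI), then bump.
# "bump all" decrypts every client TLS session through this proxy. Sites
# using certificate pinning will break, and sensitive destinations you do
# not want to inspect should be spliced instead, e.g.
#   acl nobump ssl::server_name .example.bank
#   ssl_bump splice nobump
# placed before the "bump all" line.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all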