paraita/squid.ssl.conf

## squid.ssl.conf
# #### pre-requisites ####
# I use the following Dockerfile for Squid:
#  https://hub.docker.com/r/jamesyale/squid-sslbump/ to deploy the proxy
# Replace the existing /etc/squid/squid.ssl.conf with this file
# Create the users credentials with htpasswd (yum install httpd-tools)
#  htpasswd [-c] /etc/squid/squidusers username
#   -с is to create a new file, not to change the existing file
# Use the following command to test the user/pass:
#  /usr/lib64/squid3/basic_ncsa_auth /etc/squid/squidusers
#   provide <user> <password> at the prompt, for example:
#     paraita wrong_password
#     ERR Wrong password
#     paraita good_password
#     OK
#     Ctrl-D
# Make sure squid can read the credentials file:
#  chmod o+r /etc/squid/squidusers
# Make sure the following folder exist and is readable
# by everyone:
#  /var/spool/squid/ssl_db
# Generate the certificate:
#  openssl req -new -newkey rsa:2048 \
#       -sha256 -days 365 -nodes \
#       -extensions v3_ca  -x509 \
#       -keyout /etc/squid/ssl.pem \
#       -out /etc/squid/ssl.pem

# tell Squid what tool to validate user provided credentials
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squidusers

# http/https proxy port
http_port 3128 ssl-bump cert=/etc/squid/ssl.pem \
    generate-host-certificates=on \
    dynamic_cert_mem_cache_size=4MB

# auth rule
acl onzelist proxy_auth REQUIRED
http_access allow onzelist

# deny https so it falls back to the auth rule
acl SSL_ports port 443
acl SSL_ports port 832
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports

coredump_dir /var/spool/squid
cache_dir ufs /var/spool/squid 2048 16 256
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid/ssl_db -M 4MB
sslcrtd_children 5

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
	# #### pre-requisites ####
	# I use the following Dockerfile for Squid:
	# https://hub.docker.com/r/jamesyale/squid-sslbump/ to deploy the proxy
	# Replace the existing /etc/squid/squid.ssl.conf with this file
	# Create the users credentials with htpasswd (yum install httpd-tools)
	# htpasswd [-c] /etc/squid/squidusers username
	# -с is to create a new file, not to change the existing file
	# Use the following command to test the user/pass:
	# /usr/lib64/squid3/basic_ncsa_auth /etc/squid/squidusers
	# provide <user> <password> at the prompt, for example:
	# paraita wrong_password
	# ERR Wrong password
	# paraita good_password
	# OK
	# Ctrl-D
	# Make sure squid can read the credentials file:
	# chmod o+r /etc/squid/squidusers
	# Make sure the following folder exist and is readable
	# by everyone:
	# /var/spool/squid/ssl_db
	# Generate the certificate:
	# openssl req -new -newkey rsa:2048 \
	# -sha256 -days 365 -nodes \
	# -extensions v3_ca -x509 \
	# -keyout /etc/squid/ssl.pem \
	# -out /etc/squid/ssl.pem

	# tell Squid what tool to validate user provided credentials
	auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squidusers

	# http/https proxy port
	http_port 3128 ssl-bump cert=/etc/squid/ssl.pem \
	generate-host-certificates=on \
	dynamic_cert_mem_cache_size=4MB

	# auth rule
	acl onzelist proxy_auth REQUIRED
	http_access allow onzelist

	# deny https so it falls back to the auth rule
	acl SSL_ports port 443
	acl SSL_ports port 832
	acl CONNECT method CONNECT
	http_access deny CONNECT !SSL_ports

	coredump_dir /var/spool/squid
	cache_dir ufs /var/spool/squid 2048 16 256
	sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid/ssl_db -M 4MB
	sslcrtd_children 5

	acl step1 at_step SslBump1
	ssl_bump peek step1
	ssl_bump bump all