Encrypted browser-Squid connection



  • Hi

    Do you know if the communication between Squid Proxy server and browser is encrypted?

    Can anyone sniff the Proxy authentication passwords?

    Thanks





  • Thanks, very useful. I have activated the option "https_port 192.168.0.1:3129" in the Squid configuration, but I get this error:

    /pkg_edit.php: The command '/usr/local/sbin/squid -k reconfigure -f /usr/local/etc/squid/squid.conf' returned exit code '1', the output was 'FATAL: No valid signing SSL certificate configured for HTTPS_port 192.168.0.1:3129 Squid Cache (Version 3.5.27): Terminated abnormally.

    How can I configure a certificate? The GUI shows an option to select a certificate, but it is for "SSL Man In the Middle Filtering", which I don't use.

    My pfSense WebConfigurator has a Let's Encrypt certificate; I hope to use the same certificate.



  • I found the solution.

    First, I downloaded and modified this script to export the Let's Encrypt certificate from the config.xml file:

    #!/bin/sh
    # Extract the private key and certificate of one pfSense certificate entry
    # (matched by its description) from config.xml and print them as a single
    # PEM on stdout.
    set -eu
    XMLLINT=/usr/local/bin/xmllint
    BASE64_DECODE='/usr/local/bin/python2 -m base64 -d'
    OPENSSL="/usr/bin/openssl"        # not used by this script
    KEYTOOL="/usr/local/bin/keytool"  # not used by this script
    PFSENSE_CONF=/cf/conf/config.xml

    # $1 = certificate description exactly as shown in the pfSense GUI
    extract_private_key() {
        local RAW XPATH
        XPATH="/pfsense/cert[descr[normalize-space(.) = '$1']]/prv/text()"
        RAW="`"$XMLLINT" --xpath "$XPATH" "$PFSENSE_CONF"`"
        printf "%s\n" "`echo "$RAW" | $BASE64_DECODE`"
    }

    extract_certificate() {
        local RAW XPATH
        XPATH="/pfsense/cert[descr[normalize-space(.) = '$1']]/crt/text()"
        RAW="`"$XMLLINT" --xpath "$XPATH" "$PFSENSE_CONF"`"
        printf "%s\n" "`echo "$RAW" | $BASE64_DECODE`"
    }

    # Key and certificate in one file, so Squid's cert= option alone (no key=)
    # is enough.
    combine_pem() {
        local PRIVATE_KEY CERTIFICATE
        PRIVATE_KEY="`extract_private_key "$1"`"
        CERTIFICATE="`extract_certificate "$1"`"
        printf '%s\n%s\n' "$PRIVATE_KEY" "$CERTIFICATE"
    }

    main() {
        local PFSENSE_CERT_NAME
        if [ "$#" -ne 1 ]; then
            printf "Not enough arguments.\nUsage:\n\t%s\n" \
                "$0 certificate_name" >&2
            exit 1
        fi
        PFSENSE_CERT_NAME="$1"

        # Progress message goes to stderr so that only the PEM reaches stdout
        # (the cron job below redirects stdout into cert.pem).
        echo "Extracting cert+key from pfSense" >&2
        combine_pem "$PFSENSE_CERT_NAME"
    }
    main "$@"
    

    Afterwards, I added the script as a cron job:

    30 3 * * * root /root/pemExtract pfsense.mycompany.com > /usr/local/etc/squid/cert.pem
    

    Finally, I added these parameters to the Squid Advanced options:

    https_port 192.168.0.1:3129 cert=/usr/local/etc/squid/cert.pem
    

    Firefox and Chrome work perfectly, but Internet Explorer is not compatible with a secure proxy. I modified my proxy wpad.dat file to detect IE:

    function FindProxyForURL(url, host)
    {
        var httpProxy  = "PROXY pfsense.mycompany.com:3128";  // plain HTTP proxy (IE/Edge only)
        var httpsProxy = "HTTPS pfsense.mycompany.com:3129";  // TLS-wrapped proxy
        // Internet Explorer 6-11: JScript conditional compilation turns the
        // comment into "!false" in IE. document and window do not exist in
        // most PAC sandboxes, so they are only touched when defined.
        var isIE = /*@cc_on!@*/false ||
                   (typeof document !== "undefined" && !!document.documentMode);
        // Edge 20+
        var isEdge = !isIE && typeof window !== "undefined" && !!window.StyleMedia;
        // Browser-internal URLs and local networks bypass the proxy
        if (
            url.substring(0, 7) == "chrome:"
            || url.substring(0, 6) == "about:"
            || shExpMatch(host, "localhost")
            || isInNet(host, "192.168.0.0", "255.255.255.0")
            || isInNet(host, "127.0.0.0", "255.0.0.0")
            || shExpMatch(host, "192.168.0.*")
            || shExpMatch(host, "127.*")
            || isPlainHostName(host)
        ) {
            return "DIRECT";
        }
        if (
            url.substring(0, 5) == "http:"
            || url.substring(0, 6) == "https:"
            || url.substring(0, 4) == "ftp:"
        ) {
            if (isIE || isEdge) {
                return httpProxy;   // no HTTPS-proxy support: fall back to the plain proxy
            }
            return httpsProxy;
        }
        return httpsProxy;
    }
    

    Now the proxy is safe to use over the Internet, but I opened only port 3129 on the WAN. This means IE only works on the local network, but I don't care; almost nobody uses that browser.
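    The same extraction in Python, added here as an example rather than code from the post or from pfSense: it does the whitespace-normalised <descr> lookup that the XPath above does, rejects entries that carry no PEM key or certificate (a wrong name or a CA entry would otherwise produce a file Squid rejects only at the next reconfigure), and writes the combined file with mode 0600, because the '>' redirect in the cron job above creates cert.pem with root's default umask and that file holds the private key. The config.xml snippet and the PEM bodies are constructed placeholders.

```python
import base64, os
import xml.etree.ElementTree as ET

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed stand-in for /cf/conf/config.xml with the layout the forum
# script queries (/pfsense/cert/descr, crt, prv); the PEM bodies are dummies.
SAMPLE_CONFIG = """<pfsense>
  <cert><descr><![CDATA[ pfsense.mycompany.com ]]></descr>
        <crt>%s</crt><prv>%s</prv></cert>
  <cert><descr>Root CA</descr><crt>%s</crt></cert>
</pfsense>""" % (
    _b64("-----BEGIN CERTIFICATE-----\nMIIB/dummy/\n-----END CERTIFICATE-----\n"),
    _b64("-----BEGIN RSA PRIVATE KEY-----\nMIIE/dummy/\n-----END RSA PRIVATE KEY-----\n"),
    _b64("-----BEGIN CERTIFICATE-----\nMIIC/dummy/\n-----END CERTIFICATE-----\n"),
)

def _decode(node, tag):
    text = "".join((node.findtext(tag) or "").split())   # drop stray whitespace
    return base64.b64decode(text, validate=True).decode()

def extract_pem(config_xml, descr):
    """Return key+cert PEM for the one <cert> whose <descr>, after whitespace
    normalisation (as the script's XPath does), equals descr."""
    root = ET.fromstring(config_xml)
    hits = [c for c in root.findall("cert")
            if " ".join((c.findtext("descr") or "").split()) == descr]
    if len(hits) != 1:
        raise LookupError("expected one cert named %r, found %d" % (descr, len(hits)))
    key, crt = _decode(hits[0], "prv"), _decode(hits[0], "crt")
    # Refuse non-PEM output: a CA entry without a key, or a wrong name, would
    # otherwise give Squid a file it rejects only at the next reconfigure.
    if "PRIVATE KEY-----" not in key or "-----BEGIN CERTIFICATE-----" not in crt:
        raise ValueError("entry %r lacks a PEM private key or certificate" % descr)
    return key.rstrip("\n") + "\n" + crt.rstrip("\n") + "\n"

def write_private_pem(path, pem):
    """Write pem with mode 0600 regardless of umask (a cron '>' redirect
    inherits the umask, typically 022, leaving the key world-readable)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(pem)
    os.chmod(path, 0o600)           # tighten an existing file too
    return os.stat(path).st_mode & 0o777
```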


  • Netgate Administrator

    @evilside said in Encrypted browser-Squid connection:

    but I don't care; almost nobody uses that browser.

    😆