Encrypted browser-Squid connection
-
Hi
Do you know if the communication between Squid Proxy server and browser is encrypted?
Can anyone sniff the Proxy authentication passwords?
Thanks
-
Here is a good starting point for you: https://wiki.squid-cache.org/Features/HTTPS#Encrypted_browser-Squid_connection
-
Thanks, very useful! I have activated the option "https_port 192.168.0.1:3129" in the Squid configuration, but I get this error:
/pkg_edit.php: The command '/usr/local/sbin/squid -k reconfigure -f /usr/local/etc/squid/squid.conf' returned exit code '1', the output was 'FATAL: No valid signing SSL certificate configured for HTTPS_port 192.168.0.1:3129 Squid Cache (Version 3.5.27): Terminated abnormally.
How can I configure a certificate? The GUI shows an option to select a certificate, but it is for "SSL Man In the Middle Filtering", which I don't use.
My pfSense WebConfigurator has a Let's Encrypt certificate; I hope to use the same certificate.
-
I found the solution.
First I downloaded and modified this script to export the Let's Encrypt certificate from the config.xml file:
#!/bin/sh
set -eu

XMLLINT=/usr/local/bin/xmllint
BASE64_DECODE='/usr/local/bin/python2 -m base64 -d'
OPENSSL="/usr/bin/openssl"
KEYTOOL="/usr/local/bin/keytool"
PFSENSE_CONF=/cf/conf/config.xml

# pfSense stores each PEM blob base64-encoded in <cert><prv> / <cert><crt>;
# the <cert> entry is selected by its <descr> (whitespace-normalised).
extract_private_key() {
    local RAW XPATH
    XPATH="/pfsense/cert[descr[normalize-space(.) = '$1']]/prv/text()"
    RAW="$("$XMLLINT" --xpath "$XPATH" "$PFSENSE_CONF")"
    printf "%s\n" "$(echo "$RAW" | $BASE64_DECODE)"
}

extract_certificate() {
    local RAW XPATH
    XPATH="/pfsense/cert[descr[normalize-space(.) = '$1']]/crt/text()"
    RAW="$("$XMLLINT" --xpath "$XPATH" "$PFSENSE_CONF")"
    printf "%s\n" "$(echo "$RAW" | $BASE64_DECODE)"
}

# Key first, then certificate: the combined file is what Squid's cert= expects.
combine_pem() {
    local PRIVATE_KEY CERTIFICATE
    PRIVATE_KEY="$(extract_private_key "$1")"
    CERTIFICATE="$(extract_certificate "$1")"
    printf '%s\n%s\n' "$PRIVATE_KEY" "$CERTIFICATE"
}

main() {
    local KEYSTORE PFSENSE_CERT_NAME
    if [ "$#" -ne 1 ]; then
        printf "Not enough arguments.\nUsage:\n\t%s\n" \
            "$0 certificate_name" >&2
        exit 1
    fi
    PFSENSE_CERT_NAME="$1"
    # Progress message goes to stderr so it does not end up inside cert.pem
    # when stdout is redirected to the file (as in the cron job below).
    echo "Extracting cert+key from pfSense" >&2
    combine_pem "$PFSENSE_CERT_NAME"
}

main "$@"
Afterwards, I added the script as a cron job:
30 3 * * * root /root/pemExtract pfsense.mycompany.com > /usr/local/etc/squid/cert.pem
Finally, I added these parameters to the Squid Advanced options:
https_port 192.168.0.1:3129 cert=/usr/local/etc/squid/cert.pem
Firefox and Chrome are working perfectly, but Internet Explorer is not compatible with a secure proxy. I modified my proxy wpad.dat file to detect IE:
function FindProxyForURL(url, host) {
    var httpProxy  = "PROXY pfsense.mycompany.com:3128";
    var httpsProxy = "HTTPS pfsense.mycompany.com:3129";

    // Internet Explorer 6-11: the conditional-compilation comment is only
    // honoured by IE's JScript engine, where it turns the expression into !false.
    // PAC scripts normally run without a DOM, so the document/window lookups are
    // guarded with typeof: an unguarded reference would throw a ReferenceError
    // in engines that do not define them and abort the whole PAC file.
    var isIE = /*@cc_on!@*/false ||
        (typeof document !== "undefined" && !!document.documentMode);
    // Edge 20+
    var isEdge = !isIE && typeof window !== "undefined" && !!window.StyleMedia;

    if (
        url.substring(0, 7) == "chrome:" ||
        url.substring(0, 6) == "about:" ||
        shExpMatch(host, "localhost") ||
        isInNet(host, "192.168.0.0", "255.255.255.0") ||
        isInNet(host, "127.0.0.0", "255.0.0.0") ||
        shExpMatch(host, "192.168.0.*") ||
        shExpMatch(host, "127.*") ||
        isPlainHostName(host)
    ) {
        return "DIRECT";
    }

    if (
        url.substring(0, 5) == "http:" ||
        url.substring(0, 6) == "https:" ||
        url.substring(0, 4) == "ftp:"
    ) {
        // IE and Edge cannot talk TLS to the proxy itself, so they get the
        // plain port; every other browser gets the encrypted port.
        if (isIE || isEdge) {
            return httpProxy;
        }
        return httpsProxy;
    }
    return httpsProxy;
}
Now the proxy is safe to use over the Internet, but I opened only port 3129 on the WAN. This means IE only works in the local network, but I don't care; almost nobody uses that browser.
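The export step above has one weak spot worth handling: the cron job writes the private key to cert.pem through a plain `>` redirect, so the file is created under cron's default umask and is readable by every local user until something tightens it. The following is an added example, not the poster's script nor pfSense or Squid code: it re-implements the same `<cert>`/`<descr>`/`<prv>`/`<crt>` lookup in Python (the posted script is sh with xmllint), checks that the entry really is a key+certificate pair, and writes the combined PEM with mode 0600 from the first byte. The config.xml fragment and the PEM bodies are constructed placeholders, and the element layout is assumed from the XPath expressions in the thread.

```python
"""Export a named certificate and private key from a pfSense-style config.xml
into one PEM file that only its owner can read (added example, not the
thread's script). The XML and PEM contents below are constructed placeholders.
"""
import base64
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed placeholder PEM blocks (not a real key or certificate).
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDERKEY\n-----END PRIVATE KEY-----\n"
FAKE_CRT = "-----BEGIN CERTIFICATE-----\nPLACEHOLDERCERT\n-----END CERTIFICATE-----\n"
OTHER_KEY = "-----BEGIN PRIVATE KEY-----\nOTHERKEY\n-----END PRIVATE KEY-----\n"
OTHER_CRT = "-----BEGIN CERTIFICATE-----\nOTHERCERT\n-----END CERTIFICATE-----\n"


def b64(text):
    """pfSense stores each PEM blob base64-encoded inside its XML element."""
    return base64.b64encode(text.encode()).decode()


# Constructed config.xml fragment in the layout the thread's XPath queries
# target. The second <descr> carries stray whitespace to exercise the
# normalize-space()-style match; refids are placeholders.
SAMPLE_CONFIG = f"""<?xml version="1.0"?>
<pfsense>
  <cert>
    <refid>placeholder-refid-1</refid>
    <descr><![CDATA[webConfigurator default]]></descr>
    <crt>{b64(OTHER_CRT)}</crt>
    <prv>{b64(OTHER_KEY)}</prv>
  </cert>
  <cert>
    <refid>placeholder-refid-2</refid>
    <descr><![CDATA[ pfsense.mycompany.com ]]></descr>
    <crt>{b64(FAKE_CRT)}</crt>
    <prv>{b64(FAKE_KEY)}</prv>
  </cert>
</pfsense>
"""


class CertNotFound(LookupError):
    pass


def find_cert(config_xml, descr):
    """Return (key_pem, cert_pem) for the <cert> whose <descr> equals `descr`
    after whitespace normalisation, like the XPath normalize-space() above."""
    wanted = " ".join(descr.split())
    root = ET.fromstring(config_xml)
    for cert in root.findall("cert"):
        if " ".join((cert.findtext("descr") or "").split()) == wanted:
            key = base64.b64decode(cert.findtext("prv") or "").decode()
            crt = base64.b64decode(cert.findtext("crt") or "").decode()
            return key, crt
    raise CertNotFound(descr)


def check_pair(key, crt):
    """Refuse entries that are not a usable key+cert pair (a CA entry or an
    imported certificate without its key); Squid would fail at reconfigure."""
    if "PRIVATE KEY-----" not in key:
        raise ValueError("entry has no private key")
    if "-----BEGIN CERTIFICATE-----" not in crt:
        raise ValueError("entry has no certificate")


def write_combined_pem(config_xml, descr, path):
    """Write key + certificate to `path` with mode 0600, atomically.

    mkstemp creates the temporary file 0600 from the start and os.replace
    swaps it into place, so no reader ever sees a world-readable or
    half-written key file, unlike a `>` redirect under the default umask."""
    key, crt = find_cert(config_xml, descr)
    check_pair(key, crt)
    data = key.rstrip("\n") + "\n" + crt.rstrip("\n") + "\n"
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".cert.pem.")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(data)
        os.chmod(tmp, 0o600)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return data


def file_mode(path):
    """Permission bits of `path`, for verifying the result."""
    return os.stat(path).st_mode & 0o777


def run_demo():
    """Export the constructed sample into a temp dir; returns (pem_text, mode)."""
    target = os.path.join(tempfile.mkdtemp(), "cert.pem")
    data = write_combined_pem(SAMPLE_CONFIG, "pfsense.mycompany.com", target)
    return data, file_mode(target)


if __name__ == "__main__":
    pem, mode = run_demo()
    print(pem, end="")
    print("mode: %o" % mode)
```

Run it from the same cron slot in place of the redirect, pointing `path` at /usr/local/etc/squid/cert.pem. If the Squid user rather than root has to read the file, chown it to that user (Squid's `cache_effective_user`) instead of loosening the mode; and because Squid only picks up a renewed certificate on reconfigure, follow the export with the same `squid -k reconfigure` the error message in this thread came from.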
-
@evilside said in Encrypted browser-Squid connection:
but I don't care, almost nobody use that browser.