AEONMike Guide – SQUID 3.3 SSLBUMP under Debian
#Michael Cabalin http://www.PH-LWUG.org
Pinoy Linux : http://www.facebook.com/groups/117595725078450/
# Install Debian, then the build dependencies. libssl-dev is required: without the
# OpenSSL headers, ./configure --enable-ssl fails.
apt-get install build-essential gcc make libssl-dev
wget https://launchpad.net/squid/3.3/3.3.0.3/+download/squid-3.3.0.3.tar.gz
tar xvf squid-3.3.0.3.tar.gz
cd squid-3.3.0.3
./configure --enable-icap-client --enable-ssl
make
make install
Note that the configure options take two leading hyphens. A source build installs under /usr/local/squid by default, so the binary is /usr/local/squid/sbin/squid and the configuration file is /usr/local/squid/etc/squid.conf unless you pass --prefix or --sysconfdir to configure.
Generate a self-signed CA certificate
The certificate you hand to ssl-bump acts as a CA: Squid signs the per-site certificates it presents to clients with it, so every client that trusts it will accept Squid's impersonation of any HTTPS site. Treat the private key like a root-CA key (owned by root, mode 0600, never copied to clients) and keep it unencrypted, because Squid cannot prompt for a passphrase at startup.
• self-signed CA certificate and key (PEM format), written directly to the paths used in squid.conf below. Use at least a 2048-bit key; 1024-bit RSA is considered breakable and is no longer accepted for public CAs:
mkdir -p /etc/squid/ssl_cert/private
openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
    -keyout /etc/squid/ssl_cert/private/your.company.com.pem \
    -out /etc/squid/ssl_cert/your.company.com.pem
chmod 600 /etc/squid/ssl_cert/private/your.company.com.pem
• if needed, export the certificate (never the key) in DER format to import into browsers as a trusted root, which removes the untrusted-issuer warnings:
openssl x509 -in /etc/squid/ssl_cert/your.company.com.pem -outform DER -out your.company.com.der
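As an added example (not part of the guide), the script below produces the CA certificate the ssl-bump port needs and checks the two properties the one-liner above does not guarantee: that the certificate really is a CA (CA:TRUE, keyCertSign) and that the key is at least 2048 bits. It also confirms that the key and certificate belong together before Squid is started. The directory layout follows the cert=/key= paths used in the squid.conf below; the directory, CN and lifetime are example values.

```shell
#!/bin/sh
# Added example (not from the guide): generate a CA certificate suitable for
# Squid SslBump and lay it out where the squid.conf in this guide expects it.
# Directory, CN and lifetime are example values; adjust for your environment.

# make_bump_ca DIR CN [DAYS]
#   DIR/your.company.com.pem         CA certificate (cert= in squid.conf)
#   DIR/private/your.company.com.pem CA private key  (key=  in squid.conf)
#   DIR/your.company.com.der         DER copy for importing into browsers
make_bump_ca() {
    dir="$1"; cn="$2"; days="${3:-3650}"
    mkdir -p "$dir/private"
    chmod 700 "$dir/private"

    # Extensions that make this a real CA: Squid signs per-host certificates
    # with it, and browsers only trust a chain whose root has CA:TRUE and
    # keyCertSign. The empty [dn] section is fine because -subj supplies the name.
    cat > "$dir/bump-ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
[dn]
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # 2048-bit RSA instead of the guide's 1024-bit. -nodes leaves the key
    # unencrypted on purpose: Squid cannot prompt for a passphrase at startup.
    openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -days "$days" \
        -subj "/CN=$cn" -config "$dir/bump-ca.cnf" \
        -keyout "$dir/private/your.company.com.pem" \
        -out "$dir/your.company.com.pem"
    chmod 600 "$dir/private/your.company.com.pem"

    # DER copy of the certificate only (never the key) for browser import.
    openssl x509 -in "$dir/your.company.com.pem" -outform DER \
        -out "$dir/your.company.com.der"
}

# ca_is_usable CERT: succeed only if CERT is a CA certificate with an RSA key of
# at least 2048 bits, the two properties a plain "openssl req -x509" does not promise.
ca_is_usable() {
    text=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$text" | grep -q 'CA:TRUE' \
        || { echo "not a CA certificate: $1"; return 1; }
    printf '%s\n' "$text" | grep -Eq 'Public-Key: \(([2-9][0-9]{3}|[1-9][0-9]{4,}) bit\)' \
        || { echo "key shorter than 2048 bits: $1"; return 1; }
    return 0
}

# key_matches_cert KEY CERT: confirm the key= and cert= files belong together
# before starting Squid, instead of discovering a mismatch in cache.log.
key_matches_cert() {
    [ "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# Usage: sh make-bump-ca.sh /etc/squid/ssl_cert your.company.com [days]
if [ $# -ge 2 ]; then
    make_bump_ca "$1" "$2" "${3:-3650}"
    if ca_is_usable "$1/your.company.com.pem" \
       && key_matches_cert "$1/private/your.company.com.pem" "$1/your.company.com.pem"; then
        echo "CA ready in $1"
    fi
fi
```

Run it as root against /etc/squid/ssl_cert; the checks are deliberately separate functions so they can also be run against a certificate somebody else generated before it is trusted on a fleet of browsers.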
Onto the actual Squid configuration. Edit squid.conf (/usr/local/squid/etc/squid.conf for a default source build; /etc/squid/squid.conf or /etc/squid3/squid.conf for a packaged install) to contain the following:
always_direct allow all
ssl_bump allow all
http_port 192.9.200.32:3128 transparent
https_port 192.9.200.32:3129 transparent ssl-bump cert=/etc/squid/ssl_cert/your.company.com.pem key=/etc/squid/ssl_cert/private/your.company.com.pem
Change "cert=" and "key=" to point to the certificate and key you generated above, and replace the IP address with the proxy's LAN address. The https_port entry must be on a single line. "transparent" is the older spelling of "intercept"; Squid 3.3 accepts both.
The first directive (always_direct) is needed because of SslBump. A bumped request arrives without a proxy-style URL, and Squid otherwise treats it like an accelerator (reverse-proxy) request, for which it expects a configured backend (cache_peer) to fetch from; with none defined, cache.log shows "failed to select source for" and the request fails. always_direct allow all tells Squid to forward these requests straight to the origin server instead. More details on this here:
http://www.squid-cache.org/Doc/config/always_direct/
The second directive (ssl_bump) tells the proxy to bump (decrypt and re-encrypt) every TLS connection. Restrict it with ACLs so that only the domains you actually need to inspect are bumped, as in the filtering example at the end of this guide. In Squid 3.3 "allow" is the old spelling of the client-first mode; "ssl_bump server-first all" is preferable, because Squid then connects to the origin and checks its certificate before it answers the client. Note that "sslproxy_cert_error" does the opposite of what its name suggests: Squid already refuses sites whose certificate fails validation, and "sslproxy_cert_error allow <acl>" makes it ignore those errors for the matched sites. More details on this here:
http://wiki.squid-cache.org/Features/SslBump
Check the configuration with "squid -k parse", start Squid, and look at cache.log for errors. If none are reported, run:
netstat -nap | grep 3129
(or "ss -ltnp | grep 3129") to make sure the proxy is listening. Next, configure iptables to perform destination NAT, redirecting the traffic that arrives from the LAN to the proxy. The long options take two leading hyphens, and each rule is one line:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.9.200.32:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.9.200.32:3129
eth0 must be the interface the client traffic arrives on. PREROUTING only sees packets coming in on that interface, not connections the proxy itself opens, so Squid's own upstream connections are not looped back into it. These rules are not persistent; save them with iptables-save or add them to your firewall script.
The last step is to place the proxy physically in line with the traffic or to route the traffic to it from a router. Keep in mind that the proxy replaces the source IP address of the requests with its own; by default it does not preserve the client IP.
That was it in my case. The same setup also works in explicit (forward-proxy) mode; this was the squid.conf for that. Only one port is needed for both HTTP and HTTPS, since the browser tunnels HTTPS through the proxy with the CONNECT method:
always_direct allow all
ssl_bump allow all
http_port 8080 ssl-bump cert=/etc/squid/ssl_cert/proxy.testdomain.deCert.pem key=/etc/squid/ssl_cert/private/proxy.testdomain.deKey_without_Pp.pem
The http_port entry must be on a single line, and the key file must not be passphrase-protected.
SSL filtering example squid.conf
• Squid configuration (squid.conf), only the relevant parts:
acl …
acl …
# you must have CONNECT acl
acl CONNECT method CONNECT
acl metrobank dstdomain www.metrobank.com.ph
acl securitybank dstdomain www.securitybank.com.ph
# maybe not in the future, but we need this :
always_direct allow all
# permissions sections (allow / deny)
http_access allow…
http_access allow…
http_access allow…
http_access deny …
http_access deny …
http_access deny …
# Ignore certificate validation errors for this one site. This hides a bad or forged
# certificate from every client behind the proxy, so keep it scoped to a named ACL
# and never use "allow all" :
sslproxy_cert_error allow metrobank
# Leave this commented out: it disables upstream certificate verification for every site :
#sslproxy_flags DONT_VERIFY_PEER
# ssl_bump means that you want to intercept (MITM) this SSL connection
ssl_bump allow metrobank
ssl_bump allow securitybank
# and we don't want to intercept other SSL sites :
ssl_bump deny all
# now, you can tell Squid which HTTPS URLs you want to forbid :
…
http_access allow localnet
http_access allow localhost
http_access deny all
# tell Squid you want to intercept SSL on this explicit port.
# WARNING: clients reach this port with CONNECT, so do NOT add "intercept" (the new
# name for "transparent") here. Intercepted HTTPS needs its own
# https_port ... intercept ssl-bump entry, as in the transparent setup above.
http_port 3128 ssl-bump cert=/path/to/your/self-signed/cert/www.yourcompany.com.pem
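The directives in this example decide whether clients behind the proxy can still detect a forged upstream certificate, so it is worth checking a squid.conf for them automatically before it goes live. The script below is an added example, not part of the guide or of Squid: it strips comments, then flags an active DONT_VERIFY_PEER, any sslproxy_cert_error allow, an ssl_bump rule that bumps everything, and the deprecated transparent keyword. The two sample configurations it writes are constructed for the test and modelled on the two setups in this guide; all file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the guide): audit a squid.conf for SslBump settings
# that weaken upstream TLS validation. Sample configs below are constructed.

# Print one finding per line for the given squid.conf. Comments are stripped
# first, so the guide's commented-out "#sslproxy_flags DONT_VERIFY_PEER" does
# not fire, but the same line uncommented does.
audit_squid_conf() {
    conf="$1"
    active=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$conf")

    # Peer verification switched off globally: every upstream certificate is accepted.
    printf '%s\n' "$active" \
        | grep -E '^[[:space:]]*sslproxy_flags[[:space:]]+.*DONT_VERIFY_PEER' \
        | sed 's/^/CRITICAL: upstream certificate verification disabled for all sites: /'

    # Certificate errors ignored for every site.
    printf '%s\n' "$active" \
        | grep -E '^[[:space:]]*sslproxy_cert_error[[:space:]]+allow[[:space:]]+all([[:space:]]|$)' \
        | sed 's/^/CRITICAL: certificate errors ignored for every site: /'

    # Certificate errors ignored for a named ACL: tolerable only if deliberate and scoped.
    printf '%s\n' "$active" \
        | grep -E '^[[:space:]]*sslproxy_cert_error[[:space:]]+allow[[:space:]]+' \
        | grep -vE 'allow[[:space:]]+all([[:space:]]|$)' \
        | sed 's/^/WARNING: certificate errors ignored for a scoped ACL (clients cannot detect MITM on those hosts): /'

    # Bumping everything: all TLS traffic is decrypted on the proxy.
    printf '%s\n' "$active" \
        | grep -E '^[[:space:]]*ssl_bump[[:space:]]+(allow|client-first|server-first)[[:space:]]+all([[:space:]]|$)' \
        | sed 's/^/WARNING: every TLS session is bumped; scope ssl_bump to the domains you need to inspect: /'

    # Deprecated spelling of intercept on a listening port.
    printf '%s\n' "$active" \
        | grep -E '^[[:space:]]*https?_port[[:space:]]+.*[[:space:]]transparent([[:space:]]|$)' \
        | sed 's/^/INFO: "transparent" is the deprecated spelling of "intercept": /'
}

# Number of findings, for use as a deploy gate.
count_findings() {
    audit_squid_conf "$1" | grep -c .
}

# Succeeds if any CRITICAL finding is present.
has_critical() {
    audit_squid_conf "$1" | grep -q '^CRITICAL'
}

# Constructed sample 1: the scoped filtering config from this guide.
write_sample_scoped() {
    cat > "$1" <<'EOF'
acl CONNECT method CONNECT
acl metrobank dstdomain www.metrobank.com.ph
always_direct allow all
# some sites need this :
sslproxy_cert_error allow metrobank
#sslproxy_flags DONT_VERIFY_PEER
ssl_bump allow metrobank
ssl_bump deny all
http_port 3128 ssl-bump cert=/etc/squid/ssl_cert/your.company.com.pem key=/etc/squid/ssl_cert/private/your.company.com.pem
EOF
}

# Constructed sample 2: the bump-everything transparent config with peer
# verification turned off, the combination this audit exists to catch.
write_sample_bump_all() {
    cat > "$1" <<'EOF'
always_direct allow all
ssl_bump allow all
sslproxy_flags DONT_VERIFY_PEER
http_port 192.9.200.32:3128 transparent
https_port 192.9.200.32:3129 transparent ssl-bump cert=/etc/squid/ssl_cert/your.company.com.pem key=/etc/squid/ssl_cert/private/your.company.com.pem
EOF
}

# Usage: sh audit-squid.sh /path/to/squid.conf ; exit status 1 if a CRITICAL finding exists.
if [ $# -ge 1 ]; then
    audit_squid_conf "$1"
    if has_critical "$1"; then exit 1; fi
fi
```

The scoped sample yields a single WARNING (the metrobank exception); the bump-everything sample yields a CRITICAL for DONT_VERIFY_PEER, a WARNING for ssl_bump allow all and two INFO lines for the transparent ports, so a deploy gate that fails on CRITICAL blocks the second configuration.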
