Step one: install the packages needed to build Squid proxy with ssl-bump enabled (note which commands are run with sudo and which without).
apt-get source squid3
sudo apt-get build-dep squid3
sudo apt-get build-dep openssl
sudo apt-get build-dep openssh
sudo apt-get install devscripts build-essential fakeroot
Check whether the proxy user and proxy group already exist on the system:
grep "proxy" /etc/passwd
If there is no output at all, run the lines below; if there is output, skip ahead to "Step two".
adduser --system --home /var/spool/squid3 --group proxy
chsh -s /bin/sh proxy
Step two: download the Squid source and compile it to build the squid binary
wget http://www.squid-cache.org/Versions/v3/3.4/squid-3.4.4.tar.bz2
tar xjfv squid-3.4.4.tar.bz2
cd squid-3.4.4
./configure --datadir=/usr/share/squid3 \
  --sysconfdir=/etc/squid3 \
  --mandir=/usr/share/man \
  --with-cppunit-basedir=/usr \
  --enable-inline \
  --enable-async-io=8 \
  --enable-storeio="ufs,aufs,diskd" \
  --enable-removal-policies="lru,heap" \
  --enable-delay-pools \
  --enable-cache-digests \
  --enable-underscores \
  --enable-icap-client \
  --enable-follow-x-forwarded-for \
  --enable-auth \
  --enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,DB,POP3,getpwnam,squid_radius_auth,multi-domainNTLM" \
  --enable-arp-acl \
  --enable-esi \
  --enable-zph-qos \
  --enable-wccpv2 \
  --enable-ssl \
  --enable-ssl-crtd \
  --disable-translation \
  --with-logdir=/var/log/squid3 \
  --with-pidfile=/var/run/squid3.pid \
  --with-filedescriptors=65536 \
  --with-large-files \
  --with-default-user=proxy
make all
sudo make install
sudo cp src/squid /usr/sbin/squid3
sudo mkdir -p /usr/libexec/
sudo cp src/ssl/ssl_crtd /usr/libexec/ssl_crtd
sudo mkdir -p /var/cache/squid3
sudo chown -R proxy. /var/cache/squid3
Create the directory that caches the auto-generated certificates
sudo /usr/libexec/ssl_crtd -c -s /var/lib/ssl_db
sudo chown -R proxy. /var/lib/ssl_db
Update the Debian SysV init scripts so squid3 is started at boot (the squid3-3.1.20 directory is the Debian package source fetched by apt-get source in step one)
cd ../squid3-3.1.20
sudo cp debian/squid3.rc /etc/init.d/squid3
sudo update-rc.d squid3 defaults 30
Minimal Squid configuration
sudo nano /etc/squid3/squid.conf
## squid 3.3.x configuration start ##
#
# Recommended minimum configuration:
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
acl lan-net src 192.168.1.0/24
acl SSL_ports port 443          # https
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
http_access allow lan-net
## ssl-bump ##
always_direct allow all
ssl_bump client-first all   # disable cert mimicking
#ssl_bump server-first all  # enable cert mimicking
sslproxy_cert_error allow all
# Or may be deny all according to your company policy
# sslproxy_cert_error deny all
# DONT_VERIFY_PEER makes Squid accept any origin certificate, so clients can
# no longer tell a genuine server from a forged one
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 0.0.0.0:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB key=/etc/squid3/certs/squid.key cert=/etc/squid3/certs/squid.pem
# Uncomment and adjust the following to add a disk cache directory.
# (this must be the directory created and chown'ed to proxy in step two)
cache_dir ufs /var/cache/squid3 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/cache/squid3
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
## squid configuration end ##
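As an added example (not part of this write-up or of Squid itself), the following Python script parses the ssl-bump related directives of a squid.conf like the one above and reports which of them discard certificate checks; SAMPLE_CONF is a constructed excerpt of that configuration.

```python
"""Audit the ssl-bump directives in a Squid 3.x squid.conf.

Added example, not part of the original write-up or of Squid itself.
"""

# Constructed excerpt of the squid.conf shown above.
SAMPLE_CONF = """\
ssl_bump client-first all   # disable cert mimicking
#ssl_bump server-first all  # enable cert mimicking
sslproxy_cert_error allow all
# sslproxy_cert_error deny all
sslproxy_flags DONT_VERIFY_PEER
sslcrtd_program /usr/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
http_port 0.0.0.0:3128 ssl-bump generate-host-certificates=on key=/etc/squid3/certs/squid.key cert=/etc/squid3/certs/squid.pem
http_access deny all
"""


def parse_directives(text):
    """Yield (directive, [args]) for each active line; '#' starts a comment."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, *args = line.split()
            yield name, args


def audit_ssl_bump(text):
    """Return findings describing how much of the TLS trust chain this config throws away."""
    directives = list(parse_directives(text))
    findings = []
    bump_ports = [a for n, a in directives if n == "http_port" and "ssl-bump" in a]
    if bump_ports and not any(n == "ssl_bump" for n, _ in directives):
        findings.append("http_port enables ssl-bump but no ssl_bump rule exists: nothing is decrypted")
    for name, args in directives:
        if name == "sslproxy_flags" and "DONT_VERIFY_PEER" in args:
            findings.append("sslproxy_flags DONT_VERIFY_PEER: origin certificates are never validated")
        elif name == "sslproxy_cert_error" and args[:1] == ["allow"]:
            findings.append("sslproxy_cert_error allow: origin certificate errors are hidden from clients")
        elif name == "ssl_bump" and args[:1] == ["client-first"]:
            findings.append("ssl_bump client-first: generated certificates cannot mimic the origin certificate")
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_bump(SAMPLE_CONF):
        print("WARNING:", finding)
```

Run it against /etc/squid3/squid.conf by reading the file into audit_ssl_bump; the commented-out deny all and server-first alternatives in the config above clear two of the three findings.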
Step three: create the fake (self-signed) SSL certificate for the Squid proxy server
Copy and paste the script below into a script file named Certificate_creator.sh
mkdir /tmp/demoCA
#!/bin/bash
## bash create certificate start ##
OPENSSL=/usr/bin/openssl
SSLDIR=/tmp/demoCA
mkdir -p $SSLDIR || exit 1
rm -rf $SSLDIR/*
# private key of the proxy's own CA
[ -e $SSLDIR/squid.key ] || $OPENSSL genrsa 4096 > $SSLDIR/squid.key
# self-signed CA certificate valid for 10 years; the echo answers the interactive
# prompts in order: country, state, locality, organisation, unit, common name, e-mail
[ -e $SSLDIR/squid.pem ] || (echo -e "ID\nJakarta\nJakarta-Pusat\nMyCA\nIT\n*\n[email protected]\n" | $OPENSSL req -new -x509 -days 3650 -key $SSLDIR/squid.key -out $SSLDIR/squid.pem)
# DER copy of the certificate for import into the client browsers
[ -e $SSLDIR/client.der ] || $OPENSSL x509 -in $SSLDIR/squid.pem -outform DER -out $SSLDIR/client.der
## bash create certificate end ##
Run the script with "./Certificate_creator.sh", after first making it executable with "chmod +x Certificate_creator.sh".
The Certificate_creator.sh script produces three files, squid.key, squid.pem and client.der, in the /tmp/demoCA directory.
sudo mkdir /etc/squid3/certs
cd /tmp/demoCA
sudo cp squid.key squid.pem /etc/squid3/certs
Step four: set the browser proxy settings on the client to the proxy's IP address and port 3128, then import the CA (Certificate Authority), i.e. the client.der file, into the browser's Trusted CA store; see the picture and the numbered steps.
Test by pointing the browser at a website whose address starts with https and watch Squid's access.log in /var/log/squid3. If the https browsing traffic shows up in the log (MISS, HIT, GET, POST), https interception is working. Good luck, and please point out anything wrong in this write-up so it can be revised promptly. Regards
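To make that final log check concrete, here is an added Python example (not from this write-up or from Squid) that parses Squid's native access.log format and separates CONNECT tunnels from requests that ssl-bump actually decrypted, i.e. entries whose URL begins with https://; the log lines are constructed samples.

```python
"""Spot ssl-bump decrypted traffic in Squid's native access.log.

Added example, not part of the original write-up or of Squid itself.
"""
import re
from collections import Counter

# Native log format: time elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)

# Constructed sample lines: one CONNECT tunnel, two decrypted https requests
# (a MISS and a HIT) from the same client, and a plain http request from another.
SAMPLE_LOG = """\
1400000000.001      0 192.168.1.10 TCP_MISS/200 0 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1400000000.250    245 192.168.1.10 TCP_MISS/200 5123 GET https://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
1400000000.900    120 192.168.1.10 TCP_HIT/200 2048 GET https://www.example.com/logo.png - HIER_NONE/- image/png
1400000001.100     80 192.168.1.11 TCP_MISS/200 900 GET http://www.example.org/ - HIER_DIRECT/93.184.216.35 text/html
"""


def parse_line(line):
    """Return the fields of one access.log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def bumped_requests(log_text):
    """Entries with an https:// URL: without ssl-bump only the opaque CONNECT line is logged."""
    entries = (parse_line(l) for l in log_text.splitlines())
    return [e for e in entries if e and e["url"].startswith("https://")]


def summarize(log_text):
    """Per-client counts of CONNECT tunnels, decrypted https requests and plain http requests."""
    summary = {}
    for e in filter(None, (parse_line(l) for l in log_text.splitlines())):
        c = summary.setdefault(e["client"], Counter())
        if e["method"] == "CONNECT":
            c["connect"] += 1
        elif e["url"].startswith("https://"):
            c["bumped"] += 1
        else:
            c["plain"] += 1
    return summary


if __name__ == "__main__":
    for client, c in summarize(SAMPLE_LOG).items():
        print(f"{client}: {c['connect']} CONNECT, {c['bumped']} bumped https, {c['plain']} plain http")
```

A client that shows CONNECT lines but zero bumped entries is one whose traffic is being tunnelled rather than intercepted, which is what you see before the CA from step three is trusted by the browser.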