05 Juni 2015

Transparent Proxy Squid SSL/HTTPS Support

Setelah mentok gara² certificate error akhirnya bisa sukses juga menggunakan transparent proxy untuk protocol HTTPS. Saya coba jelaskan secara garis besar dan singkat yah :-).

1. Update koleksi ports di FreeBSD untuk mendapatkan versi terbaru dan terupdate:
# portsnap fetch
# portsnap extract
# portsnap update
atau via SVN
# svn checkout svn://svn.freebsd.org/ports/head /usr/ports
2. Install squid seri versi 3.x yang sudah medukung SSLBump:
# cd /usr/ports/www/squid
# make menu
Pastikan opsi untuk SSL dan ssl_crtd support dicentang!
# make install clean
3. Konfigurasi post-install untuk direktori, permission etc:
# mkdir /usr/local/squid/ssl_db (Untuk penyimpanan cert-cache)
# chown -R squid:squid /usr/local/squid/ssl_db
# mkdir /usr/local/etc/squid/certs (Untuk penyimpanan cert self-signing)
# chown -R squid:squid /usr/local/etc/squid/certs
4. Pembuatan ceritificate self-signing yang akan digunakan oleh squid:
# cd /usr/local/etc/squid/certs
# openssl req -new -newkey rsa:1024 -days 1365 -nodes -x509 -keyout squid.pem -out squid.pem
# openssl x509 -in squid.pem -outform DER -out squid.der (DER Format)
# openssl x509 -in squid.pem -outform DER -out squid.crt (CRT Format)
5. Konfigurasi squid.conf:
# grep ssl /usr/local/etc/squid/squid.conf        
https_port yyy.yyy.yyy.yyy:xxxx transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/etc/squid/certs/squid.pem 
ssl_bump splice localhost        
ssl_bump server-first all        
ssl_bump bump all        
sslproxy_cert_error deny all        
sslproxy_flags DONT_VERIFY_PEER        
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /usr/local/squid/ssl_db -M 4MB    
sslcrtd_children 32 startup=5 idle=1     

# /usr/local/libexec/squid/ssl_crtd -c -s /usr/local/etc/squid/certs/ssl_db  (Initialized SSLdb)     
# /usr/local/etc/rc.d/squid start
6. Redirect semua traffic port HTTP/HTTPS ke port squid:
# vim /etc/rc.firewall
${fwcmd} add 10 fwd ${ipproxy},${porthttpsproxy} tcp from ${ipclient} to any dst-port ${porthttps} in via ${ifint0}
ipproxy="ip_proxy_server"
porthttpsproxy="port_squid_for_https"   // See squid.conf.manual for detail
ipclient="ip_client"                    // For example: 192.168.0.0/24
porthttps="443"                         // HTTPS port default
ifint0="LAN_eth"                        // Ethernet connected to LAN directly
Atau jika menggunakan packet filter OpenBSD:
# vim /etc/pf.conf
rdr pass on $ifint0 proto tcp from $ipclient to any port 443 -> $ipproxy port $porthttpsproxy
7. Import sertifikat squid.der (Windows aja) atau squid.crt (untuk format Android/Windows):
C:\> certmgr.msc (Simpan di bagian CA certificate, klik2 aja deh sendiri...)
8. DONE!

Tidak ada komentar: