In this article, we will look at how to install and configure a Squid proxy server with HTTPS filtering support on Linux (Ubuntu 20.04 in this example).
Most websites on the internet now work over HTTPS. The Squid package available in the Ubuntu repositories is built without SSL support, so it cannot be used to filter HTTPS traffic. Below we look at how to build an HTTPS-enabled Squid proxy server from source and configure it for site filtering.
Building a Squid Proxy Server with HTTPS Support
To enable source package repositories in Ubuntu, edit the APT sources list:
sudo nano /etc/apt/sources.list
Uncomment all lines starting with deb-src.
Update the list of packages and install the necessary programs:
sudo apt update
sudo apt install openssl devscripts build-essential dpkg-dev libssl-dev libsasl2-modules-gssapi-mit
Create a directory for squid sources:
sudo mkdir /home/squid
cd /home/squid
Download the squid source files:
sudo apt build-dep squid -y
sudo apt source squid
sudo chmod 777 squid_4.10-1ubuntu1.3.dsc
cd squid-4.10/
Open the debian/rules file and add the following options to the list of configure flags so that Squid is compiled with SSL support:
--enable-ssl \
--enable-ssl-crtd \
--with-openssl
Build the package from the source files (takes a long time):
sudo dpkg-buildpackage -d
cd ..
Now install the packages (this will return an error about missing dependencies):
sudo dpkg -i *.deb
If the previous command returns an error, you need to install the missing dependencies:
sudo apt install -f
Repeat installation:
sudo dpkg -i *.deb
Make sure squid is built with SSL support (the output should list --with-openssl and --enable-ssl-crtd):
squid -v | grep ssl
Configuring Squid as a Transparent HTTPS Proxy
Make a copy of the squid configuration file:
sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.save
Clear the config file:
sudo cp /dev/null /etc/squid/squid.conf
Edit your squid config file:
sudo nano /etc/squid/squid.conf
Add the following lines to the squid configuration:
access_log /var/log/squid/access.log squid
acl blacklist url_regex -i "/etc/squid/blacklist"
acl whitelist url_regex -i "/etc/squid/whitelist"
acl localnet src 10.24.1.0/24 # RFC 1918 local private network (LAN1)
acl localnet src 10.20.1.0/24 # RFC 1918 local private network (LAN2)
acl manager proto cache_object
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access allow whitelist
http_access deny blacklist
http_access deny manager
include /etc/squid/conf.d/*
http_access allow localnet
http_access allow localhost
http_access deny all
# Port for HTTP traffic (if specified manually)
http_port 3128
# Transparent port for HTTP traffic
http_port 3129 intercept
# Port for HTTPS traffic (if you specify intercept, it will be transparent)
https_port 3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB tls-cert=/etc/squid/proxyCA.pem tls-key=/etc/squid/proxyCA.pem cipher=HIGH:MEDIUM:!LOW:!RC4:!SEED:!IDEA:!3DES:!MD5:!EXP:!PSK:!DSS options=NO_TLSv1,NO_SSLv3,SINGLE_DH_USE,SINGLE_ECDH_USE tls-dh=prime256v1:/etc/squid/bump_dhparam.pem
# Squid accepts upstream certificate validation errors for every site; narrow this in production
sslproxy_cert_error allow all
always_direct allow all
# SNI-based lists; these must be the same files created below in /etc/squid/
acl whitelist_ssl ssl::server_name_regex "/etc/squid/whitelist"
acl blacklist_ssl ssl::server_name_regex "/etc/squid/blacklist"
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate blacklist_ssl
ssl_bump terminate !whitelist_ssl
ssl_bump splice all
#ssl_bump server-first all
#ssl_bump none all
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern \/(Packages|Sources)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
refresh_pattern \/Release(|\.gpg)$ 0 0% 0 refresh-ims
refresh_pattern \/InRelease$ 0 0% 0 refresh-ims
refresh_pattern \/(Translation-.*)(|\.bz2|\.gz|\.xz)$ 0 0% 0 refresh-ims
# example pattern for deb packages
#refresh_pattern (\.deb|\.udeb)$ 129600 100% 129600
refresh_pattern . 0 20% 4320
Create files for the whitelist and blacklist of sites:
sudo touch /etc/squid/blacklist
sudo touch /etc/squid/whitelist
Be sure to include at least one site in each file. Entries are regular expressions, one per line, in the following format:
contoso\.com
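As an added example (not part of the original article), the script below builds list entries in the format shown above and checks which SNI hostnames the whitelist_ssl / blacklist_ssl ACLs would accept. The anchored (^|\.)domain$ form is a suggested hardening, not the article's format, and the sample lists are constructed temporary files rather than /etc/squid/whitelist.

```shell
#!/bin/sh
# Added example, not from the original article: build list entries in the
# regex format the article uses and check which SNI hostnames they match.
# Squid's url_regex / ssl::server_name_regex ACLs are unanchored POSIX extended
# regexes (case-insensitive with -i), which grep -E -i approximates closely.

# make_entry DOMAIN: emit an anchored entry that matches DOMAIN and its
# subdomains only (assumed hardening of the article's bare "contoso\.com" form).
make_entry() {
    escaped=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '(^|\\.)%s$\n' "$escaped"
}

# sni_matches LISTFILE HOST: exit 0 if any entry in LISTFILE matches HOST.
sni_matches() {
    printf '%s\n' "$2" | grep -E -i -q -f "$1"
}

# Constructed sample lists (temporary files, not /etc/squid/whitelist).
WORKDIR=$(mktemp -d)
BARE_LIST="$WORKDIR/whitelist_bare"
ANCHORED_LIST="$WORKDIR/whitelist_anchored"
printf 'contoso\\.com\n' > "$BARE_LIST"          # the article's format
make_entry contoso.com > "$ANCHORED_LIST"        # anchored variant

# check_lists HOST: report the verdict of each list for HOST.
check_lists() {
    bare=deny
    anchored=deny
    sni_matches "$BARE_LIST" "$1" && bare=allow
    sni_matches "$ANCHORED_LIST" "$1" && anchored=allow
    printf '%s bare=%s anchored=%s\n' "$1" "$bare" "$anchored"
}

check_lists www.contoso.com          # both lists allow
check_lists WWW.CONTOSO.COM          # -i makes matching case-insensitive
check_lists contoso.com.example.net  # only the bare entry allows this
check_lists notcontoso.com           # only the bare entry allows this
```

The bare entry also matches any hostname that merely contains contoso.com, so whitelist entries should be anchored to the domain boundary.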
Now create your own CA certificate and key (both are written to the same file, proxyCA.pem):
cd /etc/squid/
sudo openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 -extensions v3_ca -keyout proxyCA.pem -out proxyCA.pem
Then export the certificate in DER format for installation on users’ computers:
sudo openssl x509 -in proxyCA.pem -outform DER -out squid.der
Generate a DH parameter file:
sudo openssl dhparam -outform PEM -out /etc/squid/bump_dhparam.pem 2048
Set permissions:
sudo chown proxy:proxy /etc/squid/bump_dhparam.pem
sudo chmod 400 /etc/squid/bump_dhparam.pem
sudo chown proxy:proxy /etc/squid/proxyCA.pem
sudo chmod 400 /etc/squid/proxyCA.pem
sudo chown proxy:proxy -R /var/spool/squid
sudo chown proxy:proxy -R /var/log/squid/
Create a directory for the certificate base and initialize it:
sudo mkdir -p /var/lib/squid
sudo rm -rf /var/lib/squid/ssl_db
sudo /usr/lib/squid/security_file_certgen -c -s /var/lib/squid/ssl_db -M 4MB
sudo chown -R proxy:proxy /var/lib/squid
Enable the ip_forward kernel option (this setting does not survive a reboot; add net.ipv4.ip_forward=1 to /etc/sysctl.conf to make it persistent):
sudo sysctl -w net.ipv4.ip_forward=1
Apply the configuration and restart squid:
sudo squid -k reconfigure
sudo systemctl restart squid
Redirect incoming HTTP and HTTPS traffic to the Squid intercept ports (these iptables rules are not persistent across reboots):
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3129
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3130
This completes the Squid setup. You just need to install the squid.der certificate into the trusted root store on users’ computers.