Squid https aufbrechen: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| Zeile 19: | Zeile 19: | ||
*openssl x509 -inform PEM -in $CERT -out $CA_CERT_D/squid_proxyCA.crt | *openssl x509 -inform PEM -in $CERT -out $CA_CERT_D/squid_proxyCA.crt | ||
*update-ca-certificates | *update-ca-certificates | ||
| + | =Die squid.conf= | ||
| + | <pre> | ||
| + | acl SSL_ports port 443 | ||
| + | |||
| + | acl Safe_ports port 80 # http | ||
| + | acl Safe_ports port 21 # ftp | ||
| + | acl Safe_ports port 443 # https | ||
| + | acl Safe_ports port 1025-65535 # unregistered ports | ||
| + | |||
| + | acl purge method PURGE | ||
| + | acl CONNECT method CONNECT | ||
| + | acl lan src 10.0.10.0/24 | ||
| + | |||
| + | http_access allow manager localhost | ||
| + | http_access deny manager | ||
| + | |||
| + | http_access allow purge localhost | ||
| + | http_access deny purge | ||
| + | |||
| + | http_access deny !Safe_ports | ||
| + | http_access deny CONNECT !SSL_ports | ||
| + | |||
| + | http_access allow lan | ||
| + | http_access allow localhost | ||
| + | http_access deny all | ||
| + | |||
| + | http_port 3128 ssl-bump cert=/etc/squid/certs/squid_proxyCA.pem generate-host-certificates=on options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,SINGLE_DH_USE,SINGLE_ECDH_USE | ||
| + | ssl_bump bump all | ||
| + | |||
| + | coredump_dir /var/spool/squid | ||
| + | logfile_rotate 0 | ||
| + | |||
| + | refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 | ||
| + | refresh_pattern . 0 20% 4320 | ||
| + | |||
| + | cache_dir ufs /var/spool/squid 200 16 256 | ||
| + | |||
| + | </pre> | ||
| + | =Restart von Squid= | ||
| + | *systemctl restart squid | ||
| + | |||
=Die squid.conf= | =Die squid.conf= | ||
<pre> | <pre> | ||
Version vom 24. September 2022, 13:02 Uhr
Installation von squid
- Wir brauchen eine angepasste Version von squid
- Diese können wir selbst komplilieren oder das squid-openssl Paket von nutzen
- apt install squid-openssl
Erstellen eines Selbstsignierten Zertifikates
- Variablen setzen und Verzeichnis anlegen
- CERT_D=/etc/squid/certs/
- CERT=$CERT_D/squid_proxyCA.pem
- rm -rf $CERT
- mkdir -p $CERT_D
- Generieren Sie ein lokales selbstsigniertes CA-Zertifikat und geheimen Schlüssel (in derselben Datei))
- openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -keyout $CERT -out $CERT
- chown -R proxy:proxy $CERT_D
- chmod 0400 $CERT
- füge das squid_proxyCA-Zertifikat zum System hinzu, damit es standardmäßig vertrauenswürdig ist
- CA_CERT_D=/usr/local/share/ca-certificates
- rm -rf $CA_CERT_D/*
- mkdir -p $CA_CERT_D
- openssl x509 -inform PEM -in $CERT -out $CA_CERT_D/squid_proxyCA.crt
- update-ca-certificates
Die squid.conf
acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 1025-65535 # unregistered ports acl purge method PURGE acl CONNECT method CONNECT acl lan src 10.0.10.0/24 http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow lan http_access allow localhost http_access deny all http_port 3128 ssl-bump cert=/etc/squid/certs/squid_proxyCA.pem generate-host-certificates=on options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,SINGLE_DH_USE,SINGLE_ECDH_USE ssl_bump bump all coredump_dir /var/spool/squid logfile_rotate 0 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 cache_dir ufs /var/spool/squid 200 16 256
Restart von Squid
- systemctl restart squid
Die squid.conf
acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 1025-65535 # unregistered ports acl purge method PURGE acl CONNECT method CONNECT acl lan src 10.0.10.0/24 http_access allow manager localhost http_access deny manager http_access allow purge localhost http_access deny purge http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow lan http_access allow localhost http_access deny all http_port 3128 ssl-bump cert=/etc/squid/certs/squid_proxyCA.pem generate-host-certificates=on options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1,SINGLE_DH_USE,SINGLE_ECDH_USE ssl_bump bump all coredump_dir /var/spool/squid logfile_rotate 0 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 cache_dir ufs /var/spool/squid 200 16 256