Instalar/Configurar Squid 3 com HTTPs transparente no CentOS 7
Autor: Silvio Garbes
# ---------------- #
# INSTALAR O SQUID #
# ---------------- #
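# SELinux: use "permissive" rather than "disabled". Permissive still logs every
# denial to audit.log (so a proper squid policy / port label can be written later)
# and keeps file labels intact; "disabled" throws both away and needs a full
# relabel to ever turn enforcement back on. "setenforce 0" below already puts the
# running kernel in permissive, so the two settings now agree.
# vi /etc/selinux/config
SELINUX=permissive
# setenforce 0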
# Both RPMs are fetched over plain HTTP and fed straight to rpm. At this point no
# repository signing key has been imported, so rpm can only warn (NOKEY) about the
# signature, not verify it - an on-path attacker can hand you a different package.
# On CentOS 7, "yum install epel-release" (from the signed "extras" repo) is the
# verified way to get EPEL; for gf-release, import the project's key first and check
# the download with "rpm --checksig" before installing.
# rpm -Uvh http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# rpm -Uvh http://mirror.symnds.com/distributions/gf/el/7/gf/x86_64/gf-release-7-10.gf.el7.noarch.rpm
# vi /etc/yum.repos.d/gf.repo
# gf-plus deliberately replaces core CentOS packages (that is what its name warns
# about), so it widens the set of parties whose packages run as root on this box.
# Packages are GPG-verified (gpgcheck=1) against the key shipped by gf-release;
# the plaintext mirrorlist URL therefore only exposes which mirror is used, not
# package integrity.
[gf-plus]
name=Ghettoforge packages that will overwrite core distro packages.
mirrorlist=http://mirrorlist.ghettoforge.org/el/7/plus/$basearch/mirrorlist
# Please read http://ghettoforge.org/index.php/Usage *before* enabling this repository!
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-gf.el7
failovermethod=priority
# vi /etc/yum.repos.d/ngtech.repo
# SECURITY: gpgcheck=0 combined with a plain-HTTP baseurl means the squid
# packages - the very binary that will hold the interception CA key and see all
# decrypted traffic - are installed with no integrity or origin check at all.
# Anyone on the network path to the mirror can substitute them. If the
# repository publishes a signing key, set gpgcheck=1 and gpgkey= to it (and an
# HTTPS baseurl if offered); otherwise verify the downloaded RPM checksums out
# of band before installing, and keep enabled=1 only while installing squid.
[squid]
name=Squid repo for CentOS Linux - $basearch
#IL mirror
baseurl=http://www1.ngtech.co.il/repo/centos/$releasever/$basearch/
failovermethod=priority
enabled=1
gpgcheck=0
# With the unsigned ngtech repo and gf-plus enabled, "yum update" may also replace
# core packages from them; read the transaction summary before confirming.
# yum update
# Build/runtime dependencies, plus firewalld (used further down) and VMware tools.
# yum install open-vm-tools libxml2 expat-devel openssl-devel libcap libecap ccache libtool-ltdl-devel cppunit cppunit-devel bzr autoconf automake libtool gcc-c++ perl-Pod-MinimumVersion bzip2 ed make openldap-devel pam-devel db4-devel libxml2-devel libcap-devel screen vim nettle-devel redhat-lsb-core autoconf-archive perl wget firewalld
# yum install squid squid-helpers
# "squid -v" prints the configure options: confirm the build has --enable-ssl-crtd
# and OpenSSL support, otherwise the ssl-bump configuration below cannot load.
# squid -v
# systemctl enable squid.service
# systemctl enable firewalld.service
# ----------------- #
# CONFIGURAR SQUID #
# ----------------- #
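# cd /etc/squid
# mkdir ssl_cert
# chmod 700 ssl_cert
# cd ssl_cert
# This CA will be trusted by every client browser: whoever obtains the private key
# can impersonate any HTTPS site to all of them. "-nodes" leaves the key
# unencrypted on disk (Squid needs it that way to start unattended), so file
# permissions and hardening of this host are its only protection. 36500 days is a
# 100-year CA; a shorter lifetime forces periodic rotation, which is healthier.
# openssl req -new -newkey rsa:2048 -sha256 -days 36500 -nodes -x509 -keyout myca.pem -out myca.pem
Country Name (2 letter code) [XX]:BR
State or Province Name (full name) []:MEU ESTADO
Locality Name (eg, city) [Default City]:MINHA CIDADE
Organization Name (eg, company) [Default Company Ltd]:MINHA EMPRESA
Organizational Unit Name (eg, section) []:MEU SETOR
Common Name (eg, your name or your server's hostname) []:SQUID PROXY
Email Address []:MEU EMAIL
# The private key and the certificate share this one file: make it owner-only
# (the directory is 700, but the file itself was created with the default umask).
# chmod 600 myca.pem
# myca.der is the public certificate alone - this is the ONLY file that is handed
# to clients; myca.pem must never leave this directory.
# openssl x509 -in myca.pem -outform DER -out myca.der
# Initialise the on-disk cache of generated leaf certificates.
# /usr/lib64/squid/ssl_crtd -c -s /var/spool/squid_ssldb
# Squid drops privileges to the squid user and still has to read the CA key and
# write the certificate cache, hence the ownership change.
# chown squid:squid -R /var/spool/squid_ssldb
# chown squid:squid -R /etc/squid/ssl_cert
# squid -k parse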
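# vi /etc/squid/squid.conf
# Access control (http_access) is not part of this excerpt: keep the stock
# "localnet" rules matched to your LAN so that 3128 is not reachable as an open
# proxy from anywhere else.

# --- SSL-bump exemptions ------------------------------------------------------
# Destinations listed in these files are tunnelled without interception
# (apps that pin their certificates, update services, etc.).
acl ssl_exclude_domains dstdomain "/etc/squid/acl/ssl_exclude_domains.conf"
acl ssl_exclude_ip dst "/etc/squid/acl/ssl_exclude_ip.conf"
# NOTE(review): these two ACLs match a header the *client* chooses to send, so on
# the explicit port (3128) any client can opt out of inspection simply by adding
# "X-SSL-Bump: skip" to its CONNECT request. Remove ssl_skip_bump unless that
# client-controlled bypass is intended. With server-first bumping on the intercept
# ports the decision is taken on the fake CONNECT built from the TCP destination,
# before any client headers exist, so there the ACL cannot match anyway.
acl ssl_skip_bump req_header X-SSL-Bump -i skip
acl ssl_force_bump req_header X-SSL-Bump -i force

# --- Listening ports ----------------------------------------------------------
# 3126/3127 receive the traffic the firewall REDIRECTs (destination port 80/443);
# 3128 is the explicit proxy port. Leaf certificates are minted on the fly by
# ssl_crtd and signed with the CA in myca.pem.
http_port 3126 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem sslflags=DONT_VERIFY_DOMAIN
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem sslflags=DONT_VERIFY_DOMAIN
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB

# --- Upstream (server-side) TLS verification ----------------------------------
# The original configuration had "sslproxy_cert_error allow all" together with
# "sslproxy_flags DONT_VERIFY_PEER". Squid then accepted ANY upstream certificate
# (expired, self-signed, wrong name, attacker-issued) and re-signed it with the CA
# that every client trusts, so clients lost all TLS authentication and could not
# tell a real site from a man-in-the-middle sitting beyond the proxy. Keep Squid's
# default (deny) and verify against the system CA bundle; sites with broken
# certificates get an error page, which is the correct fail-closed behaviour. If
# one specific site must be let through, add a dedicated dstdomain ACL for it
# here instead of reopening "all".
sslproxy_cert_error deny all
# Plain PEM bundle shipped by ca-certificates on CentOS 7. (sslproxy_capath needs
# a directory of hashed symlinks, which /etc/ssl/certs on CentOS 7 is not by
# default, so the previous capath setting most likely verified nothing.)
sslproxy_cafile /etc/pki/tls/certs/ca-bundle.crt
# Server-side cipher/protocol policy: 3DES is now excluded rather than merely
# de-prioritised ("+3DES"), SSLv2/SSLv3 are disabled. Squid parses sslproxy_options
# as ONE colon/comma-separated token, so the original space-separated list (with
# "TLSv1*" names, which are not Squid option names) did not express what it looked
# like. Add NO_TLSv1 (and NO_TLSv1_1 on builds that know it) once you have
# confirmed no required site still depends on those protocol versions.
sslproxy_cipher HIGH:MEDIUM:!AECDH:!ADH:!DES:!3DES:!SSLv2:!RC4:!MD5:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP:!IDEA
sslproxy_options NO_SSLv2:NO_SSLv3

# --- Bump decision ------------------------------------------------------------
# First matching rule wins: exemptions first, then bump everything else.
# "server-first" is the pre-3.5 bumping mode; on 3.5 the peek/stare/bump steps
# give finer control (e.g. splicing by SNI instead of bumping).
ssl_bump none localhost
ssl_bump none ssl_exclude_domains
ssl_bump none ssl_exclude_ip
ssl_bump none ssl_skip_bump
ssl_bump server-first ssl_force_bump
ssl_bump server-first all

# --- Request header policy ----------------------------------------------------
# Do not reveal client addresses to origin servers. The allow-list below strips
# every request header that is not named (final "All deny all"); Squid's own Via
# header is governed by the separate "via" directive, not by this list.
forwarded_for off
request_header_access Allow allow all
request_header_access Authorization allow all
request_header_access WWW-Authenticate allow all
request_header_access Proxy-Authorization allow all
request_header_access Proxy-Authenticate allow all
request_header_access Cache-Control allow all
request_header_access Content-Encoding allow all
request_header_access Content-Length allow all
request_header_access Content-Type allow all
request_header_access Date allow all
request_header_access Expires allow all
request_header_access Host allow all
request_header_access If-Modified-Since allow all
request_header_access Last-Modified allow all
request_header_access Location allow all
request_header_access Pragma allow all
request_header_access Accept allow all
request_header_access Accept-Charset allow all
request_header_access Accept-Encoding allow all
request_header_access Accept-Language allow all
request_header_access Content-Language allow all
request_header_access Mime-Version allow all
request_header_access Retry-After allow all
request_header_access Title allow all
request_header_access Connection allow all
request_header_access Proxy-Connection allow all
request_header_access User-Agent allow all
request_header_access Cookie allow all
request_header_access All deny all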
# mkdir /etc/squid/acl
# vi /etc/squid/acl/ssl_exclude_domains.conf
# Domains tunnelled WITHOUT interception (leading dot = the domain and every
# subdomain). Apple/iCloud/Dropbox clients are known to pin their certificates and
# break behind a bumping proxy. Every entry here is a blind spot for inspection, so
# keep the list short and review it when adding to it.
.apple.com
.itunes.com
.icloud.com
.dropbox.com
.mzstatic.com
# vi /etc/squid/acl/ssl_exclude_ip.conf
# Destination IPs/ranges tunnelled WITHOUT interception. IP-based exemptions are
# much coarser than domain ones: a single cloud-hosted IP changes over time, and
# 104.16.0.0/12 is over a million addresses - every site fronted by that part of
# Cloudflare bypasses inspection, not just the one you had in mind. Prefer
# dstdomain entries where the client software allows it.
# Bitdefender
54.174.127.4
# Dropbox
162.125.0.0/16
# Cloudflare
104.16.0.0/12
# NOTE(review): Squid only needs to READ these lists. Root-owned, world-readable
# files would stop a compromised squid process from rewriting its own bypass
# list - verify "squid -k reconfigure" still loads them before changing this.
# chown squid:squid -R /etc/squid/acl
# squid -k parse
# systemctl restart squid.service
# IP forwarding is required because this host is the clients' default gateway;
# the REDIRECT/MASQUERADE firewall rules depend on it.
# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
# sysctl -p
# systemctl start firewalld.service
# Everything arriving on ens160 lands in the "internal" zone: this box has a single
# NIC that is both the clients' gateway and its own uplink. (--add-interface is not
# --permanent; it survives a reload only because internal is now the default zone.)
# firewall-cmd --set-default-zone=internal
# firewall-cmd --zone=internal --add-interface=ens160
# firewall-cmd --zone=internal --add-service=ssh --permanent
# NOTE(review): http/https open TCP 80/443 on the proxy host itself; nothing in this
# guide listens there, so these two services can be dropped unless something else
# on the host needs them.
# firewall-cmd --zone=internal --add-service=http --permanent
# firewall-cmd --zone=internal --add-service=https --permanent
# 3126/3127 are reached through the REDIRECT rules below, 3128 is the explicit
# proxy port; opening them to the zone is what lets LAN clients use them.
# firewall-cmd --zone=internal --add-port=3126/tcp --permanent
# firewall-cmd --zone=internal --add-port=3127/tcp --permanent
# firewall-cmd --zone=internal --add-port=3128/tcp --permanent
# Direct rules bypass zone filtering. REDIRECT sends all inbound 80/443 on ens160
# to Squid's intercept ports; MASQUERADE hides client addresses behind the proxy
# for whatever it forwards; the unconditional FORWARD ACCEPT turns the host into
# an unfiltered router for everything else the clients send through it (UDP, any
# other port). Tighten FORWARD to the protocols/ports you actually intend to route.
# firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -i ens160 -p tcp --dport 80 -j REDIRECT --to-port 3126
# firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -i ens160 -p tcp --dport 443 -j REDIRECT --to-port 3127
# firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -o ens160 -j MASQUERADE
# firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -j ACCEPT
# --complete-reload also flushes connection-tracking state (cuts established
# flows); a plain --reload is enough to activate the new permanent rules.
# firewall-cmd --complete-reload
# Verify the effective ruleset: zone assignment, opened ports and the direct rules.
# firewall-cmd --get-active-zones
# firewall-cmd --zone=internal --list-all
# firewall-cmd --direct --get-all-rules
# ---------------------------------------------- #
# INSTALAR CERTIFICADO NO NAVEGADOR DE INTERNET #
# ---------------------------------------------- #
# cd /etc/squid/ssl_cert
Copiar somente o certificado público myca.der para instalar no navegador de internet. Nunca distribua o myca.pem: ele contém a chave privada da CA, e quem a obtiver consegue interceptar o HTTPS de todos os clientes que confiam nela.
[Firefox]
Abra o Firefox -> Opções -> Avançado -> Certificados -> Ver certificados -> Autoridades -> Importar -> Selecione o certificado (myca.der) -> Marque apenas a opção de confiar nesta CA para identificar sites (não marque e-mail nem software: o proxy só precisa de confiança para sites) -> OK -> OK
[Google Chrome]
Abra o Chrome -> Configurações -> Avançadas -> Gerenciar certificados -> Autoridade de certificação raiz confiáveis -> Importar -> Selecione o certificado (myca.der) -> OK -> Fechar