Instalar/Configurar Squid 3 com HTTPS transparente no CentOS 7

Autor: Silvio Garbes

# ---------------- #

# INSTALAR O SQUID #

# ---------------- #

# vi /etc/selinux/config

SELINUX=disabled

# setenforce 0

# rpm -Uvh http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

# rpm -Uvh http://mirror.symnds.com/distributions/gf/el/7/gf/x86_64/gf-release-7-10.gf.el7.noarch.rpm

# vi /etc/yum.repos.d/gf.repo

[gf-plus]

name=Ghettoforge packages that will overwrite core distro packages.

# The mirrorlist is fetched over plain HTTP; the GPG check below is what protects
# the packages obtained through it from tampering, so keep gpgcheck=1.
mirrorlist=http://mirrorlist.ghettoforge.org/el/7/plus/$basearch/mirrorlist

# Please read http://ghettoforge.org/index.php/Usage *before* enabling this repository!

enabled=1

gpgcheck=1

# NOTE(review): this key file is presumably dropped by the gf-release rpm installed
# above (itself downloaded over plain HTTP); confirm the key out of band before
# relying on it.
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-gf.el7

failovermethod=priority

# vi /etc/yum.repos.d/ngtech.repo

[squid]

name=Squid repo for CentOS Linux - $basearch

#IL mirror

# Plain-HTTP baseurl: with gpgcheck=0 below there is no integrity check at all on
# the squid/squid-helpers packages installed from here.
baseurl=http://www1.ngtech.co.il/repo/centos/$releasever/$basearch/

failovermethod=priority

enabled=1

# NOTE(review): RPM signature verification is disabled for this repository.
# Prefer gpgcheck=1 with the repository's published key if one is available.
gpgcheck=0

# yum update

# yum install open-vm-tools libxml2 expat-devel openssl-devel libcap libecap ccache libtool-ltdl-devel cppunit cppunit-devel bzr autoconf automake libtool gcc-c++ perl-Pod-MinimumVersion bzip2 ed make openldap-devel pam-devel db4-devel libxml2-devel libcap-devel screen vim nettle-devel redhat-lsb-core autoconf-archive perl wget firewalld

# yum install squid squid-helpers

# squid -v

# systemctl enable squid.service

# systemctl enable firewalld.service

# ----------------- #

# CONFIGURAR SQUID #

# ----------------- #

# cd /etc/squid

# mkdir ssl_cert

# chmod 700 ssl_cert

# cd ssl_cert

# openssl req -new -newkey rsa:2048 -sha256 -days 36500 -nodes -x509 -keyout myca.pem -out myca.pem

Country Name (2 letter code) [XX]:BR

State or Province Name (full name) []:MEU ESTADO

Locality Name (eg, city) [Default City]:MINHA CIDADE

Organization Name (eg, company) [Default Company Ltd]:MINHA EMPRESA

Organizational Unit Name (eg, section) []:MEU SETOR

Common Name (eg, your name or your server's hostname) []:SQUID PROXY

Email Address []:MEU EMAIL

# openssl x509 -in myca.pem -outform DER -out myca.der

# /usr/lib64/squid/ssl_crtd -c -s /var/spool/squid_ssldb

# chown squid:squid -R /var/spool/squid_ssldb

# chown squid:squid -R /etc/squid/ssl_cert

# squid -k parse

# vi /etc/squid/squid.conf

# ACLs that decide which TLS connections are left alone (lists are created
# under /etc/squid/acl further below).
acl ssl_exclude_domains dstdomain "/etc/squid/acl/ssl_exclude_domains.conf"

acl ssl_exclude_ip dst "/etc/squid/acl/ssl_exclude_ip.conf"

# These two match a header the client itself sends, so any client can opt out of
# inspection by adding X-SSL-Bump: skip. Treat them as a testing convenience,
# not as an access control.
acl ssl_skip_bump req_header X-SSL-Bump -i skip

acl ssl_force_bump req_header X-SSL-Bump -i force

# Intercept ports for traffic redirected by the firewall rules below
# (80 -> 3126, 443 -> 3127). myca.pem holds the CA private key as well as the
# certificate (created with -nodes, i.e. unencrypted), which is why the
# ssl_cert directory is chmod 700 and owned by squid.
http_port 3126 intercept

https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem sslflags=DONT_VERIFY_DOMAIN

# Explicit (non-intercept) proxy port, also bumping.
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem sslflags=DONT_VERIFY_DOMAIN

sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB

# NOTE(review): the next two lines make Squid accept any upstream certificate
# (expired, self-signed, wrong hostname) and re-sign it with myca.pem, so browsers
# that trust myca.der can no longer detect a bad server certificate. Once the
# trust store below is confirmed to work, prefer `sslproxy_cert_error deny all`
# and drop DONT_VERIFY_PEER.
sslproxy_cert_error allow all

sslproxy_flags DONT_VERIFY_PEER

# OpenSSL cipher string: '!' removes a suite permanently, '+' only moves it to the
# end of the preference list, so MEDIUM and 3DES suites remain negotiable here.
sslproxy_cipher HIGH:MEDIUM:!AECDH:!ADH:!DES:!SSLv2:+SSLv3:+3DES:!RC4:!MD5:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP:!SEED:!IDEA

# NO_SSLv2 / NO_SSLv3 are OpenSSL option names; the bare TLSv1* tokens are not of
# that form -- check cache.log after `squid -k parse` for unknown-option warnings.
sslproxy_options NO_SSLv2 NO_SSLv3 TLSv1 TLSv1_1 TLSv1_2

# Trust store used to validate upstream certificates. It only has an effect once
# DONT_VERIFY_PEER / "cert_error allow all" above are removed. sslproxy_capath
# expects a directory of hash-named certificates; verify that /etc/ssl/certs is
# populated that way on this host, otherwise use the commented cafile instead.
#sslproxy_cafile /etc/pki/tls/certs/ca-bundle.trust.crt

sslproxy_capath /etc/ssl/certs

# ssl_bump rules are evaluated top to bottom, first match wins: exclusions first,
# then everything else is bumped server-first.
ssl_bump none localhost

ssl_bump none ssl_exclude_domains

ssl_bump none ssl_exclude_ip

ssl_bump none ssl_skip_bump

ssl_bump server-first ssl_force_bump

ssl_bump server-first all

# With 'off' the header is still sent, as "X-Forwarded-For: unknown"; use
# 'delete' to omit it entirely.
forwarded_for off

# Request-header allow list: every header not listed here is stripped by the
# final "All deny all" rule.
request_header_access Allow allow all

request_header_access Authorization allow all

request_header_access WWW-Authenticate allow all

request_header_access Proxy-Authorization allow all

request_header_access Proxy-Authenticate allow all

request_header_access Cache-Control allow all

request_header_access Content-Encoding allow all

request_header_access Content-Length allow all

request_header_access Content-Type allow all

request_header_access Date allow all

request_header_access Expires allow all

request_header_access Host allow all

request_header_access If-Modified-Since allow all

request_header_access Last-Modified allow all

request_header_access Location allow all

request_header_access Pragma allow all

request_header_access Accept allow all

request_header_access Accept-Charset allow all

request_header_access Accept-Encoding allow all

request_header_access Accept-Language allow all

request_header_access Content-Language allow all

request_header_access Mime-Version allow all

request_header_access Retry-After allow all

request_header_access Title allow all

request_header_access Connection allow all

request_header_access Proxy-Connection allow all

request_header_access User-Agent allow all

request_header_access Cookie allow all

request_header_access All deny all

# mkdir /etc/squid/acl

# vi /etc/squid/acl/ssl_exclude_domains.conf

.apple.com

.itunes.com

.icloud.com

.dropbox.com

.mzstatic.com

# vi /etc/squid/acl/ssl_exclude_ip.conf

# Destinations listed here are never bumped (ssl_bump none ssl_exclude_ip), so
# nothing sent to them is inspected. Vendor address ranges change over time;
# re-check these periodically.
# Bitdefender

54.174.127.4

# Dropbox

162.125.0.0/16

# Cloudflare
# NOTE(review): a /12 is about one million addresses, presumably shared by many
# unrelated sites behind Cloudflare; all of them bypass inspection via this entry.
104.16.0.0/12

# chown squid:squid -R /etc/squid/acl

# squid -k parse

# systemctl restart squid.service

# vi /etc/sysctl.conf

net.ipv4.ip_forward = 1

# sysctl -p

# systemctl start firewalld.service

# firewall-cmd --set-default-zone=internal

# firewall-cmd --zone=internal --add-interface=ens160

# firewall-cmd --zone=internal --add-service=ssh --permanent

# firewall-cmd --zone=internal --add-service=http --permanent

# firewall-cmd --zone=internal --add-service=https --permanent

# firewall-cmd --zone=internal --add-port=3126/tcp --permanent

# firewall-cmd --zone=internal --add-port=3127/tcp --permanent

# firewall-cmd --zone=internal --add-port=3128/tcp --permanent

# firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -i ens160 -p tcp --dport 80 -j REDIRECT --to-port 3126

# firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -i ens160 -p tcp --dport 443 -j REDIRECT --to-port 3127

# firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -o ens160 -j MASQUERADE

# firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -j ACCEPT

# firewall-cmd --complete-reload

# firewall-cmd --get-active-zones

# firewall-cmd --zone=internal --list-all

# firewall-cmd --direct --get-all-rules

# ---------------------------------------------- #

# INSTALAR CERTIFICADO NO NAVEGADOR DE INTERNET #

# ---------------------------------------------- #

# cd /etc/squid/ssl_cert

Copiar o certificado myca.der (somente a parte pública; o arquivo myca.pem contém também a chave privada da CA e deve permanecer apenas no servidor) para instalar no navegador de internet

[Firefox]

Abra o Firefox -> Opções -> Avançado -> Certificados -> Ver certificados -> Autoridades -> Selecione o certificado (myca.der) -> Marque todas as caixas -> OK -> OK

[Google Chrome]

Abra o Chrome -> Configurações -> Avançadas -> Gerenciar certificados -> Autoridade de certificação raiz confiáveis -> Importar -> Selecione o certificado (myca.der) -> OK -> Fechar