Setting up Squid HTTPS Inspection (SSL Bump)


HTTPS traffic is encrypted with TLS, the successor of SSL (Secure Sockets Layer), whose name Squid's directives still use. TLS is designed to protect data in transit against eavesdropping, but that same protection hides malicious downloads, command-and-control traffic or illicit employee activity from the proxy. Without inspection Squid only sees and logs the CONNECT request that opens the tunnel, not the URLs requested inside it, so Squid HTTPS traffic cannot be completely reported by ProxyInspector. With SSL Bump, Squid terminates the client's TLS session with a certificate it generates on the fly, opens its own TLS session to the real server, and can therefore decrypt and log into access.log every request transmitted over HTTPS. This in turn enables logging all user requests.

Squid HTTPS proxy: Pre-Requisites

In order for HTTPS Inspection to work, you will need to create a new root certificate, i.e. your own CA, with which Squid will sign the per-site certificates it generates:

openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout proxyCA.pem  -out proxyCA.pem

The certificate is typically created in /etc/squid/ssl_cert/. Because -keyout and -out name the same file, proxyCA.pem contains both the CA certificate and its private key, stored unencrypted (-nodes) because Squid needs it that way. Whoever holds that key can impersonate any HTTPS site to every client that trusts the CA, so make the file readable only by the account Squid runs as and never copy it to clients. Note also that -days 365 gives the CA a one-year lifetime, after which every client has to be updated; choose the validity period deliberately. You will have to ensure that the certificate is installed as a root certificate in all Internet browsers allowed in your organization. In order to make a browser-installable version, convert it into the .der format; this export contains only the certificate, not the private key:

openssl x509 -in proxyCA.pem -outform DER -out proxyCA.der

Installing the certificate into Chrome takes just a few clicks: use Settings | Show advanced settings… | HTTPS/SSL | Manage certificates (the exact path varies between Chrome versions), then import your newly created certificate into Trusted Root Certification Authorities. On Windows this is the operating system's certificate store, so the import also covers other browsers that use it; Firefox keeps its own certificate store and needs a separate import.

Compiling and configuring Squid HTTPS proxy

Many Linux distributions ship a Squid package built without OpenSSL support (and therefore without SSL Bump); the configure options printed by squid -v show whether --with-openssl is present. If it is not, build the latest version with the following command line parameters:

./configure \
--with-openssl \
--enable-ssl-crtd

If you need instructions on building Squid 3.5 from source, they are available at the following links:

If you are using Windows, your build of Squid HTTPS proxy is most likely already compiled with SSL support:
Download Squid for Windows.

Edit squid.conf and add the following lines (where /etc/squid/ssl_cert/proxyCA.pem is the file holding the root certificate and key you created earlier). The directive names are those of Squid 3.5; Squid 4 renamed several of them (for example sslproxy_cafile became the cafile= option of tls_outgoing_options, and the ssl_crtd helper became security_file_certgen):

# Listen on 3128 and terminate TLS with certificates generated on the fly
# and signed by proxyCA.pem; the 4MB in-memory cache holds recently
# generated certificates.
http_port 3128 ssl-bump \
  cert=/etc/squid/ssl_cert/proxyCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Matches the first bumping step, when only the client's TLS hello is known.
acl step1 at_step SslBump1

# Peek at the client hello (to learn the requested server name), then bump
# every connection.
ssl_bump peek step1
ssl_bump bump all

# CA bundle Squid uses to verify the real servers' certificates.
sslproxy_cafile /usr/local/openssl/cabundle.file

generate-host-certificates=on relies on the ssl_crtd helper, whose on-disk certificate database must be initialised (ssl_crtd -c -s <database directory>) and be writable by the Squid user before the first start; otherwise the helper crashes and Squid exits. Note also that bump all decrypts every HTTPS connection: clients that pin their server certificates (many mobile apps and some update agents) will refuse the generated certificate, so such hosts need a splice rule that excludes them from bumping.

Troubleshooting

Some Web sites may throw the “Cannot check root certificate” error or show a similar error message. This means Squid could not verify the real server's certificate against the bundle named in sslproxy_cafile, typically because the bundle lacks the root that issued that certificate (for an internal site, that site's own CA). The correct fix is to add the missing root certificate to cabundle.file. Alternatively, certificate checking can be disabled in squid.conf, but this makes Squid accept any certificate from any server, including a forged one presented by whoever can intercept the proxy's outbound connections, and re-sign it with your trusted root for every client (UNSAFE AND NOT RECOMMENDED):

sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER

If an exemption for one internal host is unavoidable, restrict sslproxy_cert_error to an ACL matching that host and that specific error instead of all.
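As an added example (not from the original article and not from the Squid project), here is a fuller Squid 3.5 squid.conf fragment that combines the ssl-bump directives from the configuration section above with the pieces a working deployment also needs: the ssl_crtd certificate cache, a splice rule for hosts that must not be bumped, and, in place of the blanket allow all from this troubleshooting section, a certificate-error exemption scoped to one host and one error. The install prefix /usr/local/squid, the cache directory /var/lib/ssl_db and the host names in the ACLs are assumptions; replace them with your own.

```squid
# Added example squid.conf fragment for Squid 3.5 (not from the original
# article). Assumed: Squid built from source into /usr/local/squid, the CA in
# /etc/squid/ssl_cert/proxyCA.pem, the certificate cache in /var/lib/ssl_db.

# Listening port. proxyCA.pem holds both the CA certificate and its key.
http_port 3128 ssl-bump \
  cert=/etc/squid/ssl_cert/proxyCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# On-disk cache of generated server certificates. Initialise it once, as the
# user Squid runs as, before the first start:
#   /usr/local/squid/libexec/ssl_crtd -c -s /var/lib/ssl_db
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 5

# Step 1: only the client's TLS hello is known; peek to learn the SNI.
acl step1 at_step SslBump1

# Hosts that must pass through untouched (assumed names): clients that pin
# their certificates refuse a bumped connection, so splice them instead.
acl nobump ssl::server_name .pinned-app.example
acl nobump ssl::server_name .update-service.example

ssl_bump peek step1
ssl_bump splice nobump
ssl_bump bump all

# CA bundle used to verify the real servers' certificates.
sslproxy_cafile /usr/local/openssl/cabundle.file

# Do NOT do this: it disables upstream certificate verification for every
# site, so a forged certificate fed to the proxy is re-signed for all clients.
#   sslproxy_cert_error allow all
#   sslproxy_flags DONT_VERIFY_PEER

# If one internal host with a self-signed certificate really needs an
# exemption, scope it to that host (assumed name) and to that one error.
acl legacy_intranet ssl::server_name intranet.example
acl selfsigned ssl_error X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
sslproxy_cert_error allow legacy_intranet selfsigned
sslproxy_cert_error deny all
```

Run squid -k parse after editing to catch syntax errors, and initialise the certificate database before the first start: if ssl_crtd cannot open it, Squid exits reporting that the helpers are crashing too rapidly.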

Logging into access.log

This article describes Squid HTTPS proxy logging setup. Once bumping is active, access.log records the individual requests made inside each HTTPS connection (for example GET https://host/path) instead of a single CONNECT host:443 entry for the tunnel, which is what allows ProxyInspector to report them.

Tags: squid, ssl, ssl bump, https, proxyinspector