HTTPS traffic is encrypted using the SSL (Secure Sockets Layer) protocol. SSL is designed to protect transmitted information against eavesdropping. However, HTTPS traffic can also present security threats: it may carry malicious traffic or be used as cover for illicit employee activities. In addition, Squid HTTPS traffic may not be completely reported by ProxyInspector. With the help of SSL Bump, a Squid HTTPS proxy can decrypt requests transmitted over the HTTPS protocol and log them to access.log. This in turn enables logging of all user requests.
In order for HTTPS Inspection to work, you will need to create a new root certificate:
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout proxyCA.pem -out proxyCA.pem
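The certificate is typically created in /etc/squid/ssl_cert/. Because the command above writes both the unencrypted private key and the certificate into proxyCA.pem, keep that file readable only by the account Squid runs as and never hand it out to clients. You will have to ensure that this certificate is installed as a root certificate in all Internet browsers allowed in your organization. To make a browser-installable version that contains the certificate only, convert it into the .der format: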
openssl x509 -in proxyCA.pem -outform DER -out proxyCA.der
Installing the certificate into Chrome takes just a few clicks. Use Settings | Show advanced settings… | HTTPS/SSL | Manage certificates, then import your newly created certificate into Trusted root certification authorities.
Many Linux distributions come with a version of Squid built without SSL (and therefore without SSL Bump) support. You will need to build the latest version with the following command line parameters:
./configure \
  --with-openssl \
  --enable-ssl-crtd
If you need instructions on building Squid 3.5 from source code, they are available at the following links:
If you are using Windows, most likely your version of Squid HTTPS proxy is already built with SSL support:
Download Squid for Windows.
Edit squid.conf and add the following lines (where /etc/squid/ssl_cert/proxyCA.pem refers to the root certificate you created earlier):
http_port 3128 ssl-bump \
  cert=/etc/squid/ssl_cert/proxyCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslproxy_cafile /usr/local/openssl/cabundle.file
Some Web sites may throw the “Cannot check root certificate” error or show a similar error message. If this happens, add your root certificate into cabundle.file or disable certificate check via squid.conf (UNSAFE AND NOT RECOMMENDED):
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
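With SSL Bump the browser only ever sees the certificate Squid generates, so Squid's own check of the origin certificate is the only validation left, and the two lines above remove it. The following audit script is an added example, not part of the original article or of Squid; the function names and the sample configuration are constructed for illustration, and it flags those two settings in a squid.conf.

```python
import re

# Constructed sample: the squid.conf lines from this page plus the unsafe workaround.
SAMPLE_CONF = r"""
http_port 3128 ssl-bump \
  cert=/etc/squid/ssl_cert/proxyCA.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslproxy_cafile /usr/local/openssl/cabundle.file
# workaround for a site with a broken chain
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
"""

def logical_lines(text):
    """Yield (first_line_no, tokens) per directive; skips comments, joins '\\' continuations."""
    buf, start = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not buf:
            start = no
        more = line.endswith("\\")
        buf.extend(line.rstrip("\\").split())
        if not more:
            yield start, buf
            buf = []
    if buf:
        yield start, buf

def audit(text):
    """Return [(line_no, message)] for settings that turn off upstream certificate checks."""
    directives = list(logical_lines(text))
    bumping = any(t[0] == "http_port" and "ssl-bump" in t for _, t in directives)
    findings = []
    for no, t in directives:
        if t[0] == "sslproxy_flags" and "DONT_VERIFY_PEER" in re.split(r"[,:\s]+", " ".join(t[1:])):
            findings.append((no, "sslproxy_flags DONT_VERIFY_PEER: origin certificates are not verified"))
        if t[0] == "sslproxy_cert_error" and t[1:] == ["allow", "all"]:
            findings.append((no, "sslproxy_cert_error allow all: every certificate error is accepted"))
    if bumping and findings:  # line 0 marks a file-level note
        findings.append((0, "ssl-bump is on: browsers see only Squid's certificate, so users get no warning"))
    return findings

if __name__ == "__main__":
    for no, msg in audit(SAMPLE_CONF):
        print(f"line {no}: {msg}")
```
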
This article describes Squid HTTPS proxy logging setup.