Squid SSL Decryption with FreeBSD

# pkg update
# pkg search squid
squid-4.9                      HTTP Caching Proxy
# pkg install squid-4.9
# sysrc squid_enable=YES
# squid -z

It should not be necessary to compile squid from ports as the required options ‘--with-openssl‘ and ‘--enable-ssl-crtd‘ are already present. This can be confirmed by checking the output of:

# squid -v

Next edit the openssl configuration, adding a single line under the [v3_ca] section. [v3_ca] is merely a section header for a X.509 version 3 Certificate Authority certificate where we will list particular extensions we want present. In our use case we need to add the keyUsage and specify two usage types which are typical for the CA public key.

# /etc/ssl/openssl.cnf

[v3_ca]
keyUsage = cRLSign, keyCertSign

Create the folder structure and assign the correct permissions for holding the Squid proxy self-signed root CA:

# mkdir /usr/local/etc/squid/ssl_cert -p
# chown squid:squid /usr/local/etc/squid/ssl_cert -R
# chmod 700 /usr/local/etc/squid/ssl_cert -R
# cd /usr/local/etc/squid/ssl_cert
# openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -extensions v3_ca -keyout cs7_squid_ca.pem -out cs7_squid_ca.pem
Generating a RSA private key
............................................+++++
................................................................................................................................+++++
writing new private key to 'cs7_squid_ca.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:Hampshire
Locality Name (eg, city) []:Southampton
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CS7 Networks Ltd
Organizational Unit Name (eg, section) []:Networks
Common Name (e.g. server FQDN or YOUR name) []:bsdsquid.cs7networks.co.uk
Email Address []:

Export the self-signed CA certificate ready to be installed on client machines.

# openssl x509 -in cs7_squid_ca.pem -outform DER -out cs7_squid_ca.der
Import the certificate into Firefox
Firefox Certificate Manager

As and when Squid requires the generation of new certificates this task is handled by security_file_certgen. Any certificate generated is signed by the Squid CA and then stored in the certificate cache. But first we need to create this certificate cache and set its permissions:

# /usr/local/libexec/squid/security_file_certgen -c -s /var/log/squid/ssl_db -M 8MB
# chown -R squid:squid /var/log/squid/ssl_db/
# /usr/local/etc/squid/squid.conf

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=8MB cert=/usr/local/etc/squid/ssl_cert/cs7_squid_ca.pem
# service squid start
Navigate to any HTTPS secured website and note that your self-signed CA has signed the squid generated certificate

Once it is up and running we can access the squid manager page at the following URL http://<squid_cache>/squid-internal-mgr/info

A full list of squid statistic pages can be found at ‘http://squid-internal-mgr/menu&#8217;

Now lets configured some monitoring to see what the cache is doing.

# pkg install monitorix

By default monitorix comes with a lightweight HTTP server, this mean all we need to is enable the graphs for squid:

# /usr/local/etc/monitorix.conf
squid        =y
# echo monitorix_enable=\"YES\" >> /etc/rc.conf
# /usr/local/etc/rc.d/monitorix start

Navigate to http://<squid_server_ip&gt;:8080/monitorix

Note: I also tried Munin and squidanalyzer but was unable to get any stats graphed. Certainly the log paths were incorrect with the Munin Perl files, but even correcting them didn’t yield any results. Monitorix was the only solution to work straight away albeit with graphs on the right not working!

Squid does offer a SNMP agent so in the next post I’ll look at leveraging those OIDs: https://wiki.squid-cache.org/Features/Snmp

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at WordPress.com.

Up ↑

%d bloggers like this: