
Instalar/Configurar Squid 3 com HTTPs transparente no CentOS 7

Autor: Silvio Garbes

# ---------------- #
# INSTALAR O SQUID #
# ---------------- #

# vi /etc/selinux/config
  SELINUX=disabled

# setenforce 0
Obs.: desativar o SELinux remove uma camada de proteção do servidor; se possível use SELINUX=permissive apenas durante a configuração e volte para enforcing depois de ajustar as políticas para o Squid.
# rpm -Uvh http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# rpm -Uvh http://mirror.symnds.com/distributions/gf/el/7/gf/x86_64/gf-release-7-10.gf.el7.noarch.rpm

# vi /etc/yum.repos.d/gf.repo
  [gf-plus]
  name=Ghettoforge packages that will overwrite core distro packages.
  mirrorlist=http://mirrorlist.ghettoforge.org/el/7/plus/$basearch/mirrorlist
  # Please read http://ghettoforge.org/index.php/Usage *before* enabling this repository!
  enabled=1
  gpgcheck=1
  gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-gf.el7
  failovermethod=priority

# vi /etc/yum.repos.d/ngtech.repo
  [squid]
  name=Squid repo for CentOS Linux - $basearch
  #IL mirror
  baseurl=http://www1.ngtech.co.il/repo/centos/$releasever/$basearch/
  failovermethod=priority
  enabled=1
  # gpgcheck=0 desativa a verificação de assinatura dos pacotes deste repositório: o yum instalará o que o servidor remoto (via http) entregar, sem checar a origem. Prefira importar a chave GPG do repositório e usar gpgcheck=1.
  gpgcheck=0

# yum update
# yum install open-vm-tools libxml2 expat-devel openssl-devel libcap libecap ccache libtool-ltdl-devel cppunit cppunit-devel bzr autoconf automake libtool gcc-c++ perl-Pod-MinimumVersion bzip2 ed make openldap-devel  pam-devel db4-devel  libxml2-devel libcap-devel screen vim nettle-devel redhat-lsb-core autoconf-archive perl wget firewalld
# yum install squid squid-helpers
# squid -v
# systemctl enable squid.service
# systemctl enable firewalld.service

# ----------------- #
# CONFIGURAR SQUID #
# ----------------- #

# cd /etc/squid
# mkdir ssl_cert
# chmod 700 ssl_cert
# cd ssl_cert

# openssl req -new -newkey rsa:2048 -sha256 -days 36500 -nodes -x509 -keyout myca.pem -out myca.pem
  Country Name (2 letter code) [XX]:BR
  State or Province Name (full name) []:MEU ESTADO
  Locality Name (eg, city) [Default City]:MINHA CIDADE
  Organization Name (eg, company) [Default Company Ltd]:MINHA EMPRESA
  Organizational Unit Name (eg, section) []:MEU SETOR
  Common Name (eg, your name or your server's hostname) []:SQUID PROXY
  Email Address []:MEU EMAIL

# openssl x509 -in myca.pem -outform DER -out myca.der
# /usr/lib64/squid/ssl_crtd -c -s /var/spool/squid_ssldb
# chown squid:squid -R /var/spool/squid_ssldb
# chown squid:squid -R /etc/squid/ssl_cert
Obs.: myca.pem contém também a chave privada da CA (gerada com -keyout no mesmo arquivo); quem obtiver esse arquivo pode emitir certificados aceitos por todos os navegadores que importarem myca.der. Mantenha o diretório com permissão restrita (700) e não copie myca.pem para fora do servidor.
# squid -k parse

# vi /etc/squid/squid.conf
  acl ssl_exclude_domains dstdomain "/etc/squid/acl/ssl_exclude_domains.conf"
  acl ssl_exclude_ip dst "/etc/squid/acl/ssl_exclude_ip.conf"
  # Estes cabeçalhos são definidos pelo próprio cliente: em uma requisição CONNECT pela porta 3128 qualquer cliente pode enviar X-SSL-Bump: skip e não ter o tráfego inspecionado. Mantenha apenas se esse comportamento for intencional e documentado.
  acl ssl_skip_bump req_header X-SSL-Bump -i skip
  acl ssl_force_bump req_header X-SSL-Bump -i force
  http_port  3126 intercept
  https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem sslflags=DONT_VERIFY_DOMAIN
  http_port  3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myca.pem sslflags=DONT_VERIFY_DOMAIN
  sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/spool/squid_ssldb -M 4MB
  # ATENÇÃO: as duas linhas abaixo (junto com sslflags=DONT_VERIFY_DOMAIN nas portas acima) desativam a validação do certificado do servidor de destino. O proxy aceitará qualquer certificado (expirado, autoassinado ou de outro domínio) e o navegador não terá como perceber, pois só vê o certificado gerado pela CA local. Em produção, após testar, use "sslproxy_cert_error deny all" e remova DONT_VERIFY_PEER.
  sslproxy_cert_error allow all
  sslproxy_flags DONT_VERIFY_PEER

  sslproxy_cipher HIGH:MEDIUM:!AECDH:!ADH:!DES:!SSLv2:+SSLv3:+3DES:!RC4:!MD5:!SEED:!aNULL:!eNULL:!LOW:!EXP:!DSS:!PSK:!SRP:!SEED:!IDEA
  sslproxy_options NO_SSLv2 NO_SSLv3 TLSv1 TLSv1_1 TLSv1_2
  #sslproxy_cafile /etc/pki/tls/certs/ca-bundle.trust.crt
  sslproxy_capath /etc/ssl/certs

  ssl_bump none localhost
  ssl_bump none ssl_exclude_domains
  ssl_bump none ssl_exclude_ip
  ssl_bump none ssl_skip_bump
  ssl_bump server-first ssl_force_bump
  ssl_bump server-first all

  forwarded_for off
  request_header_access Allow allow all
  request_header_access Authorization allow all
  request_header_access WWW-Authenticate allow all
  request_header_access Proxy-Authorization allow all
  request_header_access Proxy-Authenticate allow all
  request_header_access Cache-Control allow all
  request_header_access Content-Encoding allow all
  request_header_access Content-Length allow all
  request_header_access Content-Type allow all
  request_header_access Date allow all
  request_header_access Expires allow all
  request_header_access Host allow all
  request_header_access If-Modified-Since allow all
  request_header_access Last-Modified allow all
  request_header_access Location allow all
  request_header_access Pragma allow all
  request_header_access Accept allow all
  request_header_access Accept-Charset allow all
  request_header_access Accept-Encoding allow all
  request_header_access Accept-Language allow all
  request_header_access Content-Language allow all
  request_header_access Mime-Version allow all
  request_header_access Retry-After allow all
  request_header_access Title allow all
  request_header_access Connection allow all
  request_header_access Proxy-Connection allow all
  request_header_access User-Agent allow all
  request_header_access Cookie allow all
  request_header_access All deny all

# mkdir /etc/squid/acl
# vi /etc/squid/acl/ssl_exclude_domains.conf
  .apple.com
  .itunes.com
  .icloud.com
  .dropbox.com
  .mzstatic.com

# vi /etc/squid/acl/ssl_exclude_ip.conf
  # Bitdefender
  54.174.127.4
  # Dropbox
  162.125.0.0/16
  # Cloudflare
  104.16.0.0/12

# chown squid:squid -R /etc/squid/acl
# squid -k parse
# systemctl restart squid.service
# vi /etc/sysctl.conf
  net.ipv4.ip_forward = 1
# sysctl -p

# systemctl start firewalld.service
# firewall-cmd --set-default-zone=internal
# firewall-cmd --zone=internal --add-interface=ens160
# firewall-cmd --zone=internal --add-service=ssh --permanent
# firewall-cmd --zone=internal --add-service=http --permanent
# firewall-cmd --zone=internal --add-service=https --permanent
# firewall-cmd --zone=internal --add-port=3126/tcp --permanent
# firewall-cmd --zone=internal --add-port=3127/tcp --permanent
# firewall-cmd --zone=internal --add-port=3128/tcp --permanent
# firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -i ens160 -p tcp --dport 80 -j REDIRECT --to-port 3126
# firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -i ens160 -p tcp --dport 443 -j REDIRECT --to-port 3127
# firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -o ens160 -j MASQUERADE
# firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -j ACCEPT
Obs.: a regra acima aceita todo o tráfego encaminhado (FORWARD) em qualquer interface e destino; restrinja-a à interface interna (-i ens160) ou às redes internas conforme o ambiente.
# firewall-cmd --complete-reload
# firewall-cmd --get-active-zones
# firewall-cmd --zone=internal --list-all
# firewall-cmd --direct --get-all-rules

# ---------------------------------------------- #
# INSTALAR CERTIFICADO NO NAVEGADOR DE INTERNET #
# ---------------------------------------------- #

# cd /etc/squid/ssl_cert
Copiar apenas o certificado myca.der (somente a parte pública) para instalar no navegador de internet; não distribua o arquivo myca.pem, que contém a chave privada da CA.
[Firefox]
Abra o Firefox -> Opções -> Avançado -> Certificados -> Ver certificados -> Autoridades -> Selecione o certificado (myca.der) -> Marque todas as caixas -> OK -> OK
[Google Chrome]
Abra o Chrome -> Configurações -> Avançadas -> Gerenciar certificados -> Autoridade de certificação raiz confiáveis -> Importar -> Selecione o certificado (myca.der) -> OK -> Fechar

