
I'd like to make an HTTPS squid proxy (this kind) that can be used by anyone to access any site. This is not a reverse proxy, it is for the whole internet. For security reasons, IPs on my subnet should not be allowed to be accessed. I got a LetsEncrypt certificate for proxy.mydomain.com and I am wondering how to configure squid correctly for this. Here is my current config file:

########### squid.conf ###########
#
## interface, port and proxy type
#http_port 0.0.0.0:80 transparent
https_port 0.0.0.0:443 intercept tls-cert="/etc/letsencrypt/live/proxy.mydomain.com/fullchain.pem"

## timeouts
forward_timeout 30 seconds
connect_timeout 30 seconds
read_timeout 30 seconds
request_timeout 30 seconds
persistent_request_timeout 1 minute
client_lifetime 20 hours

## host definitions
acl all src 0.0.0.0/0
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

http_access deny localnet

## proxy server client access
acl mynetworks src 127.0.0.0/8 10.10.10.0/28
#http_access deny !mynetworks

## max connections per ip
acl maxuserconn src 127.0.0.0/8 10.0.10.0/28
acl limitusercon maxconn 500
http_access deny maxuserconn limitusercon

## disable caching
cache deny all
cache_dir null /tmp

## disable multicast icp
icp_port 0
icp_access deny all

## disable ident lookups
ident_lookup_access deny all

## no-trust for on-the-fly Content-Encoding
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

## logs
logformat combined [%tl] %>A %{Host}>h "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
access_log /var/log/squid/access.log combined
cache_store_log /var/log/squid/store.log
cache_log  /var/log/squid/cache.log
logfile_rotate 8

## support files
coredump_dir /tmp
pid_filename /var/log/squid/squid.pid

## ports allowed
acl Safe_ports port 80 443
http_access deny !Safe_ports

## ssl ports/method allowed
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports

## protocols allowed
acl Safe_proto proto HTTP SSL
http_access deny !Safe_proto

## methods allowed
acl Safe_method method CONNECT GET HEAD POST OPTIONS PUT PATCH
http_access deny !Safe_method

## allow replies to client requests
http_reply_access allow all

##########  END  ###########

I edited /etc/init.d/squid to run squid with the flag --with-openssl.

Running sudo service squid status results in everything looking fine.

Yet when I try to connect to that proxy via curl -p https://localhost:443 api.ipify.org -v, I get curl: (7) Failed to connect to localhost port 443: Connection refused.

What am I doing wrong?

1 Answer


I don't believe you need to configure an SSL cert within squid in order to run an HTTPS proxy.

If you look at the Accepted Answer on the question you linked to, you should understand why.

For an HTTPS proxy, the connection from your browser to the proxy (proxy.mydomain.com) is not secure, but the first thing the browser does with your proxy is issue the CONNECT command to the proxy to initiate a connection to the HTTPS destination.

So it's HTTPS from your browser to superuser.com and proxy.mydomain.com is just shuffling data, unable to read any of it.

bobpaul
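As an added example (not part of the question or the answer), the following Python models the two checks the thread touches on: the proxy's view of the CONNECT request line the answer describes, and the question's requirement that connections to the proxy's own subnets be refused. The address ranges are copied from the question's squid.conf; note that the check here is applied to the destination of the CONNECT, which in squid is a dst ACL rather than the src ACLs the posted config uses. The hostnames and sample request lines are constructed.

```python
import ipaddress
import re

# Ranges copied from the question's "localnet" ACLs plus 127.0.0.0/8. The posted
# 0.0.0.1-0.255.255.255 range is written here as its equivalent CIDR block 0.0.0.0/8.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10", "127.0.0.0/8",
)]

# 'CONNECT host:port HTTP/1.x' as a browser sends it to a forward proxy.
CONNECT_RE = re.compile(r"^CONNECT\s+(\S+):(\d+)\s+HTTP/1\.[01]$")


def parse_connect(request_line):
    """Split a CONNECT request line into (host, port); IPv6 literals arrive bracketed."""
    m = CONNECT_RE.match(request_line.strip())
    if not m:
        raise ValueError("not a CONNECT request line")
    host, port = m.group(1), int(m.group(2))
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, port


def is_local_destination(host):
    """True when the CONNECT target is an IP literal inside one of the local ranges.
    Hostnames return False here: a real proxy resolves them first (squid's dst ACL does),
    otherwise a name pointing at an internal address would slip past this check."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_RANGES)


def decide(request_line, ssl_ports=(443,)):
    """Apply the posted config's intent in order: CONNECT only to SSL ports,
    and never to a destination on the proxy's own networks."""
    host, port = parse_connect(request_line)
    if port not in ssl_ports:
        return "deny: port"
    if is_local_destination(host):
        return "deny: local destination"
    return "allow"


if __name__ == "__main__":
    # Constructed sample request lines, as a client would send them to the proxy.
    for line in ("CONNECT api.ipify.org:443 HTTP/1.1",
                 "CONNECT 10.10.10.5:443 HTTP/1.1",
                 "CONNECT [fe80::1]:443 HTTP/1.1",
                 "CONNECT 93.184.216.34:8443 HTTP/1.1"):
        print(f"{line!r:45} -> {decide(line)}")
```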