squid nobump

The Squid package shipped by Debian is built without SSL-Bump support. It can only tunnel SSL/TLS traffic (via CONNECT), so the proxy can neither inspect nor cache the content of HTTPS connections.

build a docker container

make a dockerfile

FROM debian:buster-slim

# install the distribution squid package (built without SSL-Bump)
RUN apt-get update \
 && apt-get install -y squid \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*

VOLUME ["/var/spool/squid"]
EXPOSE 3128

WORKDIR /var/spool/squid
COPY squid.conf /etc/squid/squid.conf

# create the cache directory structure on first start, then run squid in the foreground
CMD if [ ! -f /var/spool/squid/swap.state ]; then squid -z ; sleep 2; fi \
 && squid -N

sample configuration file (squid.conf)

# the LAN that is allowed to use the proxy
acl localnet src 192.168.xxx.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl CONNECT method CONNECT
# only allow CONNECT tunnels to SSL ports, and only safe ports in general
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/conf.d/*
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
# aggressive caching: min 90 days, 33% of age, max 1 year (values in minutes)
refresh_pattern .               129600  33%     525600
dns_nameservers 192.168.xxx.xxx 192.168.xxx.xxx

build an image

$ docker build --build-arg http_proxy=http://192.168.xxx.xxx:3142/ -t squid:test .

run a container

first confirm that the binary has no SSL-related configure options:

$ docker run --rm squid:test squid --version | awk -F: '$1~/options/{print $2}' | sed -e 's/ /\n/g' | grep ssl
(prints nothing: no configure option containing "ssl" is present, so this build cannot do SSL-Bump)
$ docker run --rm -p 3128:3128 -v /mnt/squid:/var/spool/squid -d squid:test

check that the proxy answers on its address and port

$ curl -D - -s http://192.168.xxx.xxx:3128/ -o /dev/null

connecting to HTTP server

without proxy

$ curl -v -s http://ftp.yz.yamagata-u.ac.jp/pub/linux/centos/5.11/readme -o /dev/null
*   Trying 2001:df0:25e:e100::3...
* TCP_NODELAY set
* Connected to ftp.yz.yamagata-u.ac.jp (2001:df0:25e:e100::3) port 80 (#0)
> GET /pub/linux/centos/5.11/readme HTTP/1.1
> Host: ftp.yz.yamagata-u.ac.jp
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 07 Jun 2021 00:59:01 GMT
< Server: Apache/2.4.46 (Unix) OpenSSL/1.1.1k
< Upgrade: h2,h2c
< Connection: Upgrade
< Last-Modified: Mon, 03 Apr 2017 11:34:28 GMT
< ETag: "14b-54c418ac05900"
< Accept-Ranges: bytes
< Content-Length: 331
<
{ [331 bytes data]
* Connection #0 to host ftp.yz.yamagata-u.ac.jp left intact

with proxy

$ http_proxy=http://192.168.xxx.xxx:3128/ curl -v -s http://ftp.yz.yamagata-u.ac.jp/pub/linux/centos/5.11/readme -o /dev/null
* Uses proxy env variable http_proxy == 'http://192.168.xxx.xxx:3128/'
*   Trying 192.168.xxx.xxx...
* TCP_NODELAY set
* Connected to 192.168.xxx.xxx (192.168.xxx.xxx) port 3128 (#0)
> GET http://ftp.yz.yamagata-u.ac.jp/pub/linux/centos/5.11/readme HTTP/1.1
> Host: ftp.yz.yamagata-u.ac.jp
> User-Agent: curl/7.64.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 OK
< Date: Mon, 07 Jun 2021 00:58:26 GMT
< Server: Apache/2.4.46 (Unix) OpenSSL/1.1.1k
< Last-Modified: Mon, 03 Apr 2017 11:34:28 GMT
< ETag: "14b-54c418ac05900"
< Accept-Ranges: bytes
< Content-Length: 331
< X-Cache: MISS from e3b21f81fdd2
< X-Cache-Lookup: MISS from e3b21f81fdd2:3128
< Via: 1.1 e3b21f81fdd2 (squid/4.6)
< Connection: keep-alive
<
{ [331 bytes data]
* Connection #0 to host 192.168.xxx.xxx left intact

on a cache hit the response carries these headers instead

< Age: 358
< X-Cache: HIT from e3b21f81fdd2
< X-Cache-Lookup: HIT from e3b21f81fdd2:3128

squid log

$ docker exec xxxxxxxxxxxx tail /var/log/squid/access.log
:
1623026732.001    265 192.168.xxx.xxx TCP_MISS/200 685 GET http://ftp.yz.yamagata-u.ac.jp/pub/linux/centos/5.11/readme - HIER_DIRECT/133.24.248.17 -
1623027089.025      0 192.168.xxx.xxx TCP_MEM_HIT/200 693 GET http://ftp.yz.yamagata-u.ac.jp/pub/linux/centos/5.11/readme - HIER_NONE/- -

connecting to HTTPS server

without proxy

$ curl -v -k -s https://www.google.com/ -o /dev/null 
*   Trying 142.250.196.132...
* TCP_NODELAY set
* Connected to www.google.com (142.250.196.132) port 443 (#0)
:

with proxy

$ https_proxy=http://192.168.xxx.xxx:3128/ curl -v -k -s https://www.google.com/ -o /dev/null 
* Uses proxy env variable https_proxy == 'http://192.168.xxx.xxx:3128/'
*   Trying 192.168.xxx.xxx...
* TCP_NODELAY set
* Connected to 192.168.xxx.xxx (192.168.xxx.xxx) port xxxxx (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.google.com:443
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/7.61.1
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection established
< 
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
:

squid log. The TLS connection is only tunneled (TCP_TUNNEL on a CONNECT request): squid records just the host and port, sees none of the encrypted content, and caches nothing.

$ sudo docker exec xxxxxxxxxxxx tail /var/log/squid/access.log
:
1622950724.481    170 192.168.xxx.xxx TCP_TUNNEL/200 18439 CONNECT www.google.com:443 - HIER_DIRECT/172.217.175.4 -
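To see how much of a proxy's traffic is opaque CONNECT tunnels (neither cacheable nor inspectable) versus cached or missed HTTP requests, here is an added Python example, not part of the original note, that parses Squid's native access.log format. The sample lines are constructed from the excerpts above with a made-up client address.

```python
"""Parse Squid native access.log lines and classify them by proxy visibility."""
from dataclasses import dataclass

# Constructed sample in Squid's native log layout (client address is made up):
# time elapsed client result/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1623026732.001    265 192.168.1.10 TCP_MISS/200 685 GET http://ftp.yz.yamagata-u.ac.jp/pub/linux/centos/5.11/readme - HIER_DIRECT/133.24.248.17 -
1623027089.025      0 192.168.1.10 TCP_MEM_HIT/200 693 GET http://ftp.yz.yamagata-u.ac.jp/pub/linux/centos/5.11/readme - HIER_NONE/- -
1622950724.481    170 192.168.1.10 TCP_TUNNEL/200 18439 CONNECT www.google.com:443 - HIER_DIRECT/172.217.175.4 -
"""


@dataclass
class Entry:
    ts: float
    elapsed_ms: int
    client: str
    result: str      # e.g. TCP_MISS, TCP_MEM_HIT, TCP_TUNNEL
    status: int      # HTTP status code
    bytes: int       # bytes sent to the client
    method: str
    url: str         # for CONNECT this is only host:port, nothing more is visible
    peer: str        # hierarchy/peer, e.g. HIER_DIRECT/133.24.248.17


def parse_line(line: str) -> Entry:
    """Split one native-format line into its ten whitespace-separated fields."""
    f = line.split()
    if len(f) != 10:
        raise ValueError(f"unexpected field count {len(f)}: {line!r}")
    result, status = f[3].split("/", 1)
    return Entry(float(f[0]), int(f[1]), f[2], result, int(status),
                 int(f[4]), f[5], f[6], f[8])


def summarize(log: str) -> dict:
    """Count tunneled (opaque) requests against cache hits and misses."""
    stats = {"total": 0, "tunneled": 0, "tunneled_bytes": 0,
             "cache_hit": 0, "cache_miss": 0}
    for line in log.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        stats["total"] += 1
        if e.method == "CONNECT" or e.result == "TCP_TUNNEL":
            # encrypted end-to-end: the proxy cannot inspect or cache it
            stats["tunneled"] += 1
            stats["tunneled_bytes"] += e.bytes
        elif "HIT" in e.result:
            stats["cache_hit"] += 1
        else:
            stats["cache_miss"] += 1
    return stats
```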