squid bump
On debian if you want to analyze or cache the content of the ssl traffic with squid, you have to buid your own squid. This is a sample to build squid using apt source package.
build a docker container
make a dockerfile
FROM debian:buster-slim
WORKDIR /tmp/buildwork
RUN echo 'deb-src http://deb.debian.org/debian buster main' >> /etc/apt/sources.list \
&& apt-get update \
&& apt install --no-install-recommends -y dpkg-dev devscripts build-essential fakeroot libssl-dev libldap2-dev libpam0g-dev libdb-dev cdbs libsasl2-dev debhelper libcppunit-dev libkrb5-dev comerr-dev libcap2-dev libecap3-dev libexpat1-dev libxml2-dev pkg-config libnetfilter-conntrack-dev nettle-dev libgnutls28-dev dh-apparmor ed libdbi-perl libltdl-dev lsb-release libpopt0 logrotate squid-langpack \
&& apt source squid \
&& apt clean \
&& rm -rf /var/lib/apt/lists/*
RUN sed -i.bak -e '/--with-gnutls$/ s/$/ --with-openssl --enable-ssl --enable-ssl-crtd/' squid-4.6/debian/rules \
&& squid-4.6/configure \
&& cd squid-4.6 \
&& debuild -us -uc -b \
&& dpkg -i ../squid_*.deb ../squid-common_*.deb \
&& mkdir -p /var/spool/squid /etc/squid/ssl_cert && chown proxy:proxy /var/spool/squid \
&& cd /tmp && rm -rf /tmp/buildwork
VOLUME ["/var/spool/squid"]
EXPOSE 3128
WORKDIR /var/spool/squid
COPY squid.conf /etc/squid/squid.conf
COPY server.crt /etc/squid/ssl_cert/server.crt
COPY server.key /etc/squid/ssl_cert/server.key
CMD chmod 600 /etc/squid/ssl_cert/server.key \
&& if [ ! -f /var/spool/squid/swap.state ]; then squid -z ; fi \
&& if [ ! -d /var/spool/squid/ssl_db ]; then /usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 20MB ; chown -R proxy. /var/spool/squid/ssl_db ; fi \
&& squid -N
sample configure file
acl localnet src 192.168.xxx.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl CONNECT method CONNECT
acl intermediate_fetching transaction_initiator certificate-fetching
http_access allow intermediate_fetching
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
include /etc/squid/conf.d/*
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/server.crt key=/etc/squid/ssl_cert/server.key
ssl_bump stare all
sslproxy_cert_error allow all
sslcrtd_children 3 startup=1 idle=1
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
refresh_pattern . 129600 33% 525600
dns_nameservers 192.168.xxx.xxx 192.168.xxx.xxx
If you don't have a CA file and private key for it, you need create them. When you already have them, I think you can use intermediate CA signed by your own CA.
$ openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout server.key -out server.crt -subj "/CN=192.168.xxx.xxx" -days 3650
build an image
$ docker build --build-arg http_proxy=http://192.168.xxx.xxx:3142/ -t squid:test .
run a container
$ sudo docker run --rm squid:test squid --version | awk -F: '$1~/options/{print $2}' | sed -e 's/ /\n/g' | grep ssl
'--with-openssl'
'--enable-ssl'
'--enable-ssl-crtd'
$ docker run --rm -p 3128:3128 -v /mnt/squid:/var/spool/squid -d squid:test
test the address and port
$ curl -D - -s http://192.168.xxx.xxx:3128/ -o /dev/null
connecting to HTTPS server
$ https_proxy=http://192.168.xxx.xxx:3128/ curl -v -k -s https://www.google.com/ -o /dev/null
* Uses proxy env variable https_proxy == 'http://192.168.xxx.xxx:3128/'
* Trying 192.168.xxx.xxx...
* TCP_NODELAY set
* Connected to 192.168.xxx.xxx (192.168.xxx.xxx) port 3128 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.google.com:443
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/7.61.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
:
:
:
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google LLC; CN=www.google.com
* start date: May 10 04:04:06 2021 GMT
* expire date: Aug 2 04:04:05 2021 GMT
* issuer: CN=192.168.xxx.xxx
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
} [5 bytes data]
> GET / HTTP/1.1
> Host: www.google.com
> User-Agent: curl/7.61.1
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 200 OK
< Date: Wed, 09 Jun 2021 00:22:42 GMT
< Expires: -1
< Cache-Control: private, max-age=0
< Content-Type: text/html; charset=ISO-8859-1
< P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
< Server: gws
< X-XSS-Protection: 0
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: 1P_JAR=2021-06-09-00; expires=Fri, 09-Jul-2021 00:22:42 GMT; path=/; domain=.google.com; Secure
< Set-Cookie: NID=216=ptf-d_HIPGOAjnEf-gbmRDmIg3JnEfjqRRnQghOkyFHrdLy5fXGOhydj5jBHonqOlP5WCzPIKX3kIkdizOXCQ13t4moqXwr-UoOWiRXgYaAkx6gyqe03hjM_hwfin5plUuG3NClONGvvFJo5Mqvar7GFYrSFYOMVCXMXvTJ0d4M; expires=Thu, 09-Dec-2021 00:22:42 GMT; path=/; domain=.google.com; HttpOnly
< Alt-Svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
< Accept-Ranges: none
< Vary: Accept-Encoding
< X-Cache: MISS from bd2e0fa8b95e
< X-Cache-Lookup: MISS from bd2e0fa8b95e:3128
< Transfer-Encoding: chunked
< Via: 1.1 bd2e0fa8b95e (squid/4.6)
< Connection: keep-alive
<
{ [5 bytes data]
* Connection #0 to host 192.168.xxx.xxx left intact
sample log of other connections
1622798061.167 833 192.168.xxx.xxx NONE/200 0 CONNECT dl.fedoraproject.org:443 - HIER_DIRECT/38.145.60.22 -
1622798061.539 260 192.168.xxx.xxx TCP_MISS/200 16108 GET https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm - HIER_DIRECT/38.145.60.22 application/x-rpm
1622798109.029 496 192.168.xxx.xxx NONE/200 0 CONNECT dl.fedoraproject.org:443 - HIER_DIRECT/38.145.60.22 -
1622798109.130 1 192.168.xxx.xxx TCP_MEM_HIT/200 16115 GET https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm - HIER_NONE/- application/x-rpm