How to enable HTTPS decryption (SslBump) in Squid 3.5 for Windows?

Note

We now have a new project - Web Filtering Proxy for Microsoft Windows. It combines the best features of Web Safety but runs natively on Windows. There is no need to use Hyper-V or dive into Linux specifics: you can enable proxy authentication, HTTPS decryption and filtering with a few mouse clicks from the Microsoft Management Console. See https://webproxy.diladele.com/.

If you are using our installer for Squid for Windows from http://squid.diladele.com, follow these steps to enable HTTPS decryption (SslBump). HTTPS decryption is disabled by default. Consult your lawyer before enabling this feature, because intercepting your users' TLS traffic might be considered illegal in some countries.

More information is available from the following Squid wiki pages:

From now on we assume that Squid is installed in the c:\squid folder. If it is not, adjust the paths in the instructions below accordingly.

Warning

Please go through the open issues of the current Squid for Windows build before using it in production, see https://github.com/diladele/squid-windows/issues. It is almost as easy to use the Hyper-V build of the latest Squid 4 together with Web Safety for your Windows deployments, without the limitations of the Windows-specific build.

Step 1. Generate Root CA certificate

To perform HTTPS decryption, Squid must be configured with a self-signed Root CA certificate, which it uses to sign the certificates it generates on the fly for every bumped site. See the article Manually Regenerate Trusted Root SSL Certificate for Squid for instructions on how to generate the required certificate manually from the command line on a Linux system (there are no Windows instructions yet).

Save the generated myca.pem and myca.der files as c:\squid\etc\squid\myca.pem and c:\squid\etc\squid\myca.der respectively. Note that myca.pem contains both the CA certificate and its unencrypted private key (Squid needs both to sign the generated host certificates), so restrict access to it to the account the Squid service runs under and never copy it to clients. myca.der contains only the public certificate and is the file you distribute to browsers.
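Because the page has no Windows instructions for this step, here is an added example (it is not from the Diladele page or from the Squid project) that produces the two files from the Cygwin Squid Terminal the MSI installer provides. It assumes an openssl binary is available in that shell; the subject names in the embedded config are placeholders and the output directory is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the Diladele page or the Squid project): generate the
# self-signed Root CA that Step 1 asks for, from the Cygwin "Squid Terminal".
# Assumes an openssl binary is on PATH; the subject names below are placeholders.
set -eu

# Write a minimal OpenSSL config so the result does not depend on the system
# openssl.cnf. The certificate must be marked as a CA (CA:TRUE) with the
# keyCertSign usage, otherwise browsers reject the per-host certificates
# that Squid generates from it.
write_ca_config() {   # $1 = path of the config file to create
  cat > "$1" <<'EOF'
[ req ]
prompt              = no
distinguished_name  = dn
x509_extensions     = ca_ext

[ dn ]
CN = Squid for Windows Root CA
O  = Example Organization

[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
EOF
}

# generate_squid_ca OUTDIR
# Creates OUTDIR/myca.pem (certificate + unencrypted private key, for Squid)
# and OUTDIR/myca.der (certificate only, for the clients).
generate_squid_ca() {
  dir=$1
  mkdir -p "$dir"
  cfg=$dir/myca.cnf
  write_ca_config "$cfg"

  # -nodes: no passphrase, because the Squid service must read the key unattended.
  # The umask keeps the key material readable by the current user only.
  (
    umask 077
    openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
      -config "$cfg" -keyout "$dir/myca.key" -out "$dir/myca.crt" 2>/dev/null
    # Squid's cert= option expects certificate and key in one PEM file.
    cat "$dir/myca.crt" "$dir/myca.key" > "$dir/myca.pem"
  )
  # DER copy of the public certificate: the only file that should leave the server.
  openssl x509 -in "$dir/myca.crt" -outform DER -out "$dir/myca.der"
  chmod 644 "$dir/myca.der"
  rm -f "$dir/myca.key" "$dir/myca.crt" "$cfg"

  # Sanity check: without CA:TRUE browsers will not accept the bumped sites.
  openssl x509 -in "$dir/myca.pem" -noout -text | grep -q 'CA:TRUE'
}

# Usage from the Squid Terminal:  sh make_ca.sh /cygdrive/c/squid/etc/squid
if [ "$#" -ge 1 ]; then
  generate_squid_ca "$1"
  echo "Wrote $1/myca.pem (keep private) and $1/myca.der (install on clients)"
fi
```

Run it once with the Squid configuration directory as argument; afterwards only myca.der should ever be copied off the machine, and myca.pem should be readable only by the account the Squid service runs under.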

Step 2. Configure HTTP listening port in Squid

To enable HTTPS decryption, adjust the http_port directive in c:\squid\etc\squid\squid.conf so that it looks like this. Note that squid.conf in the Windows build uses Cygwin-style /cygdrive/c/... paths rather than c:\... ones.

# Squid normally listens to port 3128
http_port 3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/cygdrive/c/squid/etc/squid/myca.pem

Step 3. Regenerate ssl_crtd folder

The default installation of Squid for Windows already has the ssl_crtd certificate database correctly initialized in c:\squid\var\cache\squid_ssldb, but if for some reason you need to regenerate it manually, do the following.

  1. Stop Squid for Windows service using Services management console.

  2. Remove existing c:\squid\var\cache\squid_ssldb folder using Windows Explorer.

  3. Double click the Squid Terminal shortcut that the MSI installer put on your desktop and run c:\squid\lib\squid\ssl_crtd.exe -c -s c:\squid\var\cache\squid_ssldb (the -c option creates and initializes the database in the directory given by -s). The output of this command should contain Initialization SSL db...Done lines.

Next add the following directive to c:\squid\etc\squid\squid.conf.

# certificate generation program
sslcrtd_program /cygdrive/c/squid/lib/squid/ssl_crtd -s /cygdrive/c/squid/var/cache/squid_ssldb -M 4MB

Step 4. Create SslBump bypass files

Sometimes you need to skip SslBump for some sites or destination IP addresses, for example your bank, a government institution, or an application that pins its server certificate and therefore rejects any certificate not issued by the CA it expects. We will create two files for that purpose. The first file, c:\squid\etc\squid\ssl_exclude_domains.conf, will contain the domain names to bypass decryption for (one domain name per line; the leading dot also matches all subdomains) as shown below.

.example.com
.example.org
.example.net

The second file, c:\squid\etc\squid\ssl_exclude_ips.conf, will contain the destination IP addresses to bypass decryption for (one address or CIDR network per line; the addresses below are placeholders from the RFC 5737 documentation ranges) as shown below.

192.0.2.10
198.51.100.0/24
203.0.113.30

Step 5. Enable SslBump in Squid for Windows

Finally, add the following entries to c:\squid\etc\squid\squid.conf. With these rules Squid peeks at the client's TLS hello in step 1 to learn the requested server name (SNI), splices connections to the excluded domains and addresses without decrypting them, stares at the server certificate in step 2 and bumps everything else.

acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3

acl ssl_exclude_domains ssl::server_name "/cygdrive/c/squid/etc/squid/ssl_exclude_domains.conf"
acl ssl_exclude_ips     dst              "/cygdrive/c/squid/etc/squid/ssl_exclude_ips.conf"

ssl_bump splice localhost
ssl_bump peek step1 all
ssl_bump splice ssl_exclude_domains
ssl_bump splice ssl_exclude_ips
ssl_bump stare step2 all
ssl_bump bump all

Do not forget to restart the Squid for Windows service using the Services management console. Before doing so you can validate the edited configuration from the Squid Terminal with squid -k parse, which reports syntax errors without affecting the running service.

Summary

Point your browser to the Squid proxy, navigate to an HTTPS address (for example https://www.diladele.com), click the lock icon in the browser address bar and make sure the site certificate was issued by your Root CA from Step 1 rather than by the site's real CA. Then open one of the domains listed in ssl_exclude_domains.conf and confirm that it still shows the real issuer, which means the connection was spliced.
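The same check can be scripted from the Squid Terminal. The following is an added example (not from the Diladele page or from Squid) that fetches the certificate a client sees for a host when connecting through the proxy and tells you whether it was issued by your Root CA (bumped) or by someone else (spliced). It assumes an openssl binary of version 1.1.0 or newer on PATH, since that is when the -proxy option of s_client appeared; the host names and the proxy address in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the Diladele page or the Squid project): check from the
# command line which CA issued the certificate a client sees through the proxy,
# so you can confirm that ordinary sites are bumped (issuer = your Root CA) and
# that domains from ssl_exclude_domains.conf are spliced (issuer = the real CA).
# Assumes openssl 1.1.0 or newer on PATH; host names and proxy are placeholders.
set -eu

# Print a certificate's subject or issuer in the fixed RFC 2253 form, so two
# names can be compared as plain strings regardless of the OpenSSL version.
subject_of_pem() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }
issuer_of_pem()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^[a-z]*= *//'; }

# leaf_cert_via_proxy HOST PROXY OUTFILE
# Fetches the leaf certificate for HOST through PROXY (host:port) with SNI set,
# exactly as a browser configured to use Squid would.
leaf_cert_via_proxy() {
  openssl s_client -proxy "$2" -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -out "$3"
}

# issued_by LEAF_PEM CA_PEM -> exit status 0 when LEAF's issuer equals CA's subject
# (myca.pem also holds the private key; openssl x509 simply reads its CERTIFICATE block)
issued_by() {
  [ "$(issuer_of_pem "$1")" = "$(subject_of_pem "$2")" ]
}

# check_bump HOST PROXY CA_PEM -> prints "bumped" or "spliced"
check_bump() {
  tmp=$(mktemp)
  leaf_cert_via_proxy "$1" "$2" "$tmp"
  if issued_by "$tmp" "$3"; then echo bumped; else echo spliced; fi
  rm -f "$tmp"
}

# Usage from the Squid Terminal:
#   sh check_bump.sh www.diladele.com 127.0.0.1:3128 /cygdrive/c/squid/etc/squid/myca.pem
#   sh check_bump.sh www.example.com 127.0.0.1:3128 /cygdrive/c/squid/etc/squid/myca.pem
# The first should print "bumped"; the second, being listed in
# ssl_exclude_domains.conf, should print "spliced".
if [ "$#" -eq 3 ]; then
  check_bump "$1" "$2" "$3"
fi
```

If an excluded domain reports "bumped", the client did not send an SNI that matches the list, or the entry lacks the leading dot needed to match subdomains; if a normal site reports "spliced", check that the ssl_bump rules were loaded by the restarted service.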

You also need to install the DER public certificate c:\squid\etc\squid\myca.der into the trusted root store of all your browsers (and of any other TLS client that goes through the proxy) as explained at Install Trusted Certificates; until then every bumped HTTPS site shows a certificate warning. Distribute only myca.der: myca.pem holds the CA private key and must stay on the proxy.