created: 20151016154223821
creator: user
modified: 20151026164234090
modifier: user
tags: 
title: Squid sslbump
type: text/vnd.tiddlywiki

; Setting up Explicit Squid Proxy
: http://wiki.alpinelinux.org/wiki/Setting_up_Explicit_Squid_Proxy#Behaviour_with_SSL_interception
; Regenerate SSL Certificates for Squid
: http://docs.diladele.com/administrator_guide_4_0/system_configuration/https_filtering/generate_certificates.html

/usr/local/var/etc/squid/squid.conf

```conf
# Squid listening port (plain proxy, no interception)
# http_port 3128

## Same port with SSL-Bump. squid.pem holds the bump CA certificate and its private key;
## generate-host-certificates=on makes squid mint a leaf certificate for every bumped site,
## signed by that CA, so every client must trust the CA certificate.
## SSLv2 and SSLv3 are both broken (SSLv3: POODLE); disable both, options are ':'-separated.
http_port 3128 ssl-bump cert=/usr/local/var/etc/squid/squid.pem key=/usr/local/var/etc/squid/squid.pem generate-host-certificates=on options=NO_SSLv2:NO_SSLv3 dynamic_cert_mem_cache_size=10MB

## Always complete the server-side handshake before the client-side one (recommended),
## so the mimicked certificate can copy the real server certificate's details.
## (Squid 3.3/3.4 syntax; Squid 3.5 keeps it as a deprecated alias of the peek/bump steps.)
ssl_bump server-first all

## Allow server-side certificate errors (untrusted CA, expired, hostname mismatch).
## Squid then re-signs the bad certificate with the trusted bump CA, the client sees a
## valid certificate and can no longer detect the upstream problem. Lab use only;
## the default (deny) closes the connection on any such error.
sslproxy_cert_error allow all
## Production: deny all server-side certificate errors, according to your company policy
#sslproxy_cert_error deny all

## Skip upstream certificate verification altogether (only needed together with
## 'sslproxy_cert_error allow all'; same caveat: a man-in-the-middle upstream of the
## proxy is bumped without anyone noticing)
sslproxy_flags DONT_VERIFY_PEER
```

```bash
# Self-signed bump CA: private key and certificate in one PEM file. openssl appends the
# certificate to the key file when -keyout and -out name the same file.
# -nodes leaves the key unencrypted so squid can load it without a passphrase; keep the file
# root-owned and mode 600 (squid loads it before dropping privileges). Only the certificate
# part, never the key, is distributed to the clients as a trusted root CA.
$ openssl req -newkey rsa:4096 -x509 -keyout /usr/local/var/etc/squid/squid.pem -out /usr/local/var/etc/squid/squid.pem -days 365 -nodes
# Initialise the dynamic certificate cache used by generate-host-certificates=on. The path
# must match the -s argument of sslcrtd_program; /usr/local/var/lib/ssl_db is the default of
# this Homebrew build, otherwise set sslcrtd_program explicitly in squid.conf.
$ sudo mkdir /usr/local/var/lib
$ sudo /usr/local/opt/squid/libexec/ssl_crtd -c -s /usr/local/var/lib/ssl_db
# The helper runs as the unprivileged cache user (nobody here) and must own the database
$ sudo chown -R nobody /usr/local/var/lib/ssl_db
```
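The same setup as a script, as an added example that is not part of the original tiddler: it generates the bump CA exactly as above, exports the certificate-only file that clients must trust, checks that the certificate really is a CA (squid cannot sign per-site certificates otherwise), initialises the ssl_crtd database when the helper is present, and lints a squid.conf for the lab-only settings (`sslproxy_cert_error allow`, `DONT_VERIFY_PEER`, a bump port without `NO_SSLv3`). The paths, the `SQUID_ETC`/`SSL_CRTD`/`SSL_DB` variables and the certificate subject are assumptions matching the Homebrew layout used above; the `squid-ca.crt` file name is my own.

```shell
#!/bin/sh
# Added example (not from the tiddler or the Squid project). Assumed paths: the
# Homebrew layout above; override with SQUID_ETC, SSL_CRTD and SSL_DB.
set -eu

SQUID_ETC="${SQUID_ETC:-/usr/local/var/etc/squid}"
CA_PEM="$SQUID_ETC/squid.pem"        # key + certificate, as in the tiddler
CA_CRT="$SQUID_ETC/squid-ca.crt"     # certificate only, for the clients (assumed name)

# Self-signed CA, key and certificate in one PEM file (openssl appends the
# certificate when -keyout and -out are the same file). -subj skips the
# interactive prompts; the CN is a constructed example value.
make_bump_ca() {
    pem="$1"
    openssl req -newkey rsa:4096 -x509 -days 365 -nodes \
        -subj "/CN=Squid SSL-Bump CA (example)" \
        -keyout "$pem" -out "$pem" 2>/dev/null
    chmod 600 "$pem"    # unencrypted private key: owner-readable only
}

# Clients get the certificate and nothing else: openssl x509 skips the key block.
export_ca_cert() {
    openssl x509 -in "$1" -out "$2"
}

# 0 if the certificate carries basicConstraints CA:TRUE (default for req -x509
# with the stock openssl.cnf); squid needs a CA to sign the mimicked certificates.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Number of private key blocks in a PEM file: 1 in squid.pem, must be 0 in the export.
count_private_keys() {
    grep -c 'BEGIN.*PRIVATE KEY' "$1" || true
}

# Create the dynamic certificate cache; the -s path has to match the -s argument
# of sslcrtd_program in squid.conf. Squid 4+ renamed the helper security_file_certgen.
init_cert_db() {
    helper="$1"; db="$2"
    if [ ! -x "$helper" ]; then
        echo "ssl_crtd helper not found at $helper" >&2
        return 1
    fi
    "$helper" -c -s "$db"
}

# Print one line per setting that hides upstream TLS problems from the clients.
lab_only_directives() {
    conf="$1"
    if grep -Eq '^[[:space:]]*sslproxy_cert_error[[:space:]]+allow' "$conf"; then
        echo "sslproxy_cert_error allow: upstream certificate errors are re-signed and hidden from clients"
    fi
    if grep -Eq '^[[:space:]]*sslproxy_flags.*DONT_VERIFY_PEER' "$conf"; then
        echo "sslproxy_flags DONT_VERIFY_PEER: upstream certificates are not verified at all"
    fi
    if grep -Eq '^[[:space:]]*http_port.*ssl-bump' "$conf" && \
       ! grep -Eq '^[[:space:]]*http_port.*NO_SSLv3' "$conf"; then
        echo "http_port ssl-bump without NO_SSLv3: SSLv3 is still offered to clients"
    fi
}

# Same, as a count (0 means the config is fit for production on these three points).
count_lab_only_directives() {
    lab_only_directives "$1" | grep -c . || true
}

# Run the whole procedure against the real paths: sh thisscript.sh run
if [ "${1:-}" = "run" ]; then
    make_bump_ca "$CA_PEM"
    export_ca_cert "$CA_PEM" "$CA_CRT"
    cert_is_ca "$CA_CRT" && echo "CA certificate to install on clients: $CA_CRT"
    init_cert_db "${SSL_CRTD:-/usr/local/opt/squid/libexec/ssl_crtd}" \
                 "${SSL_DB:-/usr/local/var/lib/ssl_db}" || true
    lab_only_directives "$SQUID_ETC/squid.conf"
fi
```

Run it with `run` as the only argument, as root (the ssl_crtd database and the chown to the cache user are as in the commands above). The lint is deliberately line-based and only knows the three directives on this page; a config that has been made stricter with `peek`/`splice` rules in Squid 3.5 syntax still passes or fails on those three points alone.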