I am using Squid as a transparent proxy on Debian 10. Now I want to add SSL.
# apt-get install openssl
# mkdir -p /etc/squid/cert
# cd /etc/squid/cert
# openssl req -new -newkey rsa:4096 -sha256 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem
# openssl x509 -in myCA.pem -outform DER -out myCA.der
#
# iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j DNAT --to 192.168.1.51:3129
# iptables -t nat -A PREROUTING -i br0 -p tcp --dport 443 -j REDIRECT --to-port 3129
# iptables-save > /etc/iptables/rules.v4
Question 1: From what I have read, the next thing I need is
/usr/lib/squid/security_file_certgen -c -s /var/cache/squid/ssl_db -M 4MB
However, I cannot find security_file_certgen on my system.
Question 2: If I now go ahead and add this to squid.conf:
https_port 3129 intercept ssl-bump cert=/etc/squid/cert/myCA.pem generate-host-certificates=on
then Squid fails to start:
2020/10/07 14:09:27| FATAL: Unknown https_port option 'ssl-bump'.
2020/10/07 14:09:27| FATAL: Bungled /etc/squid/squid.conf line 5: https_port 3129 int
2020/10/07 14:09:27| Squid Cache (Version 4.6): Terminated abnormally.
CPU Usage: 0.017 seconds = 0.017 user + 0.000 sys
Maximum Resident Size: 57792 KB
Page faults with physical i/o: 0
FATAL: Bungled /etc/squid/squid.conf line 5: https_port 3129 intercept ssl-bump cert=
squid.service: Control process exited, code=exited, status=1/FAILURE
squid.service: Failed with result 'exit-code'.
Failed to start Squid Web Proxy Server.
I noticed that squid -v contains neither --enable-ssl-crtd nor --with-openssl, but I do not know what to do about it.
At the time of writing, all the guides on the internet are outdated, because ssl-bump (https://wiki.squid-cache.org/Features/SslBump)
has been replaced by server-first (https://wiki.squid-cache.org/Features/BumpSslServerFirst), and server-first has been replaced by peek-n-splice (https://wiki.squid-cache.org/Features/SslPeekAndSplice).
I hoped that this, taken from https://serverfault.com/questions/743483/transparent-http-https-domain-filtering-proxy, would bring me success:
https_port 3129 intercept ssl-bump
ssl_bump peek all
ssl_bump splice all
But no:
2020/10/08 09:57:49| FATAL: Unknown https_port option 'ssl-bump'.
2020/10/08 09:57:49| FATAL: Bungled /etc/squid/squid.conf line 6: https_port 3129 int
2020/10/08 09:57:49| Squid Cache (Version 4.6): Terminated abnormally.
CPU Usage: 0.017 seconds = 0.008 user + 0.008 sys
Maximum Resident Size: 57152 KB
Page faults with physical i/o: 0
FATAL: Bungled /etc/squid/squid.conf line 6: https_port 3129 intercept ssl-bump
squid.service: Control process exited, code=exited, status=1/FAILURE
squid.service: Failed with result 'exit-code'.
Failed to start Squid Web Proxy Server.
Compiling Squid
# cd ~
# mkdir squid-build
# cd squid-build
# apt-get install openssh-server net-tools
# apt-get install openssl devscripts build-essential fakeroot libdbi-perl libssl-dev # libssl1.0-dev
# apt-get install dpkg-dev
# apt-get source squid
# apt-get build-dep squid
# cd squid-4.6/
# vi debian/rules
# dpkg-source --commit
In the debian/rules file, add these flags to DEB_CONFIGURE_EXTRA_FLAGS:
--with-default-user=proxy \
--enable-ssl \
--enable-ssl-crtd \
--with-openssl \
--disable-ipv6
...and build...
# debuild -us -uc
...and install...
# cd ..
# pwd
/root/squid-build
# mv squid3*.deb squid3.deb.NotIncluded
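# dpkg -i *.deb
However, there is still no ssl_crtd.
Has it been renamed to security_file_certgen? (https://bugzilla.redhat.com/show_bug.cgi?id=1397644)
I compiled Squid and got it running for HTTP, but I do not know how to handle HTTPS, and apparently neither does anyone else. Is this impossible? It seems to be related to the certificate and squid.conf.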
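The build check described in the question, as an added example that is not part of the original post: it reads `squid -v` output, reports which of the two configure flags named above are missing, and looks for the certificate helper under both names the post mentions. The sample `squid -v` text and the function names are constructed for illustration; /usr/lib/squid is the helper directory used in the post.

```bash
#!/bin/bash
# Constructed samples of `squid -v` output; function names are this example's own.
SAMPLE_STOCK="Squid Cache: Version 4.6
configure options:  '--prefix=/usr' '--with-default-user=proxy'"
SAMPLE_REBUILT="Squid Cache: Version 4.6
configure options:  '--with-default-user=proxy' '--enable-ssl-crtd' '--with-openssl' '--disable-ipv6'"

# Read `squid -v` text on stdin; print each configure flag on its own line.
configure_flags() {
    { grep -i '^configure options:' || true; } | tr -d "'\"" | tr ' ' '\n' |
        { grep '^--' || true; }
}

# Read `squid -v` text on stdin; print the flags still missing for ssl-bump.
# Returns 0 when both flags are present, 1 otherwise.
missing_sslbump_flags() {
    local flags want missing=""
    flags=$(configure_flags)
    for want in --with-openssl --enable-ssl-crtd; do
        printf '%s\n' "$flags" | grep -Eq -- "^${want}(=.*)?\$" ||
            missing="${missing:+$missing }$want"
    done
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
}

# Print the helper path under either name the post mentions; $1 is the
# directory to search (default: /usr/lib/squid, the path used in the post).
find_certgen_helper() {
    local dir="${1:-/usr/lib/squid}" name
    for name in security_file_certgen ssl_crtd; do
        if [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# On a host with Squid installed, report on the real binary.
if command -v squid >/dev/null 2>&1; then
    if miss=$(squid -v | missing_sslbump_flags); then
        echo "flags OK; helper: $(find_certgen_helper || echo 'not found')"
    else
        echo "rebuild needed, missing: $miss"
    fi
fi
```

Running it after `dpkg -i` shows whether the installed binary is the rebuilt one or still the stock package.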
Posted on 2020-10-28 09:45:17
Don't bother, it's a waste of time:
https://unix.stackexchange.com/questions/613359