How to make Squid 3.3.5 as Transparent Proxy Https / Ssl in Centos 6.4

The experiment continues to make transparent proxy https / ssl. Same as previous post. Look at "How to make Squid 3.1.23 as Tproxy (Transparent Proxy) in Centos 6.4". Do the step 1 and 2, ie install shorewall and install dhcp server. Then continue with the next steps.

Install openssl

yum install openssl openssl-devel

cd /etc/squid/

openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout myconfigure.pem -out myconfigure.pem

Then you will be asked to enter information for your certificate request. Just enter, enter and enter to leave blank.

Country Name (2 letter code) [XX]:

State or Province Name (full name) []:

Locality Name (eg, city) [Default City]:

Organization Name (eg, company) [Default Company Ltd]:

Organizational Unit Name (eg, section) []:

Common Name (eg, your name or your server's hostname) []:

Email Address []:

#

Install Squid

In this experiment, for making transparent proxy, I use squid version 3.3.5. Configure the squid 3.3.5, make sure option --enable-icap-client   --enable-ssl , is exist.

cd /usr/local/squid-3.3.5

./configure --prefix=/usr --exec-prefix=/usr --bindir=/usr/sbin --sbindir=/usr/sbin --sysconfdir=/etc/squid --datadir=/usr/share/squid --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/lib/squid --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --x-includes=/usr/include --x-libraries=/usr/lib --enable-shared=yes --enable-static=no --enable-carp --enable-storeio=aufs,ufs --enable-removal-policies=heap,lru --disable-icmp --disable-delay-pools --disable-esi --enable-icap-client --enable-useragent-log --enable-referer-log --disable-wccp --enable-wccpv2 --disable-kill-parent-hack --enable-snmp --enable-cachemgr-hostname=localhost --enable-arp-acl --disable-htcp --disable-forw-via-db --enable-follow-x-forwarded-for --enable-cache-digests --disable-poll --enable-epoll --enable-linux-netfilter --disable-ident-lookups --enable-default-hostsfile=/etc/hosts --with-default-user=squid --with-large-files --enable-mit=/usr --with-logdir=/var/log/squid --enable-http-violations --enable-zph-qos --with-filedescriptors=65536 --enable-gnuregex --enable-async-io=64 --with-aufs-threads=64 --with-pthreads --with-aio --enable-default-err-languages=English --enable-err-languages=English --disable-hostname-checks --enable-underscores --enable-ssl ; make; make install

useradd squid

touch /etc/squid/noway

cd /etc/squid/

mkdir swap

chown squid:squid /etc/squid/swap

mkdir /cache

chown squid:squid /cache

chown -Rf squid:squid /var/log/squid/

cd /etc/squid/

mv squid.conf squid.conf.old

vim squid.conf

For squid configuration, take it from http://myconfigure.blogspot.com/2013/03/squid-332-328-example-squidconf.html. Then look again at squid.conf, some variable must be change. Make sure some variable below is exist.

acl bamboe src 192.168.10.0/24

http_port 3128

http_port 3127 intercept

https_port 3129 intercept ssl-bump cert=/etc/squid/myconfigure.pem key=/etc/squid/myconfigure.pem

ssl_bump allow all

always_direct allow all

##update##updaate##update##
If you get error like below,
SECURITY NOTICE: auto-converting deprecated "ssl_bump allow <acl>" to "ssl_bump client-first <acl>" which is usually inferior to the newer server-first bumping mode. Update your ssl_bump rules. 
Fix it with changing
ssl_bump allow all
To
ssl_bump client-first all

For startup squid, you can take it http://myconfigure.blogspot.com/2012/03/missing-file-startup-squid.html.

vim /etc/init.d/squid

chmod 755 /etc/init.d/squid

chkconfig --add  squid

chkconfig  --level 235 squid on

squid -z

/etc/init.d/squid start

Reconfigure shorewall.

Remember, I assume, you have installed shorewall, as I asked from the beginning ( step 1, at "How to make Squid 3.1.23 as Tproxy (Transparent Proxy) in Centos 6.4" ). And then we just need to reconfigure the shorewall, like below.
rules

REDIRECT        loc     3127    tcp     www     -

REDIRECT        loc     3129    tcp     443     -

Because, my squid version is 3.3.x, and then I just want to make Transparent Proxy, not Tproxy, so, in shorewall configuration folder, remove the content of file, providers and tcrules. Make sure both file  is empty contents.  
Done. After restart, from user computer, try to browse any site https (email yahoo, email google, or facebook). For example, browse to https://mail.google.com, or https://www.facebook.com. If you can connect to the site https,  and then you will get notification about security, like picture above, that’s mean squid has successful configured with option ssl_bump as transparent proxy ssl. Traffic headed to port 443 / https, currently must go through squid proxy to get to the destination.You can view users who active access to internet through proxy, with command.

tail –f /var/log/squid/access.log

1369742866.442    710 192.168.10.200 TCP_MISS/200 503 GET https://mail.google.com/mail/channel/test? - HIER_DIRECT/173.194.38.182 text/plain

1369742866.468    772 192.168.10.200 TCP_MISS/200 3890 POST https://mail.google.com/mail/? - HIER_DIRECT/173.194.38.182 text/javascript

1369742867.154    619 192.168.10.200 TCP_MISS/200 1737 POST https://mail.google.com/mail/? - HIER_DIRECT/173.194.38.182 text/javascript

1369742867.838    652 192.168.10.200 TCP_MISS/200 1441 POST https://mail.google.com/mail/? - HIER_DIRECT/173.194.38.182 text/javascript

1369742868.695    820 192.168.10.200 TCP_MISS/200 6918 POST https://mail.google.com/mail/? - HIER_DIRECT/173.194.38.182 text/javascript

Noted.

For Squid versions 3.1 and 3.2, both of them can be used, should be no problem. I was just starting to experiment with making transparent https / ssl. Probably much less configuration and less security. Please info, if there is a better option.

Reference

http://wiki.squid-cache.org/Features/DynamicSslCert. I edit some variables according my experiments.