# SQUID, redirect and "Your connection is not secure"



## Maxiu (Sep 29, 2017)

I tried to do this: http://roberts.bplaced.net/index.ph...oxy-server/squid-transparent-proxy-http-https

So I successfully generated an SSL cert, added it to Firefox, redirected 443 to 3128, and I have this error:


```
Your connection is not secure

The owner of www.google.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.

Learn more…

Report errors like this to help Mozilla identify and block malicious sites

www.google.com uses an invalid security certificate.

The certificate is only valid for 172.217.18.68

Error code: SSL_ERROR_BAD_CERT_DOMAIN
https://www.google.com/search?q=sfsdfsdfsd&ie=utf-8&oe=utf-8&client=firefox-b-ab Unable to communicate securely with peer:
requested domain name does not match the server’s certificate.
HTTP Strict Transport Security: true HTTP Public Key Pinning: true Certificate chain:
```

Does it mean I must do point 4, "install our DNS"???? ;/

My current SQUID conf:


```
acl localnet src 192.168.0.0/16

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
https_port 3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/etc/squid/ssl_cert/myca.pem key

#always_direct allow all
ssl_bump server-first all
#sslproxy_cert_error deny all
#sslproxy_flags DONT_VERIFY_PEER

sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

cache_peer localhost parent 20001 0 round-robin
```


Anyone know what needs to be done to fix it?
And this way SQUID will be encrypting packets again???

Thanks, and please do not tell me about the risk. Everything is working on localhost.


----------



## obsigna (Sep 30, 2017)

You don't need to install your own DNS server.

You need to take some care when creating the proxy-CA certificate and chain, here comes an example session:
`# cd /usr/local/etc/squid`
`# openssl req -new -newkey rsa:2048 -sha256 -days 1095 -nodes -x509 -extensions v3_ca -keyout proxyCA.pem -out proxyCA.pem`

```
Generating a 2048 bit RSA private key
..............................................................+++
.........................................................+++
writing new private key to 'proxyCA.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Hessen]:
Frankfurt []:
Organization Name (eg, company) [Example]:
Organizational Unit Name (eg, section) [Certification Authority]:
Common Name (e.g. server FQDN or YOUR name) []:proxy.local
Email Address []:certs@example.com
```
The point is that you need to inform a fully qualified domain which the browser would accept -- I chose here proxy.local. Then in /usr/local/etc/squid/squid.conf you would inform this just-created CA chain, which consists of the private key followed by the CA certificate (public key) joined together in one file:

```
...
https_port        127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on cert=/usr/local/etc/squid/proxyCA.pem options=NO_SSLv2
...
```
Because proxyCA.pem contains the private key, you must not use this one for importing the proxy CA certificate into your browser, but instead, you need to extract the public CA certificate in the following manner:
`# openssl x509 -in proxyCA.pem -out proxyCA.crt`

You may freely distribute this public certificate proxyCA.crt and import it by browser specific means in order to make the browsers happily accept the de-/re-encrypted traffic.

However, there is another problem with your setup. Squid needs to check the certificates of the visited sites, and for this reason you need to inform the CA bundle of publicly known certification authorities. I suggest installing security/ca_root_nss. This port would place a symbolic link of up-to-date CA certificates into /etc/ssl/cert.pem. You would inform this in /usr/local/etc/squid/squid.conf:

```
...
sslproxy_options        NO_SSLv2
sslproxy_cipher         HIGH:!aNULL:!AES128:!SSLv2:!SSLv3
sslproxy_cafile         /etc/ssl/cert.pem
...
```
Finally, Squid 3.5 introduced the concept of SSL peeking -- http://marek.helion.pl/install/squid.html

In order to activate this, I suggest that you add the following to /usr/local/etc/squid/squid.conf:

```
...
acl step1       at_step SslBump1
ssl_bump        peek step1
ssl_bump        bump port_443
...
```
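A small configuration check for the pitfalls discussed in this reply and in the first post: a legacy `server-first` rule, an intercepting `https_port` with no peek step (so Squid never sees the client's SNI and may mint a certificate naming only the destination IP, which is the SSL_ERROR_BAD_CERT_DOMAIN symptom above), a missing `sslproxy_cafile`, and an `ssl_bump` rule naming an ACL the file never defines. This is an added example, not Squid's code or anything posted in this thread; both sample configs are constructed, and the `acl port_443 port 443` line in the good sample is an assumption, since the snippet above uses port_443 without showing its definition.

```python
# Constructed sample in the style of the first post: legacy server-first mode,
# intercept with no peek step, and no CA bundle for verifying origin servers.
BAD_CONF = """\
acl SSL_ports port 443
http_access allow all
https_port 3128 intercept ssl-bump generate-host-certificates=on cert=/usr/local/etc/squid/ssl_cert/myca.pem
ssl_bump server-first all
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
"""

# Constructed sample following the reply above; the port_443 acl is assumed.
GOOD_CONF = """\
https_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on cert=/usr/local/etc/squid/proxyCA.pem
sslproxy_cafile /etc/ssl/cert.pem   # public CA bundle from security/ca_root_nss
acl step1 at_step SslBump1
acl port_443 port 443
ssl_bump peek step1
ssl_bump bump port_443
"""

def parse_squid_conf(text):
    """Yield (directive, args) pairs; comments and blank lines are dropped."""
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if words:
            yield words[0], words[1:]

def lint_ssl_bump(text):
    """Return a list of findings; an empty list means no check fired."""
    conf = list(parse_squid_conf(text))
    acls = {a[0] for d, a in conf if d == "acl" and a} | {"all"}  # 'all' is built in
    rules = [a for d, a in conf if d == "ssl_bump" and a]
    findings = []
    for d, args in conf:
        if d == "https_port" and "ssl-bump" in args:
            if not any(x.startswith("cert=") for x in args):
                findings.append("https_port: ssl-bump without cert=")
            if "intercept" in args and not any(r[0] == "peek" for r in rules):
                findings.append("https_port: intercept with no 'ssl_bump peek' step, so "
                                "Squid never sees the SNI and may mint certs for the IP only")
    for r in rules:
        if r[0] == "server-first":
            findings.append("ssl_bump: server-first is the pre-3.5 mode; use peek/bump")
        for acl in r[1:]:
            if acl not in acls:
                findings.append(f"ssl_bump: undefined acl '{acl}'")
    if not any(d == "sslproxy_cafile" for d, _ in conf):
        findings.append("sslproxy_cafile missing: origin certificates go unverified")
    return findings
```

Run `lint_ssl_bump(open("/usr/local/etc/squid/squid.conf").read())` against a real file; the checks only look at the directives shown in this thread, not the whole Squid grammar.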


----------



## Maxiu (Jun 1, 2018)

Secure Connection failed...


```
cache deny all
http_access allow all
http_port 3127 intercept
https_port 127.0.0.1:3128 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/etc/squid/proxyCA.pem key=/usr/local/etc/squid/proxyCA.pem

ssl_bump server-first all
#sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
#sslcrtd_children 8 startup=1 idle=1


sslproxy_options        NO_SSLv2
sslproxy_cipher         HIGH:!aNULL:!AES128:!SSLv2:!SSLv3
sslproxy_cafile         /etc/ssl/cert.pem

#ssl_bump peek all
#ssl_bump splice all
#ssl_bump bump all

server_persistent_connections off
cache_peer localhost parent 20001 0 round-robin
#cache_peer localhost_2 parent 20002 0 round-robin no-query
#cache_peer localhost_3 parent 20003 0 round-robin
#cache_peer localhost_4 parent 20004 0 round-robin no-query
#cache_peer localhost_5 parent 20005 0 round-robin
#cache_peer localhost_6 parent 20006 0 round-robin
#cache_peer localhost_7 parent 20007 0 round-robin
#cache_peer localhost_8 parent 20008 0 round-robin
never_direct allow all
```


----------

