Différences

Ci-dessous, les différences entre deux révisions de la page.

--- netadmin:proxy:squid:filtrage_https [2025/11/17 22:01] – yoann
+++ netadmin:proxy:squid:filtrage_https [2025/11/18 20:04] (Version actuelle) – [Exclusion du bumping-SSL] yoann
@@ Ligne 45: / Ligne 45: @@
 </code>
-On peut maintenant créer les différentes versions du certificat racine à déployer sur les clients :
+<note>
+Pour ce cas d'usage, on conserve la clé privée et le certificat dans un même fichier texte (format PEM).
+</note>
+On peut maintenant créer différentes versions du certificat racine qui pourront être déployées sur les clients (excluant la clé privée) :
 <code bash>
 # Format DER (bianire) pour les machines Windows
@@ Ligne 67: / Ligne 72: @@
 grep --invert-match -e '^$' -e '^#'  squid.conf
 </code>
+<file>
+acl SSL_ports port 443
+acl Safe_ports port 80          # http
+acl Safe_ports port 21          # ftp
+acl Safe_ports port 443         # https
+acl Safe_ports port 1025-65535  # unregistered ports
+acl purge method PURGE
+acl CONNECT method CONNECT
+http_access allow manager localhost
+http_access deny manager
+http_access allow purge localhost
+http_access deny purge
+http_access deny !Safe_ports
+http_access deny CONNECT !SSL_ports
+http_access allow localhost
+http_access deny all
+http_port 127.0.0.1:3128 ssl-bump cert=/etc/squid/cert/squid_proxyCA.pem generate-host-certificates=on options=NO_SSLv3,NO_TLSv1,NO_TLSv1_1
+ssl_bump bump all
+coredump_dir /var/spool/squid
+logfile_rotate 0
+refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
+refresh_pattern .       0   20% 4320
+cache_dir ufs /var/spool/squid 200 16 256
+</file>
+Initialiser le repertoire de stockage des certificats SSL gérés par Squid
+<code bash>
+runuser -u proxy -- /usr/lib/squid/security_file_certgen -c -s /var/spool/squid/ssl_db -M 64MB
+</code>
+<note warning>
+Cette étape est nécessaire pour que Squid puisse démarrer sans erreur
+</note>
 <note>
@@ Ligne 95: / Ligne 148: @@
 firewall-cmd --reload
 </code>
+===== Exclusion du bumping-SSL =====
+L'interception TLS peut ne pas s'appliquer systématiquement. On peut définir des ACLs et exclure des domaines du bumping-SSL.
+:TODO:
+sources :
+  * https://support.kaspersky.com/fr/kwts/6.1/193664
+  * https://blog.microlinux.fr/squid-exceptions/
+===== Dépannage =====
+Le service squid ne démarre pas normalement, les logs indiquent :
+<file>
+nov. 17 23:14:09 tethys (squid-1)[1308]: WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
+nov. 17 23:14:09 tethys squid[1308]: Set Current Directory to /var/spool/squid
+nov. 17 23:14:09 tethys squid[1308]: Starting Squid Cache version 5.7 for x86_64-pc-linux-gnu...
+nov. 17 23:14:09 tethys squid[1308]: Service Name: squid
+nov. 17 23:14:09 tethys squid[1308]: Process ID 1308
+nov. 17 23:14:09 tethys squid[1308]: Process Roles: worker
+nov. 17 23:14:09 tethys squid[1308]: With 1024 file descriptors available
+nov. 17 23:14:09 tethys squid[1308]: Initializing IP Cache...
+nov. 17 23:14:09 tethys squid[1308]: DNS Socket created at 0.0.0.0, FD 9
+nov. 17 23:14:09 tethys squid[1308]: Adding nameserver 192.168.122.1 from /etc/resolv.conf
+nov. 17 23:14:09 tethys squid[1308]: helperOpenServers: Starting 5/32 'ssl_crtd' processes
+nov. 17 23:14:09 tethys squid[1309]: ipcCreate: /usr/lib/squid/ssl_crtd: (2) No such file or directory
+nov. 17 23:14:09 tethys squid[1310]: ipcCreate: /usr/lib/squid/ssl_crtd: (2) No such file or directory
+nov. 17 23:14:09 tethys squid[1308]: Logfile: opening log daemon:/var/log/squid/access.log
+nov. 17 23:14:09 tethys squid[1308]: Logfile Daemon: opening log /var/log/squid/access.log
+nov. 17 23:14:09 tethys squid[1308]: Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
+nov. 17 23:14:09 tethys squid[1308]: Store logging disabled
+nov. 17 23:14:09 tethys squid[1308]: Swap maxSize 0 + 131072 KB, estimated 10082 objects
+nov. 17 23:14:09 tethys squid[1308]: Target number of buckets: 504
+nov. 17 23:14:09 tethys squid[1308]: Using 8192 Store buckets
+nov. 17 23:14:09 tethys squid[1308]: Max Mem  size: 131072 KB
+nov. 17 23:14:09 tethys squid[1308]: Max Swap size: 0 KB
+nov. 17 23:14:09 tethys squid[1308]: Using Least Load store dir selection
+nov. 17 23:14:09 tethys squid[1308]: Set Current Directory to /var/spool/squid
+nov. 17 23:14:10 tethys squid[1311]: ipcCreate: /usr/lib/squid/ssl_crtd: (2) No such file or directory
+nov. 17 23:14:10 tethys squid[1308]: Finished loading MIME types and icons.
+nov. 17 23:14:10 tethys squid[1313]: ipcCreate: /usr/lib/squid/ssl_crtd: (2) No such file or directory
+nov. 17 23:14:10 tethys squid[1312]: ipcCreate: /usr/lib/squid/ssl_crtd: (2) No such file or directory
+nov. 17 23:14:10 tethys squid[1308]: HTCP Disabled.
+nov. 17 23:14:10 tethys squid[1308]: Pinger socket opened on FD 24
+nov. 17 23:14:10 tethys squid[1308]: Squid plugin modules loaded: 0
+nov. 17 23:14:10 tethys squid[1308]: Adaptation support is off.
+nov. 17 23:14:10 tethys squid[1308]: Accepting SSL bumped HTTP Socket connections at conn12 local=0.0.0.0:3128 remote=[::] FD 22 flags=9
+nov. 17 23:14:10 tethys squid[1308]: WARNING: sslcrtd_program #Hlpr1 exited
+nov. 17 23:14:10 tethys squid[1308]: Too few sslcrtd_program processes are running (need 1/32)
+nov. 17 23:14:10 tethys squid[1308]: Closing HTTP(S) port 0.0.0.0:3128
+nov. 17 23:14:10 tethys squid[1308]: storeDirWriteCleanLogs: Starting...
+nov. 17 23:14:10 tethys squid[1308]:   Finished.  Wrote 0 entries.
+nov. 17 23:14:10 tethys squid[1308]:   Took 0.00 seconds (  0.00 entries/sec).
+nov. 17 23:14:10 tethys squid[1308]: FATAL: The sslcrtd_program helpers are crashing too rapidly, need help!
+nov. 17 23:14:10 tethys squid[1308]: Squid Cache (Version 5.7): Terminated abnormally.
+nov. 17 23:14:10 tethys squid[1308]: Closing Pinger socket on FD 24
+nov. 17 23:14:10 tethys squid[1270]: Squid Parent: squid-1 process 1308 exited with status 1
+nov. 17 23:14:10 tethys squid[1270]: Squid Parent: squid-1 process 1308 will not be restarted for 3600 seconds due to repeated, frequent failures
+nov. 17 23:14:10 tethys squid[1270]: Exiting due to repeated, frequent failures
+nov. 17 23:14:10 tethys squid[1270]: Removing PID file (/run/squid.pid)
+nov. 17 23:14:10 tethys systemd[1]: squid.service: Main process exited, code=exited, status=1/FAILURE
+nov. 17 23:14:10 tethys systemd[1]: squid.service: Killing process 1315 (squid) with signal SIGKILL.
+nov. 17 23:14:10 tethys systemd[1]: squid.service: Failed with result 'exit-code'.
+</file>
+Le message ''FATAL: The sslcrtd_program helpers are crashing too rapidly, need help!'' peut apparaitre si le repertoire de stockage des certificats gérés par Squid n'est pas créé. voir section "Configuration SQuid".
 ===== Références =====
@@ Ligne 105: / Ligne 227: @@
   * [[https://notebook.arnodo.fr/documentation/securit%C3%A9/ssl_bumping/ssl_bumping/|A propos du SSL-Bumping ou interception TLS (notebook.arnodo.fr)]]
   * [[https://wiki.squid-cache.org/KnowledgeBase/Debian|Installer Squid sous Debian (squid-cache.org) (en)]]
+  * [[https://unix.stackexchange.com/questions/613359/setting-up-squid-transparent-proxy-with-ssl-bumping-on-debian-10|Configurer squid avec SSL-bumping sous Debian 10 (unix.stackexchange.com) (en)]]

wikinotes

Outils pour utilisateurs

Outils du site

Différences

Outils de la page