juanesech
6/15/2018 - 3:50 PM

Squid https Proxy

Configuratio file for squid https forwarding proxy

/etc/squid/squid.conf

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# waiss
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
acl QUERY urlpath_regex cgi-bin \? asp aspx jsp

## Prevent caching jsp, cgi-bin etc
cache deny QUERY

## Only allow access to the defined safe ports whitelist
http_access deny !Safe_ports

## Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

## Only allow cachemgr access from localhost
http_access allow all
#http_access deny manager

## Squid normally listens to port 3128
http_port 3128

## How much RAM, in MB, to use for cache? Default since squid 3.1 is 256 MB
cache_mem 64 MB

## Maximum size of individual objects to store in cache
maximum_object_size 1 MB

## Amount of data to buffer from server to client 
read_ahead_gap 64 KB

#forwarded_for on 
forwarded_for delete 

## Suppress sending squid version information
httpd_suppress_version_string on

## How long to wait when shutting down squid
shutdown_lifetime 30 seconds

## Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320

## Use the below to avoid proxy-chaining
always_direct allow all

## Always complete the server-side handshake before client-side (recommended)
ssl_bump bump all

## Allow server side certificate errors such as untrusted certificates, otherwise the connection is closed for such errors
sslproxy_cert_error allow all

## Accept certificates that fail verification (should only be needed if using 'sslproxy_cert_error allow all')
sslproxy_flags DONT_VERIFY_PEER

## Disable SSLv2 because it isn't safe
http_port 3128 intercept ssl-bump cert=/usr/local/squid/ssl_cert/squid.crt key=/usr/local/squid/ssl_cert/squid.key options=NO_SSLv2