Hi,
I've set up a transparent HTTP+HTTPS proxy on my server running CentOS 7, using Squid. Here's my configuration file.
--8<----------------------------------------------------------------
# /etc/squid/squid.conf

# Definitions
acl localnet src 192.168.2.0/24
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Access rules
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all

# Proxy ports
http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump \
  cert=/etc/squid/ssl_cert/nestor.microlinux.lan.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Location of ssl_crtd and of the TLS certificate cache
sslcrtd_program /usr/lib64/squid/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

# SSL-Bump
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all

# Size of the cache in RAM
cache_mem 2048 MB

# Location and size of the on-disk cache
# cache_dir ufs /var/spool/squid 100 16 256

# Core dumps
coredump_dir /var/spool/squid

# Lifetime of files without an expiry date
refresh_pattern ^ftp:             1440  20%  10080
refresh_pattern ^gopher:          1440   0%   1440
refresh_pattern -i (/cgi-bin/|\?)    0   0%      0
refresh_pattern .                    0  20%   4320
--8<----------------------------------------------------------------
First, I tested the configuration in permissive mode, where it works perfectly. After running it a while, I get the following SELinux alert.
# sealert -a /var/log/audit/audit.log

***** Plugin catchall (17.1 confidence) suggests *****

If you believe that ssl_crtd should be allowed read access on the index.txt file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ssl_crtd' --raw | audit2allow -M my-sslcrtd
# semodule -i my-sslcrtd.pp
Unfortunately the suggested solution doesn't work, because the problem reappears, and I get all sorts of errors in /var/log/squid/cache.log, all due to ssl_crtd not being able to access stuff under /var/lib/ssl_db.
Any idea how I can solve this problem permanently?
Cheers,
Niki
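The triage a practitioner would run on a denial like the one above, as an added example that is not part of Niki's post and not Squid's or SELinux's own tooling. It parses the raw AVC record that `ausearch -c ssl_crtd --raw` prints, reads the type of the file that was denied, and tells a labelling problem (the file carries a generic type such as var_lib_t, which no file-context rule assigned, so the durable fix is a persistent relabel) apart from a real policy gap (the file already carries a squid-specific type, so a local module from audit2allow is the right tool). The AVC record is constructed; that the files under /var/lib/ssl_db carry var_lib_t is an assumption to verify with `ls -dZ /var/lib/ssl_db`, and squid_cache_t as the target type is an assumption to verify with `matchpathcon /var/lib/ssl_db` before relabelling.

```shell
#!/bin/sh
# Added example, not from the original post: triage the SELinux denials
# ssl_crtd produces against /var/lib/ssl_db and decide whether the durable
# fix is a relabel (file context) or a policy change (audit2allow).
# Everything below runs offline on a constructed AVC record.

# Constructed sample record in the shape ausearch -c ssl_crtd --raw prints.
# The tcontext type var_lib_t is an assumption: it is what files created
# under /var/lib get when no file-context rule matches their path.
# permissive=1 mirrors the permissive-mode test described in the post.
SAMPLE_AVC='type=AVC msg=audit(1500000000.123:456): avc:  denied  { read } for  pid=1234 comm="ssl_crtd" name="index.txt" dev="dm-0" ino=7890 scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1'

# Types that mean "no policy rule labelled this path". A denial against one
# of them is a labelling problem: a local module allowing squid_t to touch
# var_lib_t would make every var_lib_t file on the host readable by squid.
GENERIC_TYPES="var_lib_t var_t default_t unlabeled_t"

# avc_field RECORD KEY: print the value of KEY=value, quotes stripped.
# Non-zero exit when the key is absent.
avc_field() {
    for tok in $1; do
        case $tok in
            "$2="*)
                v=${tok#"$2="}; v=${v#\"}; v=${v%\"}
                printf '%s\n' "$v"
                return 0 ;;
        esac
    done
    return 1
}

# avc_perms RECORD: print the denied permissions listed inside { ... },
# one per line.
avc_perms() {
    p=${1#*\{}; p=${p%%\}*}
    # unquoted expansion drops the surrounding whitespace
    printf '%s\n' $p
}

# ctx_type CONTEXT: user:role:type:level -> type
ctx_type() {
    t=${1#*:*:}
    printf '%s\n' "${t%%:*}"
}

# avc_triage RECORD: print "relabel" when the target carries a generic
# type, "policy" otherwise; non-zero exit when the record has no tcontext.
avc_triage() {
    tctx=$(avc_field "$1" tcontext) || return 1
    ttype=$(ctx_type "$tctx")
    for g in $GENERIC_TYPES; do
        if [ "$ttype" = "$g" ]; then
            printf 'relabel\n'
            return 0
        fi
    done
    printf 'policy\n'
}

# relabel_commands DIR TYPE: the persistent relabel, printed, not executed.
# TYPE is an assumption to verify first: matchpathcon DIR shows what the
# installed policy expects for that path, and squid_cache_t is the type
# squid_t already manages for its cache directories.
relabel_commands() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

# Triage the constructed record when the script is run directly.
rec=$SAMPLE_AVC
printf 'comm=%s name=%s class=%s perms=%s\n' \
    "$(avc_field "$rec" comm)" "$(avc_field "$rec" name)" \
    "$(avc_field "$rec" tclass)" "$(avc_perms "$rec")"
case $(avc_triage "$rec") in
    relabel) relabel_commands /var/lib/ssl_db squid_cache_t ;;
    policy)  printf 'target type is squid-specific: audit2allow is the right tool\n' ;;
esac
```

Feed it real records with `ausearch -c ssl_crtd --raw | grep '^type=AVC'` and call `avc_triage` on each line. A relabel survives reboots and policy updates because `semanage fcontext` stores the rule in the local file-context database, which is why it is the permanent answer when the target type is generic; an audit2allow module only adds an allow rule and leaves the mislabelled files in place.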