FINALIZANDO CONFIGURACION DE SQUID
GENERANDO LOS CERTIFICADOS SSL
# Generando Cache del certificado - creo un script
[root@fircentos6 squid]# vim ssl_crtd.sh
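#!/bin/sh
# Initialise the ssl_crtd certificate cache used by Squid's ssl-bump and
# hand it over to the squid user. Run once, as root: sh ssl_crtd.sh
#
# SQUIDSSLCRTDDIR must be the same directory given to "-s" in the
# sslcrtd_program line of squid.conf, otherwise Squid looks elsewhere.
SQUIDSSLCRTDDIR=/usr/lib/squid/ssl_db/
SSLCRTD=/usr/lib/squid/ssl_crtd

# "-c" creates the database. Stop on a non-zero exit (helper not installed,
# directory not writable, ...) instead of silently continuing to the chown.
if ! "$SSLCRTD" -c -s "$SQUIDSSLCRTDDIR"; then
  printf 'ssl_crtd initialisation failed for %s\n' "$SQUIDSSLCRTDDIR" >&2
  exit 1
fi

# The helper runs as cache_effective_user (squid), so the db must be owned
# by it. "user:group" is the POSIX form; the "user.group" spelling is a GNU
# legacy. The db holds the generated per-host certificates, so it should
# presumably not be world-readable either - TODO confirm and tighten mode.
[ -d "$SQUIDSSLCRTDDIR" ] && chown -R squid:squid "$SQUIDSSLCRTDDIR"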
[root@fircentos6 squid]# sh ssl_crtd.sh
Initialization SSL db...
Done
# Cambiamos el propietario del certificado cache (solo si es necesario). Ojo: la ruta tiene que ser la misma que SQUIDSSLCRTDDIR en ssl_crtd.sh y que el parametro -s de sslcrtd_program en squid.conf; si no coincide, squid no usara la cache que acabamos de inicializar.
[root@fircentos6 squid]# chown squid: /var/lib/squid/ssl_db
# Generamos la Private Key y creamos el certificado de la CA en un solo archivo (tomado de Internet). Ese archivo .pem contiene la clave privada de la CA: debe quedar legible solo por root y el usuario squid, y nunca se copia a las PCs.
[root@fircentos6 squid]# openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout miempresaCA.pem -out miempresaCA.pem
Generating a 2048 bit RSA private key
writing new private key to 'miempresaCA.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:PE
State or Province Name (full name) []:Lima
Locality Name (eg, city) [Default City]:Miraflores
Organization Name (eg, company) [Default Company Ltd]:MIEMPRESA
Organizational Unit Name (eg, section) []:SISTEMAS
Common Name (eg, your name or your server's hostname) []:fircentos6.miempresa.com
Email Address []:soporte@miempresa.com
# Extraemos solo el certificado (formato DER, sin la clave privada) para instalarlo en nuestras PCs.
[root@fircentos6 squid]# openssl x509 -in miempresaCA.pem -outform DER -out miempresaCA.der
# Ingresamos a squid.conf
[root@fircentos6 squid]# vim /etc/squid/squid.conf
#################################################################################
# WELCOME TO SQUID
# Transparent proxy with ssl-bump: HTTP on 3128, HTTPS on 3129 is decrypted
# and re-signed with the miempresaCA certificate. http_access rules are
# evaluated top-down and the first matching line decides.
# ----------------------------
# SNMP community is declared, but no snmp_port/snmp_access line references it
# in this file. If SNMP is enabled elsewhere, pair it with snmp_access and do
# not keep the default community name "public".
acl snmppublic snmp_community public
#acl redlocal src 10.10.10.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 1935 # rtmp (Flash streaming), not http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
#
acl CONNECT method CONNECT
##### LOCAL NETWORK ACCESS
acl redlocal src 11.11.11.0/24
####### SITE ACCESS BY IP, "RETENCION" GROUP ###############
# Each group below is a pair: a src list (client IPs) and a url_regex list.
# url_regex matches the whole URL as a regular expression, so the entries in
# these files need escaping/anchoring (e.g. "\.example\.com") or they will
# also match any unrelated URL that merely contains the text.
acl ipretencion src "/etc/squid/ippagretencion.txt"
acl sitiosretencion url_regex "/etc/squid/sitiospagretencion.txt"
####### MICROSOFT SITES BY IP ###############
acl ipupdatemicrosoft src "/etc/squid/ipupdatems.txt"
acl sitiosupdatems url_regex "/etc/squid/sitiosupdatems.txt"
####### FACEBOOK-ONLY ACCESS ###############
acl ipfacebook src "/etc/squid/ipfacebook.txt"
acl sitiosfacebook url_regex "/etc/squid/sitiosfacebook.txt"
####### EXTENDED SITE LIST ###############
acl ipampliados src "/etc/squid/ipampliados.txt"
acl sitiosampliados url_regex "/etc/squid/sitiosampliados.txt"
####### INTRANET-ONLY ACCESS ##############
acl ipintranet src "/etc/squid/ipintranet.txt"
acl sitiosintranet url_regex "/etc/squid/sitiosintranet.txt"
################ FULL INTERNET ACCESS #############
acl fullacceso src "/etc/squid/ipfullacceso.txt"
######### EXTENSION LIST #############################
acl listadeextensiones urlpath_regex "/etc/squid/listadeextensiones.txt"
############### SITES BLOCKED FOR EVERYONE #########################
acl sitiosbloqueados url_regex "/etc/squid/sitiosbloqueados.txt"
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
#########################################
# NOTE(review): first match wins. The allow lines below sit above the
# "deny listadeextensiones" / "deny sitiosbloqueados" lines, so fullacceso
# hosts and the retencion/facebook/ampliados/microsoft pairs bypass the
# "blocked for everyone" lists. Move those two deny lines up here if the
# lists are meant to apply to every client.
http_access allow fullacceso
http_access allow ipretencion sitiosretencion
http_access allow ipfacebook sitiosfacebook
http_access allow ipampliados sitiosampliados
########### FOR MICROSOFT UPDATES ################
http_access allow ipupdatemicrosoft sitiosupdatems
http_access allow ipintranet sitiosintranet
http_access deny ipintranet
http_access deny listadeextensiones
http_access deny sitiosbloqueados
http_access allow redlocal
http_access deny all
# Squid normally listens to port 3128
# "transparent" is the older spelling of "intercept". Traffic still has to
# be redirected to these ports by the firewall; that step is not on this page.
http_port 3128 transparent
# cert= points at miempresaCA.pem, which holds the CA *private key* together
# with the certificate (openssl req -keyout/-out into the same file). Keep it
# readable only by root and the squid user; distribute only the .der copy.
https_port 3129 transparent ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/miempresaCA.pem
always_direct allow all
# Every HTTPS connection is decrypted and re-encrypted (server-first bump):
# the proxy sees plaintext and access.log will carry full HTTPS URLs.
ssl_bump server-first all
# SECURITY: these two lines make the proxy accept any upstream certificate
# (expired, self-signed, wrong hostname) and re-issue it under the CA that
# every PC trusts, so clients can no longer detect a forged server. Prefer
# dropping DONT_VERIFY_PEER and limiting sslproxy_cert_error to a named acl
# covering only the few sites that really need it.
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
# The -s directory must be the one ssl_crtd.sh initialised and chowned.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /usr/lib/squid/ssl_db -M 4MB
sslcrtd_children 5
# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?
# ==============================================
cache_mem 256 MB
cache_dir ufs /var/spool/squid 300 16 256
maximum_object_size 4096 KB
cache_swap_low 90
cache_swap_high 100
# With ssl-bump enabled this log also records decrypted HTTPS requests;
# restrict read access to it accordingly.
cache_access_log /var/log/squid/access.log squid
logfile_rotate 5
coredump_dir /var/spool/squid
url_rewrite_children 10
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
#================================================
cache_mgr sistemas@miempresa.com
cache_effective_user squid
cache_effective_group squid
error_directory /usr/share/squid/errors/es-pe
visible_hostname fircentos6.miempresa.com
# Upstream resolvers; every client behind the proxy relies on their answers.
dns_nameservers 8.8.8.8 200.48.225.130
#####################################################
#Verificar
[root@fircentos6 squid]# tail -f /var/log/squid/access.log
# Instalamos el certificado a cada PC o por politica AD (solo para IE y Chrome - miempresaCA.der)
Herramientas/Opciones de Internet/Contenido/Certificados/Entidades de Certificacion raiz de confianza/Importar/Buscamos miempresaCA.der/Damos ok a todo
Algunas paginas o conexiones VPN que usan certificados por el puerto 443 pueden no autenticar, porque el proxy reemplaza el certificado del servidor por uno firmado por miempresaCA y la aplicacion esperaba el certificado original; por lo general funciona en todo.