Crear un proxy per ordinadors antics

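Farem servir la funcionalitat SSL-Bump del proxy Squid sobre Linux: el proxy acaba la connexió TLS amb el servidor de destinació i en torna a generar una cap al client, amb certificats signats per una CA pròpia. D’aquesta manera, un ordinador antic amb navegadors que avui dia ja no tenen suport podrà navegar per la xarxa, sempre que hi instal·lem el certificat d’aquesta CA. Com que el proxy veu tot el trànsit desxifrat, convé que només sigui accessible des de la xarxa local i que la clau privada de la CA no surti del servidor.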

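#!/bin/bash
# fork from: https://github.com/codepoet80/squid-sslbump-rpi
#
# Builds Squid 5.1 from source with SSL-Bump support, creates a local signing
# CA, writes squid.conf and a start script under /usr/local/squid.
#
# Security-relevant behaviour of this installer:
#   * The proxy terminates client TLS and re-signs sites with the CA created
#     below, so the CA private key must stay readable only by the proxy user.
#   * Legacy clients cannot validate modern certificates themselves; the proxy
#     is therefore the only place where upstream certificates are checked.
#   * The listening port is limited to loopback and private address ranges.

# Stop at the first failing step instead of configuring a half-built proxy.
set -euo pipefail

if [ "$(id -u)" -ne 0 ]; then
  printf "Script must be run with sudo\n" >&2
  exit 1
fi
echo "" && echo "Squid SSL Bump Simplified Install"
echo "---------------------------------"

readonly SQUID_USER=squid
readonly SQUID_DIR=/usr/local/squid
readonly SQUID_TARBALL=squid-5.1.tar.gz
readonly SQUID_URL="https://www.squid-cache.org/Versions/v5/${SQUID_TARBALL}"
# Set this to the SHA-256 digest published for the release to have the
# download verified before it is compiled and installed as root.
readonly SQUID_SHA256="${SQUID_SHA256:-}"

# update and install pre-reqs
# NOTE(review): libssl1.0-dev only exists on older Debian/Ubuntu releases;
# confirm the package name for the target distribution.
echo "" && echo "Installing Pre-Reqs..."
apt-get update
apt-get -qq -y install openssl libssl1.0-dev build-essential wget curl \
  net-tools dnsutils tcpdump ca-certificates
apt-get clean

# fetch, unpack, configure and install squid 5.1
echo "" && echo "Building Squid..."
# HTTPS instead of plain HTTP: the tarball is built and installed as root.
wget -O "$SQUID_TARBALL" "$SQUID_URL"
if [ -n "$SQUID_SHA256" ]; then
  printf '%s  %s\n' "$SQUID_SHA256" "$SQUID_TARBALL" | sha256sum -c -
else
  echo "WARNING: SQUID_SHA256 is not set; the download was not verified." >&2
fi
tar zxvf "$SQUID_TARBALL"
cd squid-5.1/
./configure --prefix="$SQUID_DIR" --enable-ssl --with-openssl \
  --enable-ssl-crtd --with-large-files --enable-auth --enable-icap-client
make
make install

# prep environment

echo "" && echo "Prepping Environment..."
mkdir -p "$SQUID_DIR/var/lib"
mkdir -p "$SQUID_DIR/ssl"
# The certificate helper is called security_file_certgen since Squid 4, so the
# former ssl_crtd initialisation is dropped; the database that squid.conf
# actually references is created further down.
mkdir -p "$SQUID_DIR/var/cache/squid"
# Re-running the installer must not fail because the account already exists.
if ! id -u "$SQUID_USER" >/dev/null 2>&1; then
  useradd "$SQUID_USER" -U -b "$SQUID_DIR"
fi
# NOTE(review): this also hands the installed binaries to the proxy account;
# consider limiting ownership to var/ and ssl/ once the setup is confirmed.
chown -R "${SQUID_USER}:${SQUID_USER}" "$SQUID_DIR"

echo "" && echo "Generating Certificate..."

# Keep an existing CA: clients already trust it, and replacing the key would
# invalidate every installed copy of the certificate.
if [ ! -s "$SQUID_DIR/ssl/squid-ca.pem" ]; then
  (
    # -nodes leaves the CA key unencrypted so Squid can load it unattended;
    # file permissions are its only protection, hence the restrictive umask.
    umask 077
    openssl req -new -newkey rsa:2048 -sha256 -days 3650 -nodes -x509 \
      -extensions v3_ca \
      -subj "/C=CA/ST=Catalunya/L=Barcelona/O=org/OU=sysadmin/CN=*" \
      -keyout "$SQUID_DIR/ssl/squid-ca-key.pem" \
      -out "$SQUID_DIR/ssl/squid-ca-cert.pem"
    cat "$SQUID_DIR/ssl/squid-ca-cert.pem" "$SQUID_DIR/ssl/squid-ca-key.pem" \
      >"$SQUID_DIR/ssl/squid-ca.pem"
    openssl x509 -in "$SQUID_DIR/ssl/squid-ca-cert.pem" -outform DER \
      -out "$SQUID_DIR/ssl/squid-ca-cert.der"
  )
fi
# Only squid-ca-cert.pem / squid-ca-cert.der are meant to be copied to clients;
# squid-ca-key.pem and squid-ca.pem contain the private key.
chown -R "${SQUID_USER}:${SQUID_USER}" "$SQUID_DIR/ssl"
chmod 700 "$SQUID_DIR/ssl"

# The helper refuses to initialise a database directory that already exists.
if [ ! -d "$SQUID_DIR/var/cache/squid/ssl_db" ]; then
  sudo -u "$SQUID_USER" "$SQUID_DIR/libexec/security_file_certgen" -c \
    -s "$SQUID_DIR/var/cache/squid/ssl_db" -M 4MB
fi

# set config

echo "" && echo "Updating Squid Config..."

cat >"$SQUID_DIR/etc/squid.conf" <<EOF
#=== sslbump config===
cache_mem 128 MB
workers 5

# Only loopback and private/link-local ranges may use the proxy. An
# unrestricted "allow all" turns the host into an open, TLS-intercepting relay.
# Narrow localnet to the subnet the legacy clients really use.
acl localnet src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
acl localnet src fc00::/7 fe80::/10
http_access allow localhost
http_access allow localnet
http_access deny all

forwarded_for off

cache_effective_user squid
cache_effective_group squid
always_direct allow all
icap_service_failure_limit -1

acl broken_sites ssl::server_name .example.com
ssl_bump splice localhost
ssl_bump splice broken_sites
ssl_bump bump all

# Upstream certificate errors are fatal. Clients only ever see certificates
# minted by this proxy, so accepting invalid server certificates here would
# hide every upstream interception from them.
sslproxy_cert_error deny all

sslcrtd_program $SQUID_DIR/libexec/security_file_certgen -s $SQUID_DIR/var/cache/squid/ssl_db -M 16MB
sslcrtd_children 3 startup=1 idle=1

http_port 3128 ssl-bump generate-host-certificates=on cert=$SQUID_DIR/ssl/squid-ca.pem dynamic_cert_mem_cache_size=16MB

EOF

# Quoted delimiter: the variables are resolved when the start script runs.
cat >"$SQUID_DIR/sbin/startsquid.sh" <<'EOF'
#!/bin/bash

SQUID_USER=squid
SQUID_DIR=/usr/local/squid

exec "$SQUID_DIR/sbin/squid" -f "$SQUID_DIR/etc/squid.conf" -NYCd 10
EOF
chmod +x "$SQUID_DIR/sbin/startsquid.sh"

# done
echo ""
echo "Done! If there were no errors, things are ready to go."
echo "Run '$SQUID_DIR/sbin/startsquid.sh' elevated to start the proxy server."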