How-to: Setup a secure web proxy using SSL encryption, Squid Caching Proxy and PAM authentication

I’ve had quite a few folks ask me what’s required to set up PAM with squid and stunnel for secure remote proxy usage, so I’ve drafted this quick guide.

This doc shows the steps needed to set up secure and nearly seamless web browsing (with stunnel, squid and PAM) from potentially untrusted networks such as airports, coffee shops and other hostile environments.

The document assumes a CentOS 4 system as the OS for the actual proxy server, and does not make any assumptions about the client operating system. It also assumes you are able to download and install any of the software mentioned. This is a working document and steps for additional configurations and operating systems will be added as time goes on.

Prerequisites:

Server:

Client:

Optional but recommended:

Server setup:

1. Configure the firewall

Ensure /etc/sysconfig/iptables contains a line to allow traffic in to the stunnel service, which we will set up later.

/etc/sysconfig/iptables:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT

2. Configure Squid for use with PAM

These are the settings that will differ from the default. It’s best to search through the file and modify as needed.

/etc/squid/squid.conf:

auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 4 hours
acl password proxy_auth REQUIRED
http_access allow password

3. Configure PAM for use with Squid

/etc/pam.d/squid:

auth required /lib/security/pam_unix.so
account required /lib/security/pam_unix.so

This configuration will allow you to authenticate to the proxy with a local account.

4. Configure stunnel for use with Squid

Create the stunnel private key (.pem) and put it in /etc/stunnel. The following FAQ will walk you through this: http://www.stunnel.org/faq/certs.html#ToC5
If you don’t want to read the FAQ, simply do the following:

# openssl genrsa -out privkey.pem 2048
# openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
# cat privkey.pem cacert.pem >> /etc/stunnel/stunnel.pem

Set the proper permissions on the resulting private key:

# chmod 0400 /etc/stunnel/stunnel.pem

Set the proper ownership of the stunnel chroot dir:

# chown nobody.nobody /var/run/stunnel

Edit the stunnel configuration.

/etc/stunnel/stunnel.conf:

cert = /etc/stunnel/stunnel.pem
chroot = /var/run/stunnel/
pid = /stunnel.pid
setuid = nobody
setgid = nobody

[squid]
# Ensure the 'connect' line matches your squid port. Default is 3128
accept = 8080
connect = 127.0.0.1:3128

Client Setup:

1. Configure stunnel

The configuration and installation for stunnel on most operating systems is pretty trivial. Download the appropriate version for your operating system here: stunnel download

Ensure the following is in the stunnel.conf file:

client = yes

[proxy]
accept = 127.0.0.1:8080
# Replace SERVER with the address of the server set up previously
connect = SERVER:8080

2. Configure web browser

Point your web browser proxy configuration to the local stunnel port as previously configured. This should be 127.0.0.1, port 8080.

Final steps:

Now that we’re all set up on both the client and server…

Server:

Restart the firewall

# service iptables restart

Start stunnel

# stunnel

Start squid

# service squid start

Client:

Start stunnel
This will vary based on your operating system.

Test your browsing!

Open the web browser and see what IP you’re coming from with a service similar to http://www.whatismyip.com/

If the IP address shown is that of your server, congrats. Everything works. You may now enjoy web browsing on a hostile network with less risk of sniffing.

Basic stunnel/squid Troubleshooting Based on Web Browser Results

Immediate blank page – The client’s stunnel is speaking with the server’s stunnel, but the server’s stunnel cannot speak to the server’s squid. Ensure the ports are correctly set within the squid.conf file.

Delayed timeout – The client’s stunnel is unable to speak to the server’s stunnel. Ensure stunnel is running on the remote server and that it is reachable from your client machine.

Connection refused – The web browser is unable to speak to the client’s stunnel. Ensure stunnel is running on the client and has the proper ports configured in both the web browser and the stunnel.conf.
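The three symptoms above can be checked without a browser. The following is an added example (not part of the original post): it sends a plain proxy-style GET to the client-side stunnel listener from the guide (127.0.0.1:8080, which forwards over TLS to the server's squid) and maps what comes back onto the troubleshooting table, including the 407 that squid returns when the PAM-backed proxy_auth ACL is in place and no credentials were sent. The username and password are placeholders you supply.

```python
import base64
import socket

PROXY_HOST = "127.0.0.1"   # client stunnel 'accept' address from the guide
PROXY_PORT = 8080          # client stunnel 'accept' port from the guide
TEST_URL = "http://www.whatismyip.com/"   # page the guide uses for the test


def build_request(url, username=None, password=None):
    """Build the absolute-URI GET a browser sends to an HTTP proxy.
    With credentials, add the Basic Proxy-Authorization squid's pam_auth checks."""
    host = url.split("/")[2]
    lines = ["GET %s HTTP/1.0" % url, "Host: %s" % host]
    if username is not None:
        token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
        lines.append("Proxy-Authorization: Basic " + token)
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def classify_response(data):
    """Map raw bytes from the local stunnel port onto the guide's symptoms."""
    if not data:
        return "blank"                # stunnel reached, but it could not reach squid
    status_line = data.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return "garbage"              # something answered, but not squid
    code = parts[1]
    if code == b"407":
        return "proxy-auth-required"  # whole chain works; squid wants PAM credentials
    if code[:1] in (b"2", b"3"):
        return "ok"                   # request was proxied to the web
    return "http-" + code.decode()


def probe(host=PROXY_HOST, port=PROXY_PORT, url=TEST_URL,
          username=None, password=None, timeout=5.0):
    """Connect to the client-side stunnel and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_request(url, username, password))
            chunks = []
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
            return classify_response(b"".join(chunks))
    except ConnectionRefusedError:
        return "refused"              # client stunnel is not listening
    except socket.timeout:
        return "timeout"              # server stunnel unreachable (firewall / not running)


if __name__ == "__main__":
    print(probe())                    # expect "proxy-auth-required" with no credentials
```

Run it once without credentials (expect proxy-auth-required) and once with a local account on the server (expect ok). Note that the client stunnel.conf in this guide sets no `verify`/`CAfile`, so the client accepts any server certificate; this probe confirms the tunnel chain, not the identity of the far end.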
