With a lot of patience mixed with cursing I managed to build a working Squid 3.4.8 with SSL bump, dynamic certificate generation and "disk" caching for chaos calmer trunk (r43084). It requires libstdcpp, libpthread, libnettle, librt, libnetfilter-conntrack and openssl. The ca-certificates package is also needed to run, though not to build. Easy-RSA is recommended since it makes the creation of your root certificate easy.
BE FOREWARNED - Sniffing HTTPS traffic and re-signing via your own certificate authority can be a dangerous thing. If you don't have a clear understanding of the risks and consequences, please educate yourself on HTTPS and how certificates are used in PKI.
The Good News: Once you import your root certificate into the clients, things just work. The first time you load a particularly big SSL site (especially one that pulls HTTPS content from many different domains) you'll have a delay (2-3 seconds) as the certs are retrieved and generated, but subsequent loads are fast as ever.
The Bad News: The binary is over 5 MB! There has to be a way to trim this down, I just don't know how to do it. Facebook's authentication breaks, so most apps that use your Facebook login will break. Other OpenID-powered sites worked fine for me, so I'm not precisely sure what the issue is. Regardless, that's a squid-dev problem to discuss. Google, Amazon and other federated identity providers worked perfectly throughout my testing.
Here's a tar.gz to drop into the openwrt source build tree. In "make menuconfig" it will appear under Network -> Web Servers/Proxies.
Here's a sample configuration for performing transparent ssl bumping. Assumes the use of easy-rsa to generate the CA cert. Also implements caching to an SD card (/mnt/sdcard).
/etc/squid3/squid.conf:
# Client networks allowed to use the proxy (granted by "http_access allow localnet" below).
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
# CONNECT tunnels are only accepted to this port (see "deny CONNECT !SSL_ports").
acl SSL_ports port 443
# Destination ports clients may reach through the proxy; everything else is denied first.
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# HTTP Stuff
# Order matters: the first matching http_access line wins, so the deny rules
# sit above "allow localnet" and cannot be bypassed by it.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Cache manager interface is reachable from the router itself only.
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
# Plain HTTP lands here through the firewall DNAT rule for dport 80.
http_port 3128 intercept
# SSL Stuff
# Domains in no_bump are tunnelled untouched. Add sites whose clients pin
# certificates or otherwise break when re-signed (the post notes Facebook login).
acl no_bump dstdomain .pressganey.com
ssl_bump none localhost
ssl_bump none no_bump
# Every other TLS connection is decrypted and re-signed with the CA below;
# from this point on squid sees requests and responses in the clear.
ssl_bump server-first all
# Helper that mints per-host certificates; its database (generated keys
# included) lives on the SD card. The directory must be initialised once
# (ssl_crtd -c -s <db-dir>) before squid is started.
sslcrtd_program /usr/lib/squid3/ssl_crtd -s /mnt/sdcard/ssl_db -M 4MB
# The CA private key named here signs every generated certificate: whoever
# holds it can impersonate any site to clients that trust ca.crt. Keep it
# readable only by the account squid runs as; clients need ca.crt only.
https_port 3129 intercept ssl-bump cert=/etc/easy-rsa/keys/ca.crt key=/etc/easy-rsa/keys/ca.key generate-host-certificates=on
#The following port is required for overflow/outbound negotiation of server-first connections
# This is an ordinary (non-intercept) proxy port; the http_access rules above apply to it as well.
http_port 3127
#Logging
# With bumping enabled, access.log records full URLs of decrypted HTTPS
# requests; treat these files as sensitive.
access_log /mnt/sdcard/cache/access.log
cache_log /mnt/sdcard/cache/cache.log
cache_store_log /mnt/sdcard/cache/store.log
pid_filename /mnt/sdcard/cache/squid.pid
netdb_filename /mnt/sdcard/cache/netdb.state
coredump_dir /mnt/sdcard/cache
#Caching
cache_mem 2 MB
maximum_object_size_in_memory 128 KB
# On-disk cache on the SD card; objects from bumped HTTPS sessions are
# stored in the clear here too.
cache_dir ufs /mnt/sdcard/cache 5000 16 256
maximum_object_size 200 MB
cache allow all
You'll also need two rules in /etc/config/firewall to auto-forward HTTP and HTTPS traffic to squid (Change the subnet and router IP to suit):
# Transparent redirect of LAN HTTP (tcp/80) to squid's intercept port 3128
# on the router (http_port 3128 intercept in squid.conf). Only traffic from
# src_ip is redirected; hosts outside 192.168.1.0/24 bypass the proxy.
config redirect
option src 'lan'
option proto 'tcp'
option src_ip '192.168.1.0/24'
option src_dport '80'
option dest_ip '192.168.1.1'
option dest_port '3128'
option target 'DNAT'
# Same for HTTPS (tcp/443), sent to the ssl-bump intercept port 3129.
config redirect
option src 'lan'
option proto 'tcp'
option src_ip '192.168.1.0/24'
option src_dport '443'
option dest_ip '192.168.1.1'
option dest_port '3129'
option target 'DNAT'
In case Google Drive sharing decides not to work, here are the 3 files you need:
package/network/squid3/Makefile:
#
# Copyright (C) 2006-2012 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
include $(TOPDIR)/rules.mk
# Upstream tarball is named "squid"; the OpenWrt package defined below is "squid3".
PKG_NAME:=squid
PKG_VERSION:=3.4.8
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
# Plain-http download: the checksum below is the only integrity check on the source.
PKG_SOURCE_URL:=http://www.squid-cache.org/Versions/v3/3.4/
# NOTE(review): MD5 catches a corrupt download but is not collision-resistant;
# prefer a SHA-256 pin where the build system supports one, and re-verify the
# value against upstream's published checksum whenever PKG_VERSION changes.
PKG_MD5SUM:=094bd5f974d13485d51d02e93ec6027b
include $(INCLUDE_DIR)/package.mk
# Menu placement shared by every package built from this source
# (the post says it appears under Network -> Web Servers/Proxies).
define Package/squid3/Default
SECTION:=net
CATEGORY:=Network
SUBMENU:=Web Servers/Proxies
URL:=http://www.squid-cache.org/
endef
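# Main package; inherits SECTION/CATEGORY/SUBMENU/URL from Package/squid3/Default.
define Package/squid3
$(call Package/squid3/Default)
# expose the package as a selectable menu entry in menuconfig
MENU:=1
# Run-time dependencies. ca-certificates is not needed to build, but the post
# states the proxy needs it at run time, so it is declared here as well.
DEPENDS:=+libpthread +libopenssl +libnettle +librt +libnetfilter-conntrack +libstdcpp +ca-certificates
TITLE:=full-featured Web proxy cache
endef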
# Help text shown in menuconfig and the package control file. The body is
# emitted verbatim, so no comment lines belong inside the define.
define Package/squid3/description
Squid is a high-performance proxy caching server for web clients,
supporting FTP, gopher, and HTTP data objects. Unlike traditional
caching software, Squid handles all requests in a single,
non-blocking, I/O-driven process.
This implementation is geared specifically toward transparent
proxying and caching of HTTP and HTTPS traffic, including sslbump
and dynamic certificate generation.
endef
# Files preserved across package upgrades. squid.conf carries the CA
# certificate/key paths and the ssl_bump rules, so it must not be clobbered.
# The body is written out verbatim, so no comment lines belong inside the define.
define Package/squid3/conffiles
/etc/squid3/cachemgr.conf
/etc/squid3/errorpage.css
/etc/squid3/mime.conf
/etc/squid3/squid.conf
endef
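# Install layout: data, helpers and config live under *squid3* paths so they
# match Package/squid3/conffiles and the install recipe below.
CONFIGURE_ARGS += \
	--datadir=/usr/share/squid3 \
	--libexecdir=/usr/lib/squid3 \
	--sysconfdir=/etc/squid3

# Core build options for the OpenWrt target (netfilter interception, pthreads).
# --enable-icmp appeared twice in the original list; once is enough.
CONFIGURE_ARGS += \
	--enable-shared \
	--enable-static \
	--enable-x-accelerator-vary \
	--with-pthreads \
	--with-dl \
	--enable-icmp \
	--enable-kill-parent-hack \
	--enable-arp-acl \
	--enable-err-languages=English \
	--enable-default-err-language=English \
	--enable-linux-netfilter

# Features dropped to shrink the binary. Every proxy-authentication scheme is
# disabled, so access control rests entirely on the source ACLs in squid.conf
# (http_access allow localnet).
CONFIGURE_ARGS += \
	--disable-external-acl-helpers \
	--disable-auth-negotiate \
	--disable-auth-ntlm \
	--disable-auth-digest \
	--disable-auth-basic \
	--disable-wccp \
	--disable-wccpv2 \
	--disable-snmp \
	--disable-htcp

# Caching, logging and I/O features retained.
CONFIGURE_ARGS += \
	--enable-underscores \
	--enable-cache-digests \
	--enable-referer-log \
	--enable-delay-pools \
	--enable-useragent-log \
	--enable-storeio \
	--enable-epoll \
	--with-maxfd=4096

# libcap is disabled, so the raw-socket privilege for ICMP cannot come from
# capabilities; Package/squid3/install makes pinger setuid root instead.
# --enable-ssl / --enable-ssl-crtd provide ssl-bump and the ssl_crtd helper
# referenced by squid.conf.
CONFIGURE_ARGS += \
	--without-libcap \
	--enable-icap-client \
	--enable-ssl \
	--enable-ssl-crtd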
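# Pre-seeded autoconf results that configure cannot probe when cross-compiling
# (the netfilter header is present in the target kernel headers; epoll works
# on the target). No trailing backslash after the last entry: a dangling
# continuation splices whatever line follows into this variable.
CONFIGURE_VARS += \
	ac_cv_header_linux_netfilter_ipv4_h=yes \
	ac_cv_epoll_works=yes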
# Build the bundled lib/ tree first, then run the top-level install into
# PKG_INSTALL_DIR, from where Package/squid3/install copies files.
# NOTE(review): the previous comment here spoke of passing INCLUDES so host
# sources compile against our OpenSSL, but this recipe passes no INCLUDES or
# compiler variables at all; the host-built cf_gen is instead handled by
# patches/001-cross_compile.patch.
define Build/Compile
# step 1: helper libraries under lib/
$(MAKE) -C $(PKG_BUILD_DIR)/lib \
all
# step 2: full build and staged install into PKG_INSTALL_DIR
$(MAKE) -C $(PKG_BUILD_DIR) \
DESTDIR="$(PKG_INSTALL_DIR)" \
install
endef
# Template for a sub-package named by the first argument that ships one
# helper binary (second argument) from /usr/lib/squid3. The doubled dollars
# survive the outer expansion so that "$(1)" inside the generated install
# recipe and the BuildPackage call are evaluated only when the generated
# text is parsed by eval.
# NOTE(review): no "$(eval $(call BuildPlugin,...))" appears in this file,
# so the template is unused here unless another file instantiates it.
define BuildPlugin
define Package/$(1)/install
$(INSTALL_DIR) $$(1)/usr/lib/squid3
$(CP) $(PKG_INSTALL_DIR)/usr/lib/squid3/$(2) $$(1)/usr/lib/squid3/
endef
$$(eval $$(call BuildPackage,$(1)))
endef
# Copy the staged tree into the package root (first argument).
define Package/squid3/install
# configuration: the files listed in Package/squid3/conffiles come from here
$(INSTALL_DIR) $(1)/etc/squid3
$(CP) $(PKG_INSTALL_DIR)/etc/squid3/* $(1)/etc/squid3/
# user tools
$(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/purge $(1)/usr/bin/
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/squidclient $(1)/usr/bin/
# error pages, icons and other data
$(INSTALL_DIR) $(1)/usr/share/squid3
$(CP) $(PKG_INSTALL_DIR)/usr/share/squid3/* $(1)/usr/share/squid3/
# the proxy daemon itself
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/squid $(1)/usr/sbin/
# helpers, including ssl_crtd used by sslcrtd_program in squid.conf
$(INSTALL_DIR) $(1)/usr/lib/squid3
$(CP) $(PKG_INSTALL_DIR)/usr/lib/squid3/* $(1)/usr/lib/squid3/
# pinger is made setuid root (4755): the build is --without-libcap, so this is
# the only way it gets raw-socket access for --enable-icmp. It is the single
# setuid binary this package installs; drop the bit if ICMP measurement is not
# wanted. NOTE(review): a bare "chmod" would let the build system pick the tool
# rather than hard-wiring /bin/chmod.
/bin/chmod 4755 $(1)/usr/lib/squid3/pinger
endef
# Instantiate the squid3 package from the Package/squid3* definitions above.
$(eval $(call BuildPackage,squid3))
package/network/squid3/patches/001-cross_compile.patch:
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -7295,7 +7295,7 @@
# cf_gen builds the configuration files.
cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci
- $(HOSTCXX) -o $@ $(srcdir)/cf_gen.cc -I$(srcdir) -I$(top_builddir)/include/ -I$(top_builddir)/src
+ g++ -o $@ $(srcdir)/cf_gen.cc -I$(srcdir) -I$(top_builddir)/include/ -I$(top_builddir)/src
# squid.conf.default is built by cf_gen when making cf_parser.cci
squid.conf.default squid.conf.documented: cf_parser.cci
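Review bot: Hard-coding `g++` on the replaced cf_gen line drops every host-compiler setting the build exports (`HOSTCXX` and whatever host flags travel with it), and the patch carries no description of why `$(HOSTCXX)` fails under the OpenWrt toolchain; presumably it resolves to the target cross compiler, but that is not stated. If that is the cause, the same result is reachable without patching src/Makefile.in by overriding the variable on the command line, e.g. adding `HOSTCXX="$(HOSTCXX)"` to the `$(MAKE) -C $(PKG_BUILD_DIR)` invocation in the package Makefile's Build/Compile, since a command-line assignment takes precedence over the generated Makefile's own. Either way a one-line description above the `---` header would help the next maintainer. The hunk header claims 7 lines but only 6 are visible, so a context line was probably lost in extraction.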
package/network/squid3/patches/002-skip-configure-ssl-tests.patch:
--- a/configure
+++ b/configure
@@ -22221,12 +22221,10 @@
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the SSL_get_certificate is buggy" >&5
$as_echo_n "checking whether the SSL_get_certificate is buggy... " >&6; }
if test "$cross_compiling" = yes; then :
- { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error $? "cannot run test program while cross compiling
-See \`config.log' for more details" "$LINENO" 5; }
+ { $as_echo "$as_me:${as_lineno-$LINENO}: cross-compiler, cannot test, assume no" >&5
+$as_echo "$as_me: cross-compiler, cannot test, assume no" >&2;}
else
- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+{ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
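Review bot: The new cross-compiling branch only echoes "assume no" and sets nothing, so the outcome of the SSL_get_certificate check is whatever default the surrounding script falls back to rather than a value chosen for the target OpenSSL; the second hunk does the same for the workaround check, and the `{ … }` grouping opened here and in the second hunk and closed in the third is not explained. Since the package Makefile already seeds `ac_cv_epoll_works=yes` through CONFIGURE_VARS, a patch that gives these two tests a proper action-if-cross-compiling in the autoconf source (and a cache variable) would let each target answer them the same way instead of editing the generated `configure`, which an autoreconf would discard. At minimum the patch should carry a header naming the OpenSSL behaviour it assumes absent, because the ssl-bump code presumably depends on that answer.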
@@ -22263,17 +22261,17 @@
fi
rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
conftest.$ac_objext conftest.beam conftest.$ac_ext
+}
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the workaround for SSL_get_certificate works" >&5
$as_echo_n "checking whether the workaround for SSL_get_certificate works... " >&6; }
if test "$cross_compiling" = yes; then :
- { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
-as_fn_error $? "cannot run test program while cross compiling
-See \`config.log' for more details" "$LINENO" 5; }
+ { $as_echo "$as_me:${as_lineno-$LINENO}: cross-compiler, cannot test, assume no" >&5
+$as_echo "$as_me: cross-compiler, cannot test, assume no" >&2;}
else
+{
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
@@ -22313,6 +22311,7 @@
fi
rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
conftest.$ac_objext conftest.beam conftest.$ac_ext
+}
fi