How to Install an SSL Proxy Server on Linux with User Authentication
Are you looking to set up an encrypted proxy server on Linux that requires users to log in? The setup in this guide does two distinct things: Squid listens on a TLS port, so the connection between each client and the proxy (including the proxy credentials) is encrypted, and it performs SSL bumping, meaning it terminates clients' HTTPS sessions with certificates signed by your own CA so that it can inspect them. With user authentication on top, only authorized users can use the proxy, giving you both encryption on the local leg and control over who connects. In this guide, we'll walk you through the steps to install Squid with OpenSSL support, generate the CA certificate, add login-based user authentication, and write the Squid configuration that ties it together.
Why Use an SSL Proxy Server with User Authentication?
An SSL proxy server in this setup protects two things. First, the connection between the client and the proxy is encrypted (Squid's https_port), so the proxy credentials and the browsing requests are not visible to anyone else on the local network. Second, with SSL bumping the proxy terminates the client's HTTPS session and opens its own session to the origin server, which lets it inspect and filter encrypted web traffic. That second part is also the caveat: the proxy, and whoever holds its CA key, can read everything that passes through it, so users must know that their HTTPS traffic is decrypted at the proxy. Adding authentication ensures that only authorized users can access the proxy, which is essential for businesses, organizations, and home networks that need both security and restricted access.
Step 1: Install Squid (Proxy Software with OpenSSL Support)
To create an SSL proxy server on Linux, we'll use Squid built against OpenSSL (the squid-openssl package on Debian and Ubuntu; the plain squid package is built with GnuTLS and cannot do SSL bumping) and OpenSSL itself for generating the certificates.
Update your package list:
sudo apt update
Install Squid with OpenSSL support:
sudo apt install squid-openssl -y
Install OpenSSL (this might already be installed, but it’s good to check):
sudo apt install openssl -y
Step 2: Generate SSL Certificates for Secure Connections
Your proxy needs its own Certificate Authority (CA): when it bumps an HTTPS connection, it mints a certificate for the requested site on the fly and signs it with this CA, and clients that trust the CA accept those certificates without warnings. In this guide the same certificate and key are also used for the proxy's own TLS listener. Follow these steps to create the CA private key and certificate.
Create a directory to store SSL certificates:
sudo mkdir -p /etc/squid/ssl_cert
Generate a private key for the CA:
sudo openssl genrsa -out /etc/squid/ssl_cert/myCA.key 2048
Create the CA certificate:
sudo openssl req -new -x509 -key /etc/squid/ssl_cert/myCA.key -out /etc/squid/ssl_cert/myCA.pem -days 3650
- When prompted, enter details for the certificate; use a Common Name that identifies this proxy's CA (for example "Squid Proxy CA"). This certificate (myCA.pem) is what Squid signs the per-site certificates with when bumping, and it is also the certificate the listener presents in the configuration below.
Set permissions on the certificate files. The key is the sensitive part: anyone who obtains myCA.key can impersonate any HTTPS site to every client that trusts myCA.pem, so keep it readable by root only and never copy it to client machines (only the .pem is distributed):
sudo chmod 600 /etc/squid/ssl_cert/myCA.key
sudo chmod 644 /etc/squid/ssl_cert/myCA.pem
Step 3: Set Up User Authentication
To restrict proxy access, we'll configure user authentication by creating a password file where authorized usernames and password hashes are stored. Squid checks it through the basic_ncsa_auth helper, which runs as the proxy user and must therefore be able to read the file.
Install the utility for creating password files:
sudo apt install apache2-utils -y
Create the password file and add the first user (-c creates the file; use it only once, because it truncates an existing file and discards every user already in it):
sudo htpasswd -c /etc/squid/passwd username
Replace username with your preferred username. You'll be prompted to create a password for this user; htpasswd stores it as a salted MD5-crypt hash (the $apr1$ format), which basic_ncsa_auth accepts.
Add additional users (optional), this time without -c:
sudo htpasswd /etc/squid/passwd anotheruser
Restrict the file so that only root and the proxy group can read it. Making it readable by root alone (mode 600) would make every login fail, because the helper process cannot open the file:
sudo chown root:proxy /etc/squid/passwd
sudo chmod 640 /etc/squid/passwd
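Before wiring the file into Squid it is worth checking what actually ended up in it. The following script is an added example, not part of the original article or of Squid: it classifies each hash in an htpasswd-style file (salted MD5-crypt from htpasswd's default, unsalted SHA-1 from htpasswd -s, 13-character DES crypt from htpasswd -d, or plaintext from htpasswd -p) and flags the weak forms, and it can also ask the real helper whether a username/password pair is accepted, exactly as Squid does. The helper path is the Debian/Ubuntu location and the sample entries in the comments are constructed.

```shell
#!/bin/sh
# Audit the Squid password file produced by htpasswd in Step 3.
# Added example, not part of the original article or of Squid. Assumes the
# hash formats htpasswd(1) can write: "$apr1$" MD5-crypt (its default on
# Linux), "{SHA}" unsalted SHA-1, 13-character DES crypt, and plaintext.
# The helper path below is the Debian/Ubuntu location (an assumption).
NCSA_AUTH=${NCSA_AUTH:-/usr/lib/squid/basic_ncsa_auth}

# Classify one hash field. Only "$apr1$" is both salted and certain to be
# accepted by basic_ncsa_auth; other "$..." crypt forms (bcrypt, sha512-crypt)
# depend on the system crypt(3) and should be confirmed with verify_credentials.
classify_hash() {
    case "$1" in
        '$apr1$'*) echo apr1-md5 ;;
        '{SHA}'*)  echo sha1-unsalted ;;
        '$'*)      echo other-crypt ;;
        *) if [ "${#1}" -eq 13 ]; then echo des-crypt; else echo plaintext; fi ;;
    esac
}

# Print "user class" for every entry (e.g. "alice apr1-md5") and return 1 if
# any entry is weak: plaintext, DES (silently limited to 8 password characters)
# or unsalted SHA-1.
audit_passwd_file() {
    rc=0
    while IFS=: read -r user hash || [ -n "$user" ]; do
        [ -z "$user" ] && continue
        class=$(classify_hash "$hash")
        case "$class" in
            plaintext|des-crypt|sha1-unsalted) rc=1 ;;
        esac
        printf '%s %s\n' "$user" "$class"
    done < "$1"
    return "$rc"
}

# Ask the real helper, the way Squid does: it reads "user password" lines on
# stdin and answers OK or ERR. Run it as the proxy user (sudo -u proxy ...) to
# confirm the file permissions are right as well as the password.
verify_credentials() {
    printf '%s %s\n' "$2" "$3" | "$NCSA_AUTH" "$1"
}
```

Running audit_passwd_file /etc/squid/passwd after Step 3 should print one apr1-md5 line per user and exit 0; verify_credentials /etc/squid/passwd username 'the-password' should print OK, and ERR both for a wrong password and when the helper cannot read the file.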
Step 4: Configure Squid as an SSL Proxy Server with Authentication
With SSL encryption and authentication prepared, modify the Squid configuration file to enable these features.
Open the Squid configuration file:
sudo nano /etc/squid/squid.conf
Replace the default configuration with the following:
# Squid Proxy Configuration with SSL Bumping and Authentication

# TLS listener for clients. Clients must be configured to use an HTTPS (TLS) proxy,
# not a plain HTTP proxy. The "ssl-bump" option is required here; without it the
# ssl_bump rules further down are never consulted. cert=/key= are still accepted by
# Squid 4 and 5 (the newer spellings are tls-cert=/tls-key=).
https_port 7788 ssl-bump cert=/etc/squid/ssl_cert/myCA.pem key=/etc/squid/ssl_cert/myCA.key generate-host-certificates=on dynamic_cert_mem_cache_size=4MB

# Helper that mints a certificate for each bumped site, signed with myCA. Its on-disk
# cache (ssl_db) must be created once with "security_file_certgen -c" and be owned by
# the user Squid runs as (proxy) before Squid is started.
sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/squid/ssl_db -M 4MB

# Access control list for IP range 192.168.155.0/24
acl allowed_network src 192.168.155.0/24
# Access control list for the specific domain (the leading dot matches subdomains too)
acl allowed_domain dstdomain .subdomain.domain.com
# HTTPS traffic reaches the proxy as CONNECT requests to port 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# Authentication settings: credentials are checked against /etc/squid/passwd, which
# must be readable by the user the helper runs as (proxy)
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid Proxy Server
# Accepted credentials are cached for this long before the helper is consulted again
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# Define an ACL for authenticated users. Squid sends a 407 challenge when a rule
# containing this ACL is evaluated for a request that carries no credentials.
acl authenticated_users proxy_auth REQUIRED

# Access Control Rules (the first matching rule wins)
# Never relay CONNECT to ports other than 443, so the proxy cannot be used as a
# generic TCP tunnel (to SMTP, SSH, ...) by anyone who has credentials.
http_access deny CONNECT !SSL_ports
# Authenticated users on the LAN may reach any destination
http_access allow authenticated_users allowed_network
# Authenticated users outside the LAN may only reach the listed domain
http_access allow authenticated_users allowed_domain
# Any authenticated user may CONNECT to port 443 on any host. This makes the
# allowed_domain restriction above apply to plain HTTP only; drop this rule if HTTPS
# should be limited to allowed_domain as well.
http_access allow authenticated_users SSL_ports
# Deny all other access requests
http_access deny all

# SSL Bumping Configuration for handling HTTPS connections: read the client hello
# (step 1), fetch the real server certificate (step 2), then bump, i.e. terminate the
# client's TLS session with a certificate signed by myCA (step 3)
acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl step3 at_step SslBump3
ssl_bump peek step1
ssl_bump stare step2
ssl_bump bump step3

# Disable caching for specific sites (redundant while "cache deny all" is set below;
# this is where per-site exceptions go if caching is enabled later)
acl no_cache_sites dstdomain .domain.com
cache deny no_cache_sites

# Hide client information for anonymity. These rules filter headers the client sent
# before they are forwarded to the origin server; they hide nothing from the proxy.
forwarded_for delete
request_header_access X-Forwarded-For deny all
request_header_access Via deny all
request_header_access From deny all
request_header_access Referer deny all
# Server, WWW-Authenticate and Link are response headers; listing them under
# request_header_access has no effect (use reply_header_access to filter responses)
request_header_access Server deny all
request_header_access WWW-Authenticate deny all
request_header_access Link deny all
request_header_access User-Agent allow all
request_header_access Authorization allow all
request_header_access Allow allow all
request_header_access Cache-Control allow all
# Squid appends its own Via header unless told not to
via off
visible_hostname unknown
cache deny all

# Logging. Both logs are discarded here for anonymity. Be aware that this also
# removes the audit trail for an authenticated proxy and hides start-up errors;
# point cache_log at a file at least while testing, and keep access_log if you
# need to know who used the proxy and when.
logfile_rotate 10
access_log /dev/null
cache_log /dev/null
coredump_dir /var/spool/squid
read_timeout 5 minutes
half_closed_clients off
shutdown_lifetime 1 seconds
dns_nameservers 8.8.8.8 8.8.4.4
Save and exit the configuration file.
Restart Squid to apply changes:
sudo systemctl restart squid
If Squid fails to start, temporarily point cache_log at a file (for example the Debian default, /var/log/squid/cache.log) to see the reason, since the configuration above discards it.
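The configuration in Step 4 has three places where a small omission silently disables a security feature (ssl_bump rules without "ssl-bump" on the port, bumping without a certificate helper, and the missing CONNECT guard), plus the logging choice that removes the audit trail. The following pre-flight script is an added example, not part of the original article or of Squid: it greps a squid.conf for exactly those four conditions, creates the certificate helper's database once, runs Squid's parse-only check (squid -k parse) and only then restarts the service. The helper and database paths are the Debian/Ubuntu squid-openssl layout and are assumptions; nothing executes unless SQUID_PREFLIGHT_APPLY=1 is set, so the file can be sourced just for the lint function.

```shell
#!/bin/sh
# Pre-flight checks for the Squid SSL-bump + auth configuration from Step 4.
# Added example; not part of the original article or of Squid. The helper and
# cert-DB paths are assumptions (Debian/Ubuntu squid-openssl layout).
set -u

# Static checks for the pitfalls discussed in the text. Prints one finding per
# line; returns 1 if anything was found, 0 if the file passed.
lint_squid_conf() {
    conf=$1
    findings=0
    # ssl_bump rules are inert unless the listening port carries "ssl-bump".
    if grep -q '^ssl_bump' "$conf" && ! grep -Eq '^https?_port .*[[:space:]]ssl-bump' "$conf"; then
        echo "ssl_bump rules present but no http(s)_port has the ssl-bump option"
        findings=$((findings + 1))
    fi
    # Bumping forges one certificate per site; that needs the certgen helper.
    if grep -Eq '^https?_port .*ssl-bump' "$conf" && ! grep -q '^sslcrtd_program' "$conf"; then
        echo "ssl-bump enabled but no sslcrtd_program configured"
        findings=$((findings + 1))
    fi
    # Squid's standard guard against being used as a generic TCP relay.
    if ! grep -Eq '^http_access deny CONNECT !SSL_ports' "$conf"; then
        echo "missing 'http_access deny CONNECT !SSL_ports'"
        findings=$((findings + 1))
    fi
    # No logs means no audit trail and no visible start-up errors.
    if grep -Eq '^(access_log|cache_log) /dev/null' "$conf"; then
        echo "logging disabled (access_log or cache_log sent to /dev/null)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# One-time creation of the on-disk certificate cache used by sslcrtd_program.
# It must be owned by the user Squid runs as (proxy on Debian/Ubuntu).
init_cert_db() {
    db=${1:-/var/lib/squid/ssl_db}
    [ -d "$db" ] && return 0
    /usr/lib/squid/security_file_certgen -c -s "$db" -M 4MB || return 1
    chown -R proxy:proxy "$db"
}

# Lint, then let Squid parse the file without starting, then restart.
apply_config() {
    conf=${1:-/etc/squid/squid.conf}
    lint_squid_conf "$conf" || echo "review the findings above before going live"
    squid -k parse -f "$conf" || return 1
    systemctl restart squid
}

# Nothing runs unless explicitly requested, so the file can be sourced safely.
if [ "${SQUID_PREFLIGHT_APPLY:-0}" = 1 ]; then
    init_cert_db && apply_config
fi
```

Run it as root with SQUID_PREFLIGHT_APPLY=1 on the proxy; the lint is deliberately a warning rather than a hard stop, because discarding the logs is a choice the configuration makes on purpose, but the parse check is fatal.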
Step 5: Testing Your SSL Proxy Server
- Configure a client device to use the proxy. Because the listener is an https_port, the client must be set up for an HTTPS (TLS) proxy rather than a plain HTTP proxy: in a PAC file that is "HTTPS <server-ip>:7788", and in curl it is "-x https://<server-ip>:7788". A plain HTTP proxy setting pointed at port 7788 fails during the TLS handshake.
- Verify Authentication: when a user connects to the internet through this proxy, they should be prompted for the username and password you set up, and a request without credentials must be answered with a 407 challenge rather than a page.
- Test SSL Encryption: access an HTTPS website through the proxy. Because the proxy bumps the connection, the browser sees a certificate issued by myCA, so myCA.pem must be installed on the client device or browser as a trusted authority to avoid certificate warnings. Installing it means the client trusts the proxy for every HTTPS site, which is exactly what bumping requires, so distribute only the .pem and keep myCA.key on the proxy. Note also that the listener presents the same CA certificate; curl accepts it via --proxy-cacert, but browsers check the listener certificate against the proxy's hostname and reject one without a matching Subject Alternative Name, so for browser clients issue a separate server certificate for the proxy's hostname, signed by myCA, and use that in https_port.
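The three checks above can be scripted with curl from a client machine. The following is an added example, not part of the original article: it verifies that unauthenticated requests get a 407, that valid credentials are accepted, and that bumping is really active (the certificate presented for a public site validates only against myCA.pem, not against the system trust store). It also shows what "--proxy-user" puts on the wire, a Proxy-Authorization header whose Basic value is just base64 and trivially reversible, which is the reason the proxy listens with TLS. The proxy address proxy.example.internal:7788, the user alice/s3cret and the target example.com are assumed values; nothing runs unless RUN_PROXY_CHECKS=1 is set.

```shell
#!/bin/sh
# Client-side checks for Step 5, run from a machine that uses the proxy.
# Added example, not part of the original article. Assumed values: the proxy is
# reachable at proxy.example.internal:7788, myCA.pem has been copied to the
# client, the test account is alice / s3cret, and example.com is the target.
PROXY=${PROXY:-https://proxy.example.internal:7788}
CA=${CA:-./myCA.pem}

# What "--proxy-user user:pass" sends: Proxy-Authorization: Basic base64(user:pass).
# Base64 is reversible, not encryption; that is why the proxy listens with TLS and
# must never be exposed on a plain http_port.
basic_auth_header() {
    printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64)"
}

# Recover user:pass from a captured header value, as anyone on the path of a
# plaintext proxy connection could.
decode_basic_auth() {
    printf '%s' "${1#Basic }" | base64 -d
}

# 1. No credentials: the proxy must answer 407 and fetch nothing.
check_auth_required() {
    code=$(curl -s -o /dev/null -w '%{http_code}' -x "$PROXY" --proxy-cacert "$CA" http://example.com/)
    [ "$code" = 407 ]
}

# 2. Valid credentials: a plain HTTP fetch through the proxy succeeds (200).
check_authenticated_fetch() {
    code=$(curl -s -o /dev/null -w '%{http_code}' -x "$PROXY" --proxy-cacert "$CA" \
               --proxy-user "$1:$2" http://example.com/)
    [ "$code" = 200 ]
}

# 3. Bumping is active: the certificate seen for example.com was minted by myCA,
#    so validation against the system trust store fails (curl exit 60) and
#    succeeds only when myCA.pem is supplied as the trust anchor.
check_bumped() {
    rc=0
    curl -s -o /dev/null -x "$PROXY" --proxy-cacert "$CA" --proxy-user "$1:$2" https://example.com/ || rc=$?
    [ "$rc" -eq 60 ] || return 1
    curl -s -o /dev/null -x "$PROXY" --proxy-cacert "$CA" --proxy-user "$1:$2" \
         --cacert "$CA" https://example.com/
}

# Run the checks only when asked, so the file can be sourced for its functions.
if [ "${RUN_PROXY_CHECKS:-0}" = 1 ]; then
    check_auth_required                    && echo "auth required: ok"
    check_authenticated_fetch alice s3cret && echo "authenticated fetch: ok"
    check_bumped alice s3cret              && echo "ssl bump: ok"
fi
```

If check_bumped fails at the first curl with an exit code other than 60, bumping is not happening (most often because the port lacks the ssl-bump option) and the client is simply tunnelling the real example.com certificate through the proxy.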
Conclusion
Congratulations! You have set up an SSL proxy server on Linux with user authentication. The proxy accepts TLS connections from clients, requires a username and password, and can inspect HTTPS traffic by bumping it with certificates issued by your own CA, while the access rules ensure only authorized users can use it. This setup suits networks where the operator is expected to inspect traffic, whether for business, education, or personal use; the users of the proxy must know that their HTTPS sessions are decrypted on it.
Key Points to Remember:
- SSL Encryption protects the client-to-proxy connection, including the Basic authentication credentials, which are only base64-encoded on the wire.
- SSL Bumping lets the proxy inspect HTTPS. It requires clients to trust myCA.pem, which makes myCA.key a key that can impersonate any website to those clients: keep it on the proxy only, readable by root.
- User Authentication limits proxy access to authorized users.
- Privacy Controls strip identifying headers from the requests sent on to websites; they hide nothing from the proxy itself, and with logging disabled there is also no record of who used it.
This configuration provides an encrypted, access-controlled path for managing internet traffic, as long as the CA key and the password file are protected with the same care as the proxy itself.