setting up apache2 (or squid) to serve as an SSL/TLS proxy for older systems?

Wowfunhappy@gmail.com wowfunhappy at gmail.com
Mon Dec 14 21:39:22 UTC 2020


I'm many months late, but I happened to come across this thread while going through the archives. I have in fact been using Squid to work around https issues on an older system, in my case OS X 10.9. 

Squid's documentation is difficult to decipher, so it took me a solid day to get everything set up! But, my working configuration file is as follows:

http_port 3128 ssl-bump generate-host-certificates=on cert=/Library/Squid/Certificates/squid.pem key=/Library/Squid/Certificates/squid-key.pem

tls_outgoing_options cafile=/Library/Squid/Certificates/cacert.pem
sslcrtd_program /Library/Squid/security_file_certgen

acl excluded_domains ssl::server_name .pypi.org .pythonhosted.org
acl apple_domains ssl::server_name_regex ess\.apple\.com$  ^sw.*\.apple\.com$
acl local_addresses ssl::server_name_regex ^192\.[0-9]+\.[0-9]+\.[0-9]+$ ^10\.[0-9]+\.[0-9]+\.[0-9]+$ ^172\.(1[6-9]|2[0-9]|3[01])\.[0-9]+\.[0-9]+$
acl loopback_addresses ssl::server_name_regex ^127\.[0-9]+\.[0-9]+\.[0-9]+$ ^::1$
acl excluded any-of excluded_domains apple_domains local_addresses loopback_addresses
ssl_bump splice excluded
ssl_bump bump all

acl fetched_certificate transaction_initiator certificate-fetching
cache allow fetched_certificate
http_access allow fetched_certificate
sslproxy_cert_error deny all

http_access allow localhost
http_access deny to_localhost
http_access deny all

This config file assumes there's a root cert in /Library/Squid/Certificates/squid.pem and a key in /Library/Squid/Certificates/squid-key.pem. The excluded domains can be adjusted if desired; `apple_domains` fixes issues with some built-in Apple services that appear to use certificate pinning (iMessage, App Store), and `local_addresses` fixed some issues with docker-machine. You can also exclude specific domains from the proxy within OS X's System Preferences.

If your old system happens to be one of 10.6–10.9, and you'd like to run Squid on the Mac itself as opposed to on an external router, I put together a little automagic installer here. The readme contains some additional instructions on adding a certificate to Keychain Access that may be useful even if you're going the different-device route. https://jonathanalland.com/downloads/wowfunhappy-https-proxy.dmg

I would recommend that basically anyone on an old system consider setting up something like this! It fixes a lot of stuff!
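The ACL lines above decide which TLS connections Squid passes through untouched (splice) and which it intercepts and re-signs with the local root (bump), so it is worth checking that the domain and regex patterns cover exactly the hosts you intend before trusting the proxy's CA. The following is an added example, not code from the original post or from Squid itself: a small Python model of those ACLs and the two `ssl_bump` rules, using the same patterns as the configuration. It assumes Squid's documented semantics, namely that a leading dot in `ssl::server_name` matches the domain and all of its subdomains, and that `ssl::server_name_regex` is an unanchored, case-sensitive regex search; the host names it is run against are constructed for illustration.

```python
import re

# ACL definitions copied from the squid.conf above (this script is a model of
# Squid's matching behaviour, not Squid's own code).
# ssl::server_name: a leading dot matches the domain itself and every subdomain
# (assumed from Squid's dstdomain-style semantics).
SERVER_NAME_ACLS = {
    "excluded_domains": [".pypi.org", ".pythonhosted.org"],
}
# ssl::server_name_regex: unanchored regex search, case-sensitive unless -i is
# given (assumption based on Squid's documented default).
SERVER_NAME_REGEX_ACLS = {
    "apple_domains": [r"ess\.apple\.com$", r"^sw.*\.apple\.com$"],
    "local_addresses": [
        r"^192\.[0-9]+\.[0-9]+\.[0-9]+$",
        r"^10\.[0-9]+\.[0-9]+\.[0-9]+$",
        r"^172\.(1[6-9]|2[0-9]|3[01])\.[0-9]+\.[0-9]+$",
    ],
    "loopback_addresses": [r"^127\.[0-9]+\.[0-9]+\.[0-9]+$", r"^::1$"],
}
# acl excluded any-of ...
ANY_OF_ACLS = {
    "excluded": ["excluded_domains", "apple_domains",
                 "local_addresses", "loopback_addresses"],
}
# ssl_bump rules in the order they appear; first match wins.
SSL_BUMP_RULES = [("splice", "excluded"), ("bump", "all")]


def domain_matches(pattern: str, host: str) -> bool:
    """Match one ssl::server_name pattern against a host (case-insensitive)."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        # ".pypi.org" matches "pypi.org" and "files.pypi.org", but not "notpypi.org"
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_matches(name: str, host: str) -> bool:
    """Evaluate a named ACL (including any-of composites and the builtin 'all')."""
    if name == "all":
        return True
    if name in SERVER_NAME_ACLS:
        return any(domain_matches(p, host) for p in SERVER_NAME_ACLS[name])
    if name in SERVER_NAME_REGEX_ACLS:
        return any(re.search(p, host) for p in SERVER_NAME_REGEX_ACLS[name])
    if name in ANY_OF_ACLS:
        return any(acl_matches(member, host) for member in ANY_OF_ACLS[name])
    raise KeyError(f"unknown ACL: {name}")


def ssl_bump_action(host: str) -> str:
    """Return 'splice' or 'bump' for the server name Squid saw in the CONNECT."""
    for action, acl in SSL_BUMP_RULES:
        if acl_matches(acl, host):
            return action
    # Unreachable with the config above because the last rule is "bump all".
    return "splice"


def matching_acls(host: str) -> list:
    """List the leaf ACL names a host matches, useful when a rule surprises you."""
    leaves = list(SERVER_NAME_ACLS) + list(SERVER_NAME_REGEX_ACLS)
    return [n for n in leaves if acl_matches(n, host)]


if __name__ == "__main__":
    # Constructed sample server names; none of these reflect real traffic.
    samples = ["files.pythonhosted.org", "pypi.org", "notpypi.org",
               "swcdn.apple.com", "www.apple.com", "ess.apple.com",
               "192.168.1.10", "172.32.0.1", "::1", "example.com"]
    for h in samples:
        print(f"{h:25s} -> {ssl_bump_action(h):6s} {matching_acls(h)}")
```

Running it shows that `www.apple.com` is bumped while `swcdn.apple.com` and `ess.apple.com` are spliced, that `notpypi.org` is not caught by `.pypi.org`, and that `172.32.0.1` falls outside the 172.16/12 range and is therefore bumped; if a pinned service still fails behind the proxy, adding its server name to one of the excluded ACLs and re-running this check is a quick way to confirm the pattern before restarting Squid.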

URL: <http://lists.macports.org/pipermail/macports-users/attachments/20201214/4594c56d/attachment.htm>


More information about the macports-users mailing list