Non-transparent SSL Bumping#1332
Conversation
Copied ssl-bump parameters from https-intercept listeners to usual http listener
Removed help strings that noticed transparent mode requirement for SSL bumping.
|
@mmorev isn't the outcome of this the same as sslbumpport to port 3128? |
|
@AdSchellevis sslbumpport is used within intercept-mode https listener on loopback interface. User cannot connect to this listener directly if not redirected by firewall. Moreover, not all web browsers support different proxy servers for HTTP and HTTPS sites (like Firefox does), so using port 3128 for both http and ssl is the best way of handling user traffic. |
|
@mmorev your problem is with the listener, I see. I'm not sure what the downside is with enabling this by default, if there is non, I'm fine with it enabling sslbump on the default listener as well. |
|
but please don't remove the redirect rule and the associated feature. it looks like changing a feature into something else, not an addition. |
|
@AdSchellevis okay, I just did'nt pay attention to that macro, sorry. Will review this evening. My python isn't so good as my english :). |
|
@AdSchellevis btw a part of code that I have modified should use this macro to create IPv4 and IPv6 listeners by design, isn't it? Currently it creates IPv4 listener only. |
|
@mmorev it should indeed create both listeners, but if I'm reading it correctly, it doesn't appear to be doing so with our standard rules at the moment. So sticking to what's already there is fine, adding IPv6 (for both) is also good. |
Slightly extended sslbump_httpsconfig macro to make usable in regular listener strings; renamed macro to listener_config.
|
@AdSchellevis i have made some changes, please, review |
AdSchellevis
left a comment
AdSchellevis
left a comment
There was a problem hiding this comment.
@mmorev changes look good, only two small comments. I like what you've done with the macro here.
Thanks!
| <br/><br/> | ||
| Transparent HTTP proxy needs to be enabled and you need nat rules to reflect your traffic | ||
| for this feature to work.<br/> | ||
| <a href="/firewall_nat_edit.php?template=transparent_proxy&https=1"> Add a new firewall rule </a> |
There was a problem hiding this comment.
can we leave some comment in there about adding firewall rules? Most people use this in transparant mode.
There was a problem hiding this comment.
This link was duplicated from proxy.forward.transparentMode field comment, where it's really necessary. Looks like someone considered these two options dependent, but they aren't.
There was a problem hiding this comment.
You're right, sorry about the noise here.
There was a problem hiding this comment.
so what happens to our transparent_proxy https rule template? it's now unused.
There was a problem hiding this comment.
@fichtner look above in file, it's used on line 221
There was a problem hiding this comment.
@fichtner I see it is nontrivial to create such link for adding two rules simultaneously. I'll think if we can create rules another way.
There was a problem hiding this comment.
@mmorev we have pluggable rules now, they could be used instead. though I liked the simplicity of the approach: rule for http transparent use, another one for https transparent use as it gives the flexibility to do the one or the other or both. plus the user could change the rule, set it for a specific range of sources or destinations. If we use a checkbox from the proxy, this flexibility will go away.
There was a problem hiding this comment.
I don't think there is a way around adding it back until we have a better solution
There was a problem hiding this comment.
I agree, I will add it back.
| {% set listener_type = 'http_port' %} | ||
| {% endif %} | ||
| {% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %} | ||
| {% set sslparams = 'ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on' %} |
There was a problem hiding this comment.
you may need to set sslparams to an empty string it not in sslbump mode, I haven't test this, but I'm not sure either it will like an uninitialised string.
There was a problem hiding this comment.
Fixed that. Actually, template engine treats undefined variable as an empty string when printed (http://jinja.pocoo.org/docs/dev/templates/#variables), so it wasn't necessary
|
@AdSchellevis, @fichtner Thank you! Hope I'll find some time to make more improvements ) |
|
when "Enable Transparent HTTP proxy" is on and "Enable SSL inspection" is off squid does not start anymore: |
|
@mmorev many thanks, tested and committed 👍 |
|
@fichtner Glad to help) I like your work and product very much) |
|
thanks and likewise we love contributions. please do keep them coming! :) |
3 participants
In some circumstances transparent proxying is not applicable, but SSL traffic filtering is still needed. This small patch allows use SSL bumping in non-transparent mode through standard 3128 port.