-
Notifications
You must be signed in to change notification settings - Fork 30
/
sslproxy.conf
464 lines (395 loc) · 13.9 KB
/
sslproxy.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
# Sample configuration for sslproxy v0.9.4
#
# Use the -f command line option to start sslproxy with a config file.
# See sslproxy.conf(5) and sslproxy(1) for documentation.
#
# Note that the ordering of options, rules, and proxyspecs in configuration
# files (and on the command line) is important. For example, rules and
# proxyspecs can only make use of the options defined earlier.
# Use CA cert (and key) to sign forged certs.
# Equivalent to -c command line option.
CACert /etc/sslproxy/ca.crt
# Use CA key (and cert) to sign forged certs.
# Equivalent to -k command line option.
CAKey /etc/sslproxy/ca.key
# Use cert from pemfile when destination requests client certs.
# Equivalent to -a command line option.
#ClientCert /etc/sslproxy/client.crt
# Use key from pemfile when destination requests client certs.
# Equivalent to -b command line option.
#ClientKey /etc/sslproxy/client.key
# Use CA chain from pemfile (intermediate and root CA certs).
# Equivalent to -C command line option.
#CAChain /etc/sslproxy/chain.crt
# Use key from pemfile for leaf certs.
# Equivalent to -K command line option.
# (default: generate)
#LeafKey /etc/sslproxy/leaf.key
# Use URL as CRL distribution point for all forged certs.
# Equivalent to -q command line option.
#LeafCRLURL http://example.com/example.crl
# Use cert+chain+key PEM files from certdir to target all sites matching the
# common names (non-matching: generate if CA).
# Equivalent to -t command line option.
#LeafCertDir /etc/sslproxy/leaf.d
# Use cert+chain+key from PEM file instead of generating leaf keys on the fly.
# Equivalent to -A command line option.
#DefaultLeafCert /etc/sslproxy/leaf.pem
# Write leaf key and only generated certificates to gendir.
# Equivalent to -w command line option.
#WriteGenCertsDir /var/log/sslproxy
# Write leaf key and all certificates to gendir.
# Equivalent to -W command line option.
#WriteAllCertsDir /var/log/sslproxy
# Deny all OCSP requests on all proxyspecs.
# Equivalent to -O command line option.
#DenyOCSP yes
# Passthrough SSL connections if they cannot be split because of client cert
# auth or no matching cert and no CA.
# Equivalent to -P command line option.
# (default: drop)
#Passthrough yes
# Use DH group params from pemfile.
# Equivalent to -g command line option.
# (default: keyfiles or auto)
#DHGroupParams /etc/sslproxy/dh.pem
# Use ECDH named curve.
# Equivalent to -G command line option.
# (default: prime256v1)
#ECDHCurve prime256v1
# Enable/disable SSL/TLS compression on all connections.
# Equivalent to -Z command line option.
#SSLCompression no
# Force SSL/TLS protocol version only.
# Equivalent to -r command line option.
# (default: all)
#ForceSSLProto tls12
# Disable SSL/TLS protocol version.
# Equivalent to -R command line option.
# (default: none)
#DisableSSLProto tls10
# Enable SSL/TLS protocol version.
# Equivalent to -B command line option.
# (default: all)
#EnableSSLProto tls10
# Min SSL/TLS protocol version.
# (default: tls10)
#MinSSLProto tls10
# Max SSL/TLS protocol version.
# (default: tls12 or tls13, depending on the version of SSL library)
#MaxSSLProto tls13
# Use the given OpenSSL ciphers spec.
# Equivalent to -s command line option.
# (default: ALL:-aNULL)
Ciphers ALL:!RC4
# Use the given OpenSSL ciphersuites spec.
# The ciphersuites spec is for TLS 1.3.
# Equivalent to -U command line option.
# (default: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256)
#CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
# Leaf key RSA keysize in bits, use 1024|2048|3072|4096.
# (default: 2048)
LeafKeyRSABits 2048
# OpenSSL engine to activate, either ID or full path to shared library
# Equivalent to -x command line option
#OpenSSLEngine cloudhsm
# Specify default NAT engine to use.
# Equivalent to -e command line option.
#NATEngine pf
# Drop privileges to user.
# Equivalent to -u command line option.
# (default: nobody, if run as root)
User _sslproxy
# Drop privileges to group.
# Equivalent to -m command line option.
# (default: primary group of user)
Group _sslproxy
# chroot() to jaildir (impacts sni proxyspecs, see sslproxy(1)).
# Equivalent to -j command line option.
#Chroot /var/run/sslproxy
# Write pid to file.
# Equivalent to -p command line option.
# (default: no pid file)
PidFile /var/log/utmfw/run/sslproxy.pid
# Connect log: log one line summary per connection to logfile.
# Equivalent to -l command line option.
#ConnectLog /var/log/sslproxy/connect.log
# Content log: full data to file or named pipe
# (excludes ContentLogDir/ContentLogPathSpec).
# Equivalent to -L command line option.
#ContentLog /var/log/sslproxy/content.log
# Content log: full data to separate files in dir
# (excludes ContentLog/ContentLogPathSpec).
# Equivalent to -S command line option.
#ContentLogDir /var/log/sslproxy/content
# Content log: full data to sep files with % subst
# (excludes ContentLog/ContentLogDir).
# Equivalent to -F command line option.
#ContentLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.log
# Look up local process owning each connection for logging.
# Equivalent to -i command line option.
#LogProcInfo yes
# Pcap log: packets to pcapfile (excludes PcapLogDir/PcapLogPathSpec).
# Equivalent to -X command line option.
#PcapLog /var/log/sslproxy/content.pcap
# Pcap log: packets to separate files in dir
# (excludes PcapLog/PcapLogPathSpec).
# Equivalent to -Y command line option.
#PcapLogDir /var/log/sslproxy/pcap
# Pcap log: packets to sep files with % subst (excludes PcapLog/PcapLogDir).
# Equivalent to -y command line option.
#PcapLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.pcap
# Mirror packets to interface.
# Equivalent to -I command line option.
#MirrorIf lo
# Mirror packets to target address (used with MirrorIf).
# Equivalent to -T command line option. Leave commented if the target is
# irrelevant (e.g. mirror to dummy device)
#MirrorTarget 192.0.2.1
# Log master keys to logfile in SSLKEYLOGFILE format.
# Equivalent to -M command line option.
#MasterKeyLog /var/log/sslproxy/masterkeys.log
# Daemon mode: run in background, log error messages to syslog.
# Equivalent to -d command line option.
Daemon yes
# Debug mode: run in foreground, log debug messages on stderr.
# Equivalent to -D command line option.
#Debug yes
# Verbose debug level
#DebugLevel 4
# Close connections after this many seconds of idle time
ConnIdleTimeout 120
# Check for expired connections every this many seconds
ExpiredConnCheckPeriod 10
# Log statistics to syslog
# Equivalent to -J command line option.
LogStats yes
# Log statistics every this many ExpiredConnCheckPeriod periods
StatsPeriod 1
# Remove HTTP header line for Accept-Encoding
RemoveHTTPAcceptEncoding no
# Remove HTTP header line for Referer
RemoveHTTPReferer yes
# Verify peer using default certificates
VerifyPeer yes
# When disabled, never add the SNI to forged certificates, even if the SNI
# provided by the client does not match the server certificate's CN/SAN.
# Helps pass the wrong.host test at https://badssl.com.
AllowWrongHost no
# Require authentication for users to use SSLproxy
UserAuth yes
# Path to user db file
UserDBPath /var/log/utmfw/db/users.db
# Time users out after this many seconds of idle time
UserTimeout 300
# Redirect URL for users to log in to the system
UserAuthURL https://192.168.0.1/userdblogin.php
# Comma separated list of users diverted by all proxyspecs
# Connections from these users are diverted to listening programs.
# Users not listed in DivertUsers or PassUsers are blocked.
# Max of 50 users can be listed.
#DivertUsers utmfw
# Comma separated list of users passed through by all proxyspecs
# Connections from these users are simply passed through to their original destinations,
# not diverted to listening programs.
# Users not listed in DivertUsers or PassUsers are blocked.
# Max of 50 users can be listed.
#PassUsers admin
# Validate proxy spec protocols
ValidateProto yes
# Max HTTP header size in bytes for protocol validation
MaxHTTPHeaderSize 8192
# Set open files limit, use 50-10000
OpenFilesLimit 1024
# Set divert or split mode of operation
# Not equivalent to the command line -n option.
# Applied to the proxyspecs defined after it, and structured proxyspecs can override it.
# Note that if the arg is not yes|no, it is assumed to be a Divert filter rule.
# (default: yes)
#Divert yes
# Passthrough sites
# The PassSite option is a special form of the Pass filter rule
# PassSite rules can be written as Pass filter rules, see filter rule examples
# PassSite rules will be deprecated in favor of filter rules in the future
# site[*] [(clientaddr|user|*) [description desc]]
#PassSite example.com
#PassSite example.com 192.168.0.1
#PassSite example.com soner
#PassSite *.google.com * android
#PassSite .fbcdn.net* soner android
# Load configuration from an include file
# Recursive include files are not allowed. The Include option cannot be used in
# include files.
#Include /etc/sslproxy/filterrules.conf
#Include /etc/sslproxy/proxyspecs.conf
# Define macro to be used in filtering rules. Macro names must start with a $
# sign. The macro name must be followed by words separated with spaces.
# Recursive macro definitions are not allowed.
#Define $macro value1 value2
# One line filtering rules
#(Divert|Split|Pass|Block|Match)
# ([from (
# user (username[*]|$macro|*) [desc (desc[*]|$macro|*)]|
# desc (desc[*]|$macro|*)|
# ip (clientip[*]|$macro|*)|
# *)]
# [to (
# (sni (servername[*]|$macro|*)|
# cn (commonname[*]|$macro|*)|
# host (host[*]|$macro|*)|
# uri (uri[*]|$macro|*)|
# ip (serverip[*]|$macro|*)) [port (serverport[*]|$macro|*)]|
# port (serverport[*]|$macro|*)|
# *)]
# [log ([[!]connect] [[!]master] [[!]cert]
# [[!]content] [[!]pcap] [[!]mirror] [$macro]|[!]*)]
# |*) [# comment]
#
# PassSite example.com is equivalent to the following two Pass rules:
# Pass to sni example.com
# Pass to cn example.com
#
#Divert from ip 192.168.0.1 to sni example.com
#Split from user soner to sni example.com log content
#Pass from user * desc android to sni *.google.com
#Block from user soner desc android to cn .fbcdn.net*
# Structured filtering rules
#FilterRule {
# Action (Divert|Split|Pass|Block|Match)
#
# # From
# User (username[*]|$macro|*) # inline
# Desc (desc[*]|$macro|*) # comments
# SrcIp (clientip[*]|$macro|*) # allowed
#
# # To
# SNI (servername[*]|$macro|*)
# CN (commonname[*]|$macro|*)
# Host (host[*]|$macro|*)
# URI (uri[*]|$macro|*)
# DstIp (serverip[*]|$macro|*)
# DstPort (serverport[*]|$macro|*)
#
# # Multiple Log lines allowed
# Log ([[!]connect] [[!]master] [[!]cert]
# [[!]content] [[!]pcap] [[!]mirror] [$macro]|[!]*)
#
# ReconnectSSL (yes|no)
#
# # Connection options
# DenyOCSP (yes|no)
# Passthrough (yes|no)
# CACert ca.crt
# CAKey ca.key
# ClientCert client.crt
# ClientKey client.key
# CAChain chain.crt
# LeafCRLURL http://example.com/example.crl
# DHGroupParams dh.pem
# ECDHCurve prime256v1
# SSLCompression (yes|no)
# ForceSSLProto (ssl2|ssl3|tls10|tls11|tls12|tls13)
# DisableSSLProto (ssl2|ssl3|tls10|tls11|tls12|tls13)
# EnableSSLProto (ssl2|ssl3|tls10|tls11|tls12|tls13)
# MinSSLProto (ssl2|ssl3|tls10|tls11|tls12|tls13)
# MaxSSLProto (ssl2|ssl3|tls10|tls11|tls12|tls13)
# Ciphers MEDIUM:HIGH
# CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
# RemoveHTTPAcceptEncoding (yes|no)
# RemoveHTTPReferer (yes|no)
# VerifyPeer (yes|no)
# AllowWrongHost (yes|no)
# UserAuth (yes|no)
# UserTimeout 300
# UserAuthURL https://192.168.0.1/userdblogin.php
# ValidateProto (yes|no)
# MaxHTTPHeaderSize 8192
#}
# One line proxy specifications
# type listenaddr+port up:utmport [ua:utmaddr ra:returnaddr]
#ProxySpec https 127.0.0.1 8443 up:8080 [ua:127.0.0.1 ra:127.0.0.1]
ProxySpec http 127.0.0.1 8081 up:8080
ProxySpec https 127.0.0.1 8443 up:8080
ProxySpec pop3 127.0.0.1 8994 up:8110
ProxySpec pop3s 127.0.0.1 8995 up:8110
ProxySpec smtp 127.0.0.1 8464 up:9199
ProxySpec smtps 127.0.0.1 8465 up:9199
ProxySpec autossl 127.0.0.1 8466 up:9199
# split mode
#ProxySpec http 127.0.0.1 8081
# Structured proxy specifications
# The global config is cloned into all proxyspecs first
# Each proxyspec can override its cloned global config
#ProxySpec {
# Proto https
#
# # Listen address
# Addr 127.0.0.1
# # Listen port
# Port 8444
#
# # Set divert or split mode for proxyspec
# #Divert yes
#
# # Divert address defaults to 127.0.0.1, if not specified
# # Equivalent to ua
# DivertAddr 127.0.0.1
# # Equivalent to up
# DivertPort 8080
#
# # Return address defaults to 127.0.0.1, if not specified
# # Equivalent to ra
# ReturnAddr 127.0.0.1
#
# # Specify nat, sni, or target config
# #NatEngine netfilter
# #SNIPort 443
# #TargetAddr 127.0.0.1
# #TargetPort 9443
#
# DenyOCSP yes
# Passthrough no
#
# # Proxyspec specific SSL/TLS config, overrides the cloned global config
# #CACert ca.crt
# #CAKey ca.key
# #ClientCert client.crt
# #ClientKey client.key
# #CAChain chain.crt
# #DHGroupParams dh.pem
# #ECDHCurve prime256v1
# #SSLCompression no
# #ForceSSLProto tls12
# #DisableSSLProto tls10
# #EnableSSLProto tls10
# #MinSSLProto tls10
# #MaxSSLProto tls13
# #Ciphers MEDIUM:HIGH
# #CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
#
# RemoveHTTPAcceptEncoding no
# RemoveHTTPReferer yes
# VerifyPeer yes
#
# UserAuth yes
# UserTimeout 300
# UserAuthURL https://192.168.0.1/userdblogin.php
# # Comma separated list of users diverted by this proxyspec, overrides the cloned global list
# DivertUsers utmfw
# # Comma separated list of users passed through by this proxyspec, overrides the cloned global list
# PassUsers admin
#
# ValidateProto yes
# # Proxyspec specific passsites are appended to the cloned global passsites
# PassSite example2.com
#
# Define $admins soner admin
# Pass from user $admins desc android to cn .fbcdn.net*
# # Structured version of the one line filtering rule above
# FilterRule {
# Action Pass
# User $admins
# Desc android
# CN .fbcdn.net*
# }
#}