.\"-
.\" SSLproxy - transparent SSL/TLS proxy for diverting packets to programs
.\" https://github.com/sonertari/SSLproxy
.\"
.\" Copyright (c) 2009-2018, Daniel Roethlisberger <daniel@roe.ch>.
.\" Copyright (c) 2017-2019, Soner Tari <sonertari@gmail.com>.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are met:
.\" 1. Redistributions of source code must retain the above copyright notice,
.\" this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright notice,
.\" this list of conditions and the following disclaimer in the documentation
.\" and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS''
.\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
.\" LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.TH "sslproxy.conf" "5" "27 Mar 2019" "v0.6.0" "SSLproxy"
.SH "NAME"
.LP
\fBsslproxy.conf\fR \- Configuration file for SSLproxy
.SH "DESCRIPTION"
.LP
The file sslproxy.conf configures SSLproxy, sslproxy(1).
.SH "FILE FORMAT"
The file consists of comments and options with arguments. Each line which
starts with a hash (\fB#\fR) symbol is ignored by the parser. Options and
arguments are of the form \fBOption Argument\fR. The arguments are of the
following types:
.TP
\fBBOOL\fR
Boolean value (yes/no).
.TP
\fBSTRING\fR
String.
.TP
\fBNUMBER\fR
Unsigned integer.
.SH "DIRECTIVES"
.LP
When an option is not used (commented out with a hash or absent from the
configuration file), sslproxy takes a default action. If an option does not
have a command line equivalent, the -o opt=val command line option can be used
to override it.
.TP
\fBCACert STRING\fR
Use CA cert (and key) to sign forged certs. Equivalent to -c command line option.
.TP
\fBCAKey STRING\fR
Use CA key (and cert) to sign forged certs. Equivalent to -k command line option.
.TP
\fBClientCert STRING\fR
Use cert from pemfile when destination requests client certs. Equivalent to -a command line option.
.TP
\fBClientKey STRING\fR
Use key from pemfile when destination requests client certs. Equivalent to -b command line option.
.TP
\fBCAChain STRING\fR
Use CA chain from pemfile (intermediate and root CA certs). Equivalent to -C command line option.
.TP
\fBLeafCerts STRING\fR
Use key from pemfile for leaf certs. Equivalent to -K command line option.
.br
Default: generate
.TP
\fBCRL STRING\fR
Use URL as CRL distribution point for all forged certs. Equivalent to -q command line option.
.TP
\fBTargetCertDir STRING\fR
Use cert+chain+key PEM files from certdir to target all sites matching the common names (non-matching: generate if CA). Equivalent to -t command line option.
.TP
\fBWriteGenCertsDir STRING\fR
Write leaf key and only generated certificates to gendir. Equivalent to -w command line option.
.TP
\fBWriteAllCertsDir STRING\fR
Write leaf key and all certificates to gendir. Equivalent to -W command line option.
.TP
\fBDenyOCSP BOOL\fR
Deny all OCSP requests on all proxyspecs. Equivalent to -O command line option.
.TP
\fBPassthrough BOOL\fR
Passthrough SSL connections if they cannot be split because of client cert
auth or no matching cert and no CA. Equivalent to -P command line option.
.br
Default: drop
.TP
\fBPassSite STRING\fR
Passthrough site: site [(clientaddr|(user|*) [description keyword])]. If the
site matches SNI or common names in the SSL certificate, the connection is
passed through the proxy. Per site filters can be defined using client IP
addresses, users, and description keywords. '*' matches all users. User auth
should be enabled for user and description keyword filtering to work.
Case is ignored while matching description keywords. Multiple sites are
allowed, one on each line.
.TP
\fBDHGroupParams STRING\fR
Use DH group params from pemfile. Equivalent to -g command line option.
.br
Default: keyfiles or auto
.TP
\fBECDHCurve STRING\fR
Use ECDH named curve. Equivalent to -G command line option.
.br
Default: prime256v1
.TP
\fBSSLCompression BOOL\fR
Enable/disable SSL/TLS compression on all connections. Equivalent to -Z command line option.
.TP
\fBForceSSLProto STRING\fR
Force SSL/TLS protocol version only. Equivalent to -r command line option.
.br
Default: all
.TP
\fBDisableSSLProto STRING\fR
Disable SSL/TLS protocol version. Equivalent to -R command line option.
.br
Default: none
.TP
\fBCiphers STRING\fR
Use the given OpenSSL cipher suite spec. Equivalent to -s command line option.
.br
Default: ALL:-aNULL
.TP
\fBLeafKeyRSABits NUMBER\fR
Leaf key RSA keysize in bits, use 1024|2048|3072|4096.
.br
Default: 1024
.TP
\fBOpenSSLEngine STRING\fR
The OpenSSL engine to activate, either the ID or the full path to the shared
library implementing the engine. If an ID is given, the engine needs to be
known to the system-wide OpenSSL configuration. Only available if built
against a version of OpenSSL with engine support. Equivalent to -x command
line option.
.TP
\fBNATEngine STRING\fR
Specify default NAT engine to use. Equivalent to -e command line option.
.TP
\fBUser STRING\fR
Drop privileges to user. Equivalent to -u command line option.
.br
Default: nobody, if run as root
.TP
\fBGroup STRING\fR
Drop privileges to group. Equivalent to -m command line option.
.br
Default: Primary group of user
.TP
\fBChroot STRING\fR
chroot() to jaildir (impacts sni proxyspecs, see sslproxy(1)). Equivalent to -j command line option.
.TP
\fBPidFile STRING\fR
Write pid to file. Equivalent to -p command line option.
.TP
\fBConnectLog STRING\fR
Connect log: log one line summary per connection to logfile. Equivalent to -l command line option.
.TP
\fBContentLog STRING\fR
Content log: full data to file or named pipe (excludes ContentLogDir/ContentLogPathSpec). Equivalent to -L command line option.
.TP
\fBContentLogDir STRING\fR
Content log: full data to separate files in dir (excludes ContentLog/ContentLogPathSpec). Equivalent to -S command line option.
.TP
\fBContentLogPathSpec STRING\fR
Content log: full data to sep files with % subst (excludes ContentLog/ContentLogDir). Equivalent to -F command line option.
.TP
\fBLogProcInfo BOOL\fR
Look up local process owning each connection for logging. Equivalent to -i command line option.
.TP
\fBPcapLog STRING\fR
Pcap log: packets to pcapfile (excludes PcapLogDir/PcapLogPathSpec). Equivalent to -X command line option.
.TP
\fBPcapLogDir STRING\fR
Pcap log: packets to separate files in dir (excludes PcapLog/PcapLogPathSpec). Equivalent to -Y command line option.
.TP
\fBPcapLogPathSpec STRING\fR
Pcap log: packets to sep files with % subst (excludes PcapLog/PcapLogDir). Equivalent to -y command line option.
.TP
\fBMirrorIf STRING\fR
Mirror packets to interface. Equivalent to -I command line option.
.TP
\fBMirrorTarget STRING\fR
Mirror packets to target address (used with MirrorIf). Equivalent to -T command line option.
.TP
\fBMasterKeyLog STRING\fR
Log master keys to logfile in SSLKEYLOGFILE format. Equivalent to -M command line option.
.TP
\fBDaemon BOOL\fR
Daemon mode: run in background, log error messages to syslog. Equivalent to -d command line option.
.TP
\fBDebug BOOL\fR
Debug mode: run in foreground, log debug messages on stderr. Equivalent to -D command line option.
.TP
\fBDebugLevel NUMBER\fR
Verbose debug level, 2-4.
.TP
\fBConnIdleTimeout NUMBER\fR
Close connections after this many seconds of idle time.
.br
Default: 120
.TP
\fBExpiredConnCheckPeriod NUMBER\fR
Check for expired connections every this many seconds.
.br
Default: 10
.TP
\fBSSLShutdownRetryDelay NUMBER\fR
Retry to shut SSL connections down after this many microseconds. Increasing
this delay may avoid dirty shutdowns on slow connections, but increases
resource usage, such as file descriptors and memory.
.br
Default: 100
.TP
\fBLogStats BOOL\fR
Log statistics to syslog. Equivalent to -J command line option.
.br
Default: yes
.TP
\fBStatsPeriod NUMBER\fR
Log statistics every this many ExpiredConnCheckPeriod periods.
.br
Default: 1
.TP
\fBRemoveHTTPAcceptEncoding BOOL\fR
Remove HTTP header line for Accept-Encoding.
.br
Default: yes
.TP
\fBRemoveHTTPReferer BOOL\fR
Remove HTTP header line for Referer.
.br
Default: yes
.TP
\fBVerifyPeer BOOL\fR
Verify peer using default certificates.
.br
Default: yes
.TP
\fBAllowWrongHost BOOL\fR
When disabled, never add the SNI to forged certificates, even if the SNI
provided by the client does not match the server certificate's CN/SAN. Helps
pass the wrong.host test at https://badssl.com.
.br
Default: no
.TP
\fBUserAuth BOOL\fR
Require authentication for users to use SSLproxy.
.br
Default: no
.TP
\fBUserDBPath STRING\fR
Path to user db file.
.TP
\fBUserTimeout NUMBER\fR
Time users out after this many seconds of idle time.
.br
Default: 300
.TP
\fBUserAuthURL STRING\fR
Redirect URL for users to log in to the system.
.TP
\fBValidateProto BOOL\fR
Validate proxy spec protocols.
.br
Default: no
.TP
\fBMaxHTTPHeaderSize NUMBER\fR
Max HTTP header size in bytes for protocol validation.
.br
Default: 8192
.TP
\fBOpenFilesLimit NUMBER\fR
Set open files limit, use 50-10000.
.br
Default: System-wide limit
.TP
\fBProxySpec STRING\fR
Proxy specification: type listenaddr+port up:port ua:addr ra:addr. Multiple specs are allowed, one on each line.
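.LP
Added example, not part of the SSLproxy project or of this manual: the Python below parses a file in the format described under FILE FORMAT, checks each argument against the BOOL and NUMBER types of the directives above, and flags settings that weaken the TLS the proxy forges or accepts, using the defaults stated above. The sample configuration, its paths and the hard-coded option lists are constructed from this page.

```python
# Option argument types from the FILE FORMAT and DIRECTIVES sections; PassSite and ProxySpec may repeat.
BOOL_OPTS = {"DenyOCSP", "Passthrough", "SSLCompression", "LogProcInfo", "Daemon", "Debug", "LogStats",
             "RemoveHTTPAcceptEncoding", "RemoveHTTPReferer", "VerifyPeer", "AllowWrongHost", "UserAuth", "ValidateProto"}
NUMBER_OPTS = {"LeafKeyRSABits", "DebugLevel", "ConnIdleTimeout", "ExpiredConnCheckPeriod", "SSLShutdownRetryDelay",
               "StatsPeriod", "UserTimeout", "MaxHTTPHeaderSize", "OpenFilesLimit"}
MULTI_OPTS = {"PassSite", "ProxySpec"}

def parse_conf(text):
    # Returns (options, errors). Lines starting with '#' are ignored; repeatable options map to lists.
    opts, errors = {k: [] for k in MULTI_OPTS}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)                      # "Option Argument"
        opt, arg = parts[0], (parts[1] if len(parts) > 1 else "")
        if not arg:
            errors.append(f"line {lineno}: {opt} has no argument")
        elif opt in BOOL_OPTS and arg not in ("yes", "no"):
            errors.append(f"line {lineno}: {opt} expects yes/no, got {arg!r}")
        elif opt in NUMBER_OPTS and not arg.isdigit():
            errors.append(f"line {lineno}: {opt} expects an unsigned integer, got {arg!r}")
        elif opt in MULTI_OPTS:
            opts[opt].append(arg)
        else:
            opts[opt] = arg
    return opts, errors

def audit(opts):
    # Flag settings that weaken the TLS the proxy forges or accepts; defaults are those stated in the man page.
    findings = []
    if int(opts.get("LeafKeyRSABits", "1024")) < 2048:  # default 1024 is below current practice
        findings.append("LeafKeyRSABits: forged leaf keys are shorter than 2048 bits")
    if opts.get("SSLCompression") == "yes":
        findings.append("SSLCompression: TLS compression exposes plaintext to CRIME-style attacks")
    if opts.get("VerifyPeer", "yes") == "no":            # default yes
        findings.append("VerifyPeer: upstream server certificates are not verified")
    if "MasterKeyLog" in opts:
        findings.append("MasterKeyLog: session keys are written to a file; guard it like the CA key")
    return findings
# Constructed sample configuration (not taken from the SSLproxy project); paths are placeholders.
SAMPLE_CONF = """# CA used to sign forged certificates
CACert /etc/sslproxy/ca.crt
CAKey /etc/sslproxy/ca.key
SSLCompression yes
VerifyPeer no
PassSite example.com
ProxySpec https 127.0.0.1 8443 up:8080
DebugLevel high"""
```

Running parse_conf on SAMPLE_CONF reports the bad DebugLevel argument, and audit on the result reports the missing (and therefore 1024-bit) LeafKeyRSABits, the enabled compression and the disabled peer verification.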
.SH "FILES"
.LP
/etc/sslproxy/sslproxy.conf
.SH "AUTHOR"
.LP
The config file facility was added by Soner Tari <sonertari@gmail.com>.
.SH "SEE ALSO"
.LP
sslproxy(1)