SSLproxy/sslproxy.conf.5

.\"-
.\" SSLproxy - transparent SSL/TLS proxy for diverting packets to programs
.\" https://github.com/sonertari/SSLproxy
.\"
.\" Copyright (c) 2017-2018, Soner Tari <sonertari@gmail.com> 
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions are met:
.\" 1. Redistributions of source code must retain the above copyright notice,
.\"    this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright notice,
.\"    this list of conditions and the following disclaimer in the documentation
.\"    and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS''
.\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
.\" LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.TH "sslproxy.conf" "5" "Sep 15, 2018" "sslproxy 0.5.7" "SSLproxy"
.SH "NAME"
.LP 
\fBsslproxy.conf\fR \- Configuration file for SSLproxy
.SH "DESCRIPTION"
.LP 
The file sslproxy.conf configures SSLproxy, sslproxy(1).
.SH "FILE FORMAT"
The file consists of comments and options with arguments. Each line which starts with a hash (\fB#\fR) symbol is ignored by the parser. Options and arguments are of the form \fBOption Argument\fR. The arguments are of the following types:
.TP
\fBBOOL\fR 
Boolean value (yes/no).
.TP 
\fBSTRING\fR
String.
.TP 
\fBNUMBER\fR
Unsigned integer.
.SH "DIRECTIVES"
.LP 
When an option is not used (hashed or doesn't exist in the configuration file) sslproxy takes a default action.
.TP 
\fBCACert STRING\fR
Use CA cert (and key) to sign forged certs.
.TP
\fBCAKey STRING\fR
Use CA key (and cert) to sign forged certs.
.TP 
\fBClientCert STRING\fR
Use cert from pemfile when destination requests client certs.
.TP
\fBClientKey STRING\fR
Use key from pemfile when destination requests client certs.
.TP
\fBCAChain STRING\fR
Use CA chain from pemfile (intermediate and root CA certs).
.TP
\fBLeafCerts STRING\fR
Use key from pemfile for leaf certs.
.br
Default: generate
.TP
\fBCRL STRING\fR
Use URL as CRL distribution point for all forged certs.
.TP
\fBTargetCertDir STRING\fR
Use cert+chain+key PEM files from certdir to target all sites matching the common names (non-matching: generate if CA).
.TP
\fBWriteGenCertsDir STRING\fR
Write leaf key and only generated certificates to gendir.
.TP
\fBWriteAllCertsDir STRING\fR
Write leaf key and all certificates to gendir.
.TP
\fBDenyOCSP BOOL\fR
Deny all OCSP requests on all proxyspecs.
.TP
\fBPassthrough BOOL\fR
Passthrough SSL connections if they cannot be split because of client cert auth or no matching cert and no CA.
.br 
Default: drop
.TP
\fBDHGroupParams STRING\fR
Use DH group params from pemfile.
.br 
Default: keyfiles or auto
.TP
\fBECDHCurve STRING\fR
Use ECDH named curve.
.br 
Default: prime256v1
.TP
\fBSSLCompression BOOL\fR
Enable/disable SSL/TLS compression on all connections.
.TP
\fBForceSSLProto STRING\fR
Force SSL/TLS protocol version only.
.br 
Default: all
.TP
\fBDisableSSLProto STRING\fR
Disable SSL/TLS protocol version.
.br 
Default: none
.TP
\fBCiphers STRING\fR
Use the given OpenSSL cipher suite spec.
.br 
Default: ALL:-aNULL
.TP 
\fBOpenSSLEngine STRING\fR
The OpenSSL engine to activate, either the ID or the full path to the shared
library implementing the engine.  If an ID is given, the engine needs to be
known to the system-wide OpenSSL configuration.  Only available if built
against a version of OpenSSL with engine support.
.TP 
\fBNATEngine STRING\fR
Specify default NAT engine to use.
.TP 
\fBUser STRING\fR
Drop privileges to user.
.br 
Default: nobody, if run as root
.TP
\fBGroup STRING\fR
Drop privileges to group.
.br
Default: Primary group of user
.TP 
\fBChroot STRING\fR
chroot() to jaildir (impacts sni proxyspecs, see sslproxy(1)).
.TP 
\fBPidFile STRING\fR
Write pid to file.
.TP 
\fBConnectLog STRING\fR
Connect log: log one line summary per connection to logfile.
.TP 
\fBContentLog STRING\fR
Content log: full data to file or named pipe (excludes ContentLogDir/ContentLogPathSpec).
.TP 
\fBContentLogDir STRING\fR
Content log: full data to separate files in dir (excludes ContentLog/ContentLogPathSpec).
.TP 
\fBContentLogPathSpec STRING\fR
Content log: full data to sep files with % subst (excludes ContentLog/ContentLogDir).
.TP 
\fBLogProcInfo BOOL\fR
Look up local process owning each connection for logging.
.TP 
\fBMasterKeyLog STRING\fR
Log master keys to logfile in SSLKEYLOGFILE format.
.TP 
\fBDaemon BOOL\fR
Daemon mode: run in background, log error messages to syslog.
.TP 
\fBDebug BOOL\fR
Debug mode: run in foreground, log debug messages on stderr.
.TP 
\fBDebugLevel NUMBER\fR
Verbose debug level, 2-4.
.TP
\fBConnIdleTimeout NUMBER\fR
Close connections after this many seconds of idle time.
.br
Default: 120
.TP
\fBExpiredConnCheckPeriod NUMBER\fR
Check for expired connections every this many seconds.
.br 
Default: 10.
.TP 
\fBSSLShutdownRetryDelay NUMBER\fR
Retry to shut ssl conns down after this many micro seconds. Increasing this delay may avoid dirty shutdowns on slow connections, but increases resource usage, such as file desriptors and memory.
.br 
Default: 100
.TP
\fBLogStats BOOL\fR
Log statistics to syslog.
.br
Default: yes
.TP 
\fBStatsPeriod NUMBER\fR
Log statistics every this many ExpiredConnCheckPeriod periods.
.br 
Default: 1
.TP
\fBRemoveHTTPAcceptEncoding BOOL\fR
Remove HTTP header line for Accept-Encoding.
.br
Default: yes
.TP
\fBRemoveHTTPReferer BOOL\fR
Remove HTTP header line for Referer.
.br
Default: yes
.TP
\fBVerifyPeer BOOL\fR
Verify peer using default certificates.
.br
Default: yes
.TP
\fBAllowWrongHost BOOL\fR
When disabled, never add the SNI to forged certificates, even if the SNI provided by the client does not match the server certificate's CN/SAN. Helps pass the wrong.host test at https://badssl.com.
.br
Default: no
.TP 
\fBProxySpec STRING\fR
Proxy specification: type listenaddr+port up:utmport. Multiple specs are allowed, one on each line.
.SH "FILES"
.LP 
/etc/sslproxy/sslproxy.conf
.SH "AUTHOR"
.LP 
Soner Tari <sonertari@gmail.com>
.SH "SEE ALSO"
.LP 
sslproxy(1)
Merge sslsplit-develop changes 2018-09-14 23:51:26 +00:00			`.\"-`
Update man pages 2017-08-24 20:27:50 +00:00			`.\" SSLproxy - transparent SSL/TLS proxy for diverting packets to programs`
Merge sslsplit-develop changes 2018-09-14 23:51:26 +00:00			`.\" https://github.com/sonertari/SSLproxy`
			`.\"`
Update man pages to 0.5.4 2018-02-09 17:25:30 +00:00			`.\" Copyright (c) 2017-2018, Soner Tari <sonertari@gmail.com>`
Update man pages 2017-08-24 20:27:50 +00:00			`.\" All rights reserved.`
			`.\"`
			`.\" Redistribution and use in source and binary forms, with or without`
Merge sslsplit-develop changes 2018-09-14 23:51:26 +00:00			`.\" modification, are permitted provided that the following conditions are met:`
			`.\" 1. Redistributions of source code must retain the above copyright notice,`
			`.\" this list of conditions and the following disclaimer.`
			`.\" 2. Redistributions in binary form must reproduce the above copyright notice,`
			`.\" this list of conditions and the following disclaimer in the documentation`
			`.\" and/or other materials provided with the distribution.`
Update man pages 2017-08-24 20:27:50 +00:00			`.\"`
Merge sslsplit-develop changes 2018-09-14 23:51:26 +00:00			.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS''
			`.\" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE`
			`.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE`
			`.\" ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE`
			`.\" LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR`
			`.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF`
			`.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS`
			`.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN`
			`.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)`
			`.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE`
			`.\" POSSIBILITY OF SUCH DAMAGE.`
			`.TH "sslproxy.conf" "5" "Sep 15, 2018" "sslproxy 0.5.7" "SSLproxy"`
Add sslproxy.conf man page and example sslproxy.conf, and related make changes 2017-08-24 13:16:45 +00:00			`.SH "NAME"`
			`.LP`
			`\fBsslproxy.conf\fR \- Configuration file for SSLproxy`
			`.SH "DESCRIPTION"`
			`.LP`
			`The file sslproxy.conf configures SSLproxy, sslproxy(1).`
			`.SH "FILE FORMAT"`
			`The file consists of comments and options with arguments. Each line which starts with a hash (\fB#\fR) symbol is ignored by the parser. Options and arguments are of the form \fBOption Argument\fR. The arguments are of the following types:`
			`.TP`
			`\fBBOOL\fR`
			`Boolean value (yes/no).`
			`.TP`
			`\fBSTRING\fR`
			`String.`
			`.TP`
			`\fBNUMBER\fR`
			`Unsigned integer.`
			`.SH "DIRECTIVES"`
			`.LP`
			`When an option is not used (hashed or doesn't exist in the configuration file) sslproxy takes a default action.`
			`.TP`
			`\fBCACert STRING\fR`
			`Use CA cert (and key) to sign forged certs.`
			`.TP`
			`\fBCAKey STRING\fR`
			`Use CA key (and cert) to sign forged certs.`
Merge sslsplit develop changes 2018-08-04 12:20:50 +00:00			`.TP`
			`\fBClientCert STRING\fR`
			`Use cert from pemfile when destination requests client certs.`
			`.TP`
			`\fBClientKey STRING\fR`
			`Use key from pemfile when destination requests client certs.`
Add sslproxy.conf man page and example sslproxy.conf, and related make changes 2017-08-24 13:16:45 +00:00			`.TP`
Support all command line options in the conf file as well Update with the latest sslsplit-devel changes 2018-05-09 17:05:29 +00:00			`\fBCAChain STRING\fR`
			`Use CA chain from pemfile (intermediate and root CA certs).`
			`.TP`
			`\fBLeafCerts STRING\fR`
			`Use key from pemfile for leaf certs.`
			`.br`
			`Default: generate`
			`.TP`
			`\fBCRL STRING\fR`
			`Use URL as CRL distribution point for all forged certs.`
			`.TP`
			`\fBTargetCertDir STRING\fR`
			`Use cert+chain+key PEM files from certdir to target all sites matching the common names (non-matching: generate if CA).`
			`.TP`
			`\fBWriteGenCertsDir STRING\fR`
			`Write leaf key and only generated certificates to gendir.`
			`.TP`
			`\fBWriteAllCertsDir STRING\fR`
			`Write leaf key and all certificates to gendir.`
			`.TP`
			`\fBDenyOCSP BOOL\fR`
			`Deny all OCSP requests on all proxyspecs.`
			`.TP`
			`\fBPassthrough BOOL\fR`
			`Passthrough SSL connections if they cannot be split because of client cert auth or no matching cert and no CA.`
			`.br`
			`Default: drop`
			`.TP`
			`\fBDHGroupParams STRING\fR`
			`Use DH group params from pemfile.`
			`.br`
			`Default: keyfiles or auto`
			`.TP`
			`\fBECDHCurve STRING\fR`
			`Use ECDH named curve.`
			`.br`
			`Default: prime256v1`
			`.TP`
			`\fBSSLCompression BOOL\fR`
			`Enable/disable SSL/TLS compression on all connections.`
			`.TP`
			`\fBForceSSLProto STRING\fR`
			`Force SSL/TLS protocol version only.`
			`.br`
			`Default: all`
			`.TP`
			`\fBDisableSSLProto STRING\fR`
			`Disable SSL/TLS protocol version.`
			`.br`
			`Default: none`
			`.TP`
			`\fBCiphers STRING\fR`
Merge sslsplit-develop changes 2018-09-14 23:51:26 +00:00			`Use the given OpenSSL cipher suite spec.`
Support all command line options in the conf file as well Update with the latest sslsplit-devel changes 2018-05-09 17:05:29 +00:00			`.br`
			`Default: ALL:-aNULL`
			`.TP`
Merge sslsplit-develop changes 2018-09-14 23:51:26 +00:00			`\fBOpenSSLEngine STRING\fR`
			`The OpenSSL engine to activate, either the ID or the full path to the shared`
			`library implementing the engine. If an ID is given, the engine needs to be`
			`known to the system-wide OpenSSL configuration. Only available if built`
			`against a version of OpenSSL with engine support.`
			`.TP`
Support all command line options in the conf file as well Update with the latest sslsplit-devel changes 2018-05-09 17:05:29 +00:00			`\fBNATEngine STRING\fR`
			`Specify default NAT engine to use.`
			`.TP`
			`\fBUser STRING\fR`
			`Drop privileges to user.`
			`.br`
			`Default: nobody, if run as root`
			`.TP`
			`\fBGroup STRING\fR`
			`Drop privileges to group.`
			`.br`
			`Default: Primary group of user`
			`.TP`
			`\fBChroot STRING\fR`
			`chroot() to jaildir (impacts sni proxyspecs, see sslproxy(1)).`
			`.TP`
			`\fBPidFile STRING\fR`
			`Write pid to file.`
			`.TP`
			`\fBConnectLog STRING\fR`
			`Connect log: log one line summary per connection to logfile.`
			`.TP`
			`\fBContentLog STRING\fR`
			`Content log: full data to file or named pipe (excludes ContentLogDir/ContentLogPathSpec).`
			`.TP`
			`\fBContentLogDir STRING\fR`
			`Content log: full data to separate files in dir (excludes ContentLog/ContentLogPathSpec).`
			`.TP`
			`\fBContentLogPathSpec STRING\fR`
Merge sslsplit-develop changes 2018-09-14 23:51:26 +00:00			`Content log: full data to sep files with % subst (excludes ContentLog/ContentLogDir).`
Support all command line options in the conf file as well Update with the latest sslsplit-devel changes 2018-05-09 17:05:29 +00:00			`.TP`
			`\fBLogProcInfo BOOL\fR`
			`Look up local process owning each connection for logging.`
			`.TP`
			`\fBMasterKeyLog STRING\fR`
			`Log master keys to logfile in SSLKEYLOGFILE format.`
			`.TP`
			`\fBDaemon BOOL\fR`
			`Daemon mode: run in background, log error messages to syslog.`
			`.TP`
			`\fBDebug BOOL\fR`
			`Debug mode: run in foreground, log debug messages on stderr.`
			`.TP`
			`\fBDebugLevel NUMBER\fR`
			`Verbose debug level, 2-4.`
			`.TP`
Add sslproxy.conf man page and example sslproxy.conf, and related make changes 2017-08-24 13:16:45 +00:00			`\fBConnIdleTimeout NUMBER\fR`
			`Close connections after this many seconds of idle time.`
			`.br`
			`Default: 120`
			`.TP`
			`\fBExpiredConnCheckPeriod NUMBER\fR`
			`Check for expired connections every this many seconds.`
			`.br`
			`Default: 10.`
			`.TP`
			`\fBSSLShutdownRetryDelay NUMBER\fR`
			`Retry to shut ssl conns down after this many micro seconds. Increasing this delay may avoid dirty shutdowns on slow connections, but increases resource usage, such as file desriptors and memory.`
			`.br`
			`Default: 100`
			`.TP`
			`\fBLogStats BOOL\fR`
			`Log statistics to syslog.`
			`.br`
			`Default: yes`
			`.TP`
			`\fBStatsPeriod NUMBER\fR`
			`Log statistics every this many ExpiredConnCheckPeriod periods.`
			`.br`
			`Default: 1`
			`.TP`
			`\fBRemoveHTTPAcceptEncoding BOOL\fR`
			`Remove HTTP header line for Accept-Encoding.`
			`.br`
			`Default: yes`
Add RemoveHTTPReferer option, Referer causes redirection errors with some sites 2017-09-03 20:11:20 +00:00			`.TP`
			`\fBRemoveHTTPReferer BOOL\fR`
			`Remove HTTP header line for Referer.`
			`.br`
			`Default: yes`
Update with SSLsplit 0.5.1 changes, fix LibreSSL version issues Add VerifyPeer and AllowWrongHost options 2018-01-18 00:18:53 +00:00			`.TP`
			`\fBVerifyPeer BOOL\fR`
			`Verify peer using default certificates.`
			`.br`
			`Default: yes`
			`.TP`
			`\fBAllowWrongHost BOOL\fR`
Merge sslsplit-develop changes 2018-09-14 23:51:26 +00:00			`When disabled, never add the SNI to forged certificates, even if the SNI provided by the client does not match the server certificate's CN/SAN. Helps pass the wrong.host test at https://badssl.com.`
Update with SSLsplit 0.5.1 changes, fix LibreSSL version issues Add VerifyPeer and AllowWrongHost options 2018-01-18 00:18:53 +00:00			`.br`
			`Default: no`
Add sslproxy.conf man page and example sslproxy.conf, and related make changes 2017-08-24 13:16:45 +00:00			`.TP`
			`\fBProxySpec STRING\fR`
			`Proxy specification: type listenaddr+port up:utmport. Multiple specs are allowed, one on each line.`
			`.SH "FILES"`
			`.LP`
			`/etc/sslproxy/sslproxy.conf`
			`.SH "AUTHOR"`
			`.LP`
			`Soner Tari <sonertari@gmail.com>`
			`.SH "SEE ALSO"`
			`.LP`
			`sslproxy(1)`