SSLproxy/src/sslproxy.conf

# Sample configuration for sslproxy v0.9.2
#
# Use the -f command line option to start sslproxy with a config file.
# See sslproxy.conf(5) and sslproxy(1) for documentation.
#
# Note that the ordering of options, rules, and proxyspecs in configuration 
# files (and on the command line) is important. For example, rules and 
# proxyspecs can only make use of the options defined earlier.

# Use CA cert (and key) to sign forged certs.
# Equivalent to -c command line option.
CACert /etc/sslproxy/ca.crt

# Use CA key (and cert) to sign forged certs.
# Equivalent to -k command line option.
CAKey /etc/sslproxy/ca.key

# Use cert from pemfile when destination requests client certs.
# Equivalent to -a command line option.
#ClientCert /etc/sslproxy/client.crt

# Use key from pemfile when destination requests client certs.
# Equivalent to -b command line option.
#ClientKey /etc/sslproxy/client.key

# Use CA chain from pemfile (intermediate and root CA certs).
# Equivalent to -C command line option.
#CAChain /etc/sslproxy/chain.crt

# Use key from pemfile for leaf certs.
# Equivalent to -K command line option.
# (default: generate)
#LeafKey /etc/sslproxy/leaf.key

# Use URL as CRL distribution point for all forged certs.
# Equivalent to -q command line option.
#LeafCRLURL http://example.com/example.crl

# Use cert+chain+key PEM files from certdir to target all sites matching the
# common names (non-matching: generate if CA).
# Equivalent to -t command line option.
#LeafCertDir /etc/sslproxy/leaf.d

# Use cert+chain+key from PEM file instead of generating leaf keys on the fly.
# Equivalent to -A command line option.
#DefaultLeafCert /etc/sslproxy/leaf.pem

# Write leaf key and only generated certificates to gendir.
# Equivalent to -w command line option.
#WriteGenCertsDir /var/log/sslproxy

# Write leaf key and all certificates to gendir.
# Equivalent to -W command line option.
#WriteAllCertsDir /var/log/sslproxy

# Deny all OCSP requests on all proxyspecs.
# Equivalent to -O command line option.
#DenyOCSP yes

# Passthrough SSL connections if they cannot be split because of client cert 
# auth or no matching cert and no CA.
# Equivalent to -P command line option.
# (default: drop)
#Passthrough yes

# Use DH group params from pemfile.
# Equivalent to -g command line option.
# (default: keyfiles or auto)
#DHGroupParams /etc/sslproxy/dh.pem

# Use ECDH named curve.
# Equivalent to -G command line option.
# (default: prime256v1)
#ECDHCurve prime256v1

# Enable/disable SSL/TLS compression on all connections.
# Equivalent to -Z command line option.
#SSLCompression no

# Force SSL/TLS protocol version only.
# Equivalent to -r command line option.
# (default: all)
#ForceSSLProto tls12

# Disable SSL/TLS protocol version.
# Equivalent to -R command line option.
# (default: none)
#DisableSSLProto tls10

# Enable SSL/TLS protocol version.
# Equivalent to -B command line option.
# (default: all)
#EnableSSLProto tls10

# Min SSL/TLS protocol version.
# (default: tls10)
#MinSSLProto tls10

# Max SSL/TLS protocol version.
# (default: tls12 or tls13, depending on the version of SSL library)
#MaxSSLProto tls13

# Use the given OpenSSL ciphers spec.
# Equivalent to -s command line option.
# (default: ALL:-aNULL)
#Ciphers MEDIUM:HIGH

# Use the given OpenSSL ciphersuites spec.
# The ciphersuites spec is for TLS 1.3.
# Equivalent to -U command line option.
# (default: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256)
#CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

# Leaf key RSA keysize in bits, use 1024|2048|3072|4096.
# (default: 2048)
#LeafKeyRSABits 2048

# OpenSSL engine to activate, either ID or full path to shared library
# Equivalent to -x command line option
#OpenSSLEngine cloudhsm

# Specify default NAT engine to use.
# Equivalent to -e command line option.
#NATEngine netfilter

# Drop privileges to user.
# Equivalent to -u command line option.
# (default: nobody, if run as root)
#User _sslproxy

# Drop privileges to group.
# Equivalent to -m command line option.
# (default: primary group of user)
#Group _sslproxy

# chroot() to jaildir (impacts sni proxyspecs, see sslproxy(1)).
# Equivalent to -j command line option.
#Chroot /var/run/sslproxy

# Write pid to file.
# Equivalent to -p command line option.
# (default: no pid file)
PidFile /var/run/sslproxy.pid

# Connect log: log one line summary per connection to logfile.
# Equivalent to -l command line option.
#ConnectLog /var/log/sslproxy/connect.log

# Content log: full data to file or named pipe
# (excludes ContentLogDir/ContentLogPathSpec).
# Equivalent to -L command line option.
#ContentLog /var/log/sslproxy/content.log

# Content log: full data to separate files in dir
# (excludes ContentLog/ContentLogPathSpec).
# Equivalent to -S command line option.
#ContentLogDir /var/log/sslproxy/content

# Content log: full data to sep files with % subst
# (excludes ContentLog/ContentLogDir).
# Equivalent to -F command line option.
#ContentLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.log

# Look up local process owning each connection for logging.
# Equivalent to -i command line option.
#LogProcInfo yes

# Pcap log: packets to pcapfile (excludes PcapLogDir/PcapLogPathSpec).
# Equivalent to -X command line option.
#PcapLog /var/log/sslproxy/content.pcap

# Pcap log: packets to separate files in dir
# (excludes PcapLog/PcapLogPathSpec).
# Equivalent to -Y command line option.
#PcapLogDir /var/log/sslproxy/pcap

# Pcap log: packets to sep files with % subst (excludes PcapLog/PcapLogDir).
# Equivalent to -y command line option.
#PcapLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.pcap

# Mirror packets to interface.
# Equivalent to -I command line option.
#MirrorIf lo

# Mirror packets to target address (used with MirrorIf).
# Equivalent to -T command line option. Leave commented if the target is
# irrelevant (e.g. mirror to dummy device)
#MirrorTarget 192.0.2.1

# Log master keys to logfile in SSLKEYLOGFILE format.
# Equivalent to -M command line option.
#MasterKeyLog /var/log/sslproxy/masterkeys.log

# Daemon mode: run in background, log error messages to syslog.
# Equivalent to -d command line option.
Daemon yes

# Debug mode: run in foreground, log debug messages on stderr.
# Equivalent to -D command line option.
#Debug yes

# Verbose debug level
#DebugLevel 4

# Close connections after this many seconds of idle time
ConnIdleTimeout 120

# Check for expired connections every this many seconds
ExpiredConnCheckPeriod 10

# Log statistics to syslog
# Equivalent to -J command line option.
LogStats yes

# Log statistics every this many ExpiredConnCheckPeriod periods
StatsPeriod 1

# Remove HTTP header line for Accept-Encoding
RemoveHTTPAcceptEncoding no

# Remove HTTP header line for Referer
RemoveHTTPReferer yes

# Verify peer using default certificates
VerifyPeer yes

# When disabled, never add the SNI to forged certificates, even if the SNI
# provided by the client does not match the server certificate's CN/SAN.
# Helps pass the wrong.host test at https://badssl.com.
AllowWrongHost no

# Require authentication for users to use SSLproxy
#UserAuth no

# Path to user db file
#UserDBPath /var/db/users.db

# Time users out after this many seconds of idle time
#UserTimeout 300

# Redirect URL for users to log in to the system
#UserAuthURL https://192.168.0.1/userdblogin.php

# Comma separated list of users diverted by all proxyspecs
# Connections from these users are diverted to listening programs.
# Users not listed in DivertUsers or PassUsers are blocked.
# Max of 50 users can be listed.
DivertUsers utmfw

# Comma separated list of users passed through by all proxyspecs
# Connections from these users are simply passed through to their original destinations,
# not diverted to listening programs.
# Users not listed in DivertUsers or PassUsers are blocked.
# Max of 50 users can be listed.
PassUsers admin

# Validate proxy spec protocols
#ValidateProto no

# Max HTTP header size in bytes for protocol validation
#MaxHTTPHeaderSize 8192

# Set open files limit, use 50-10000
#OpenFilesLimit 1024

# Set divert or split mode of operation
# Not equivalent to the command line -n option.
# Applied to the proxyspecs defined after it, and structured proxyspecs can override it.
# Note that if the arg is not yes|no, this is assumed to be a Divert filter rule.
# (default: yes)
#Divert yes

# Passthrough sites
# The PassSite option is a special form of Pass filter rule
# PassSite rules can be written as Pass filter rules, see filter rule examples
# PassSite rules will be deprecated in favor of filter rules in the future
# site[*] [(clientaddr|user|*) [description desc]]
#PassSite example.com
#PassSite example.com 192.168.0.1
#PassSite example.com soner
#PassSite *.google.com * android
#PassSite .fbcdn.net* soner android

# Load configuration from an include file
# Recursive include files are not allowed. The Include option cannot be used in 
# include files.
#Include /etc/sslproxy/filterrules.conf
#Include /etc/sslproxy/proxyspecs.conf

# Define macro to be used in filtering rules. Macro names must start with a $ 
# char. The macro name must be followed by words separated with spaces.
# Recursive macro definitions are not allowed.
#Define $macro value1 value2

# One line filtering rules
#(Divert|Split|Pass|Block|Match)
# ([from (
#     user (username[*]|$macro|*) [desc (desc[*]|$macro|*)]|
#     desc (desc[*]|$macro|*)|
#     ip (clientip[*]|$macro|*)|
#     *)]
#  [to (
#     (sni (servername[*]|$macro|*)|
#      cn (commonname[*]|$macro|*)|
#      host (host[*]|$macro|*)|
#      uri (uri[*]|$macro|*)|
#      ip (serverip[*]|$macro|*)) [port (serverport[*]|$macro|*)]|
#     port (serverport[*]|$macro|*)|
#     *)]
#  [log ([[!]connect] [[!]master] [[!]cert]
#        [[!]content] [[!]pcap] [[!]mirror] [$macro]|[!]*)]
#  |*) [# comment]
#
# PassSite example.com is equivalent to the following two Pass rules:
# Pass to sni example.com
# Pass to cn example.com
#
#Divert from ip 192.168.0.1 to sni example.com
#Split from user soner to sni example.com log content
#Pass from user * desc android to sni *.google.com
#Block from user soner desc android to cn .fbcdn.net*

# Structured filtering rules
#FilterRule {
#    Action (Divert|Split|Pass|Block|Match)
#
#    # From
#    User (username[*]|$macro|*)  # inline
#    Desc (desc[*]|$macro|*)      # comments
#    SrcIp (clientip[*]|$macro|*) # allowed
#
#    # To
#    SNI (servername[*]|$macro|*)
#    CN (commonname[*]|$macro|*)
#    Host (host[*]|$macro|*)
#    URI (uri[*]|$macro|*)
#    DstIp (serverip[*]|$macro|*)
#    DstPort (serverport[*]|$macro|*)
#
#    # Multiple Log lines allowed
#    Log ([[!]connect] [[!]master] [[!]cert]
#         [[!]content] [[!]pcap] [[!]mirror] [$macro]|[!]*)
#
#    ReconnectSSL (yes|no)
#
#    # Connection options
#    DenyOCSP (yes|no)
#    Passthrough (yes|no)
#    CACert ca.crt
#    CAKey ca.key
#    ClientCert client.crt
#    ClientKey client.key
#    CAChain chain.crt
#    LeafCRLURL http://example.com/example.crl
#    DHGroupParams dh.pem
#    ECDHCurve prime256v1
#    SSLCompression (yes|no)
#    ForceSSLProto (ssl2|ssl3|tls10|tls11|tls12|tls13)
#    DisableSSLProto (ssl2|ssl3|tls10|tls11|tls12|tls13)
#    EnableSSLProto (ssl2|ssl3|tls10|tls11|tls12|tls13)
#    MinSSLProto (ssl2|ssl3|tls10|tls11|tls12|tls13)
#    MaxSSLProto (ssl2|ssl3|tls10|tls11|tls12|tls13)
#    Ciphers MEDIUM:HIGH
#    CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
#    RemoveHTTPAcceptEncoding (yes|no)
#    RemoveHTTPReferer (yes|no)
#    VerifyPeer (yes|no)
#    AllowWrongHost (yes|no)
#    UserAuth (yes|no)
#    UserTimeout 300
#    UserAuthURL https://192.168.0.1/userdblogin.php
#    ValidateProto (yes|no)
#    MaxHTTPHeaderSize 8192
#}

# One line proxy specifications
# type listenaddr+port up:utmport [ua:utmaddr ra:returnaddr]
#ProxySpec https 127.0.0.1 8443 up:8080 [ua:127.0.0.1 ra:127.0.0.1]
ProxySpec https 127.0.0.1 8443 up:8080
ProxySpec pop3s 127.0.0.1 8995 up:8110
ProxySpec smtps 127.0.0.1 8465 up:9199
# split mode
ProxySpec http 127.0.0.1 8081

# Structured proxy specifications
# Global config is cloned into all proxyspecs first
# Each proxyspec can override its cloned global config
ProxySpec {
	Proto https

	# Listen address
	Addr 127.0.0.1
	# Listen port
	Port 8444

	# Set divert or split mode for proxyspec
	#Divert yes

	# Divert address defaults to 127.0.0.1, if not specified
	# Equivalent to ua
	DivertAddr 127.0.0.1
	# Equivalent to up
	DivertPort 8080

	# Return address defaults to 127.0.0.1, if not specified
	# Equivalent to ra
	ReturnAddr 127.0.0.1

	# Specify nat, sni, or target config
	#NatEngine netfilter
	#SNIPort 443
	#TargetAddr 127.0.0.1
	#TargetPort 9443

	DenyOCSP yes
	Passthrough no

	# Proxyspec specific SSL/TLS config, overrides the cloned global config
	#CACert ca.crt
	#CAKey ca.key
	#ClientCert client.crt
	#ClientKey client.key
	#CAChain chain.crt
	#DHGroupParams dh.pem
	#ECDHCurve prime256v1
	#SSLCompression no
	#ForceSSLProto tls12
	#DisableSSLProto tls10
	#EnableSSLProto tls10
	#MinSSLProto tls10
	#MaxSSLProto tls13
	#Ciphers MEDIUM:HIGH
	#CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256

	RemoveHTTPAcceptEncoding no
	RemoveHTTPReferer yes
	VerifyPeer yes

	UserAuth yes
	UserTimeout 300
	UserAuthURL https://192.168.0.1/userdblogin.php
	# Comma separated list of users diverted by this proxyspec, overrides the cloned global list
	DivertUsers utmfw
	# Comma separated list of users passed through by this proxyspec, overrides the cloned global list
	PassUsers admin

	ValidateProto yes
	# Proxyspec specific passsites are appended to the cloned global passsites
	PassSite example2.com

	Define $admins soner admin
	Pass from user $admins desc android to cn .fbcdn.net*
	# Structured version of one line filtering rule above
	FilterRule {
	    Action Pass
		User $admins
		Desc android
		CN .fbcdn.net*
	}
}