Update documentation

5 years ago · 3c124966e4
parent 091acf79ab
commit 3c124966e4
5 changed files with 114 additions and 30 deletions
--- a/README.md
+++ b/README.md
@ -174,17 +174,18 @@ Additionally, certificates, master secrets and local process information can be
 logged.

 As SSLproxy is based on SSLsplit, this is a modified SSLsplit README file.
-See the manual page sslproxy(1) for details on using SSLproxy and setting up
-the various NAT engines.
+See the manual pages sslproxy(1) and sslproxy.conf(5) for details on using 
+SSLproxy and setting up the various NAT engines.


 ## Requirements

-SSLproxy depends on the OpenSSL, libevent 2.x, libpcap and libnet 1.1.x
-libraries by default; libpcap and libnet are not needed if the mirroring
-feature is omitted.  The build depends on GNU make and a POSIX.2 environment in
-`PATH`.  If available, pkg-config is used to locate and configure the
-dependencies.  The optional unit tests depend on the check library.
+SSLproxy depends on the OpenSSL, libevent 2.x, libpcap, libnet 1.1.x, and 
+sqlite3 libraries by default; libpcap and libnet are not needed if the 
+mirroring feature is omitted.  The build depends on GNU make and a POSIX.2 
+environment in `PATH`.  If available, pkg-config is used to locate and 
+configure the dependencies.  The optional unit tests depend on the check 
+library.

 SSLproxy currently supports the following operating systems and NAT mechanisms:

@ -235,6 +236,7 @@ SSLsplit contains components licensed under the MIT and APSL licenses.
 See [`LICENSE`](LICENSE), [`LICENSE.contrib`](LICENSE.contrib) and
 [`LICENSE.third`](LICENSE.third) as well as the respective source file headers
 for details.
+
 The modifications for SSLproxy are licensed under the same terms as SSLsplit.


--- a/protoautossl.c
+++ b/protoautossl.c
@ -346,7 +346,7 @@ protoautossl_enable_conn_src_child(pxy_conn_child_ctx_t *ctx)
 		log_dbg_printf("Completing autossl upgrade\n");
 	}

-	// tcp src.bev is already created above
+	// tcp src.bev was already created before
 	int rv;
 	if ((rv = protossl_setup_src_ssl_from_child_dst(ctx)) != 0) {
 		return rv;
--- a/sslproxy.1
+++ b/sslproxy.1
@ -29,7 +29,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.TH "sslproxy" "1" "27 Mar 2019" "v0.6.0" "SSLproxy"
+.TH "sslproxy" "1" "22 Jul 2019" "v0.7.0" "SSLproxy"
 .SH NAME
 sslproxy \-\- transparent SSL/TLS proxy for decrypting and diverting network 
 traffic to other programs for deep SSL inspection
@ -83,7 +83,8 @@ The program that packets are diverted to should support this mode of operation.
 Specifically, it should be able to recognize the SSLproxy address in the first 
 packet, and give the first and subsequent packets back to SSLproxy listening on 
 that address, instead of sending them to the original destination as it 
-normally would.
+normally would. For an example, see the lp program under the extra folder in 
+the sources.
 .LP
 SSLproxy supports plain TCP, plain SSL, HTTP, HTTPS, POP3, POP3S, SMTP, and 
 SMTPS connections over both IPv4 and IPv6.  It also has the ability to 
@ -115,7 +116,7 @@ readable.
 .LP
 Another reason to disable persistent connections is to reduce file descriptor 
 usage. Accordingly, connections are closed if they remain idle for a certain 
-period of time. The default timeout is 120 seconds, which can be changed in a 
+period of time. The default timeout is 120 seconds, which can be changed in 
 configuration file.
 .LP
 SSLproxy verifies upstream certificates by default. If the verification fails, 
@ -479,11 +480,16 @@ limiting factor is CPU, not network bandwidth.
 The \fB-Z\fP option is only available if SSLproxy was built against a version
 of OpenSSL which supports disabling compression.
 .SH "PROXY SPECIFICATIONS"
-Proxy specifications (\fIproxyspecs\fP) consist of the connection type, listen
-address and program port. You can also specify program and return address,
-otherwise they default to the loopback address 127.0.0.1. The program and
-remote address options help you divert packets to remote locations. However,
-beware that the diverted traffic is always unencrypted:
+SSLproxy supports two types of proxy specifications: one line and structured. 
+The structured proxy specifications provide more configuration options, but 
+can only be defined in configuration files. See sslproxy.conf(5) and the 
+sample configuration file in the sources for details.
+.LP
+One line proxy specifications (\fIproxyspecs\fP) consist of the connection 
+type, listen address and program port. You can also specify program and return 
+addresses, otherwise they default to the loopback address 127.0.0.1. The 
+program and return address options help you divert packets to remote 
+locations. However, beware that the diverted traffic is always unencrypted:
 .LP
 .na
 \fBhttps\fP \fIlistenaddr port\fP \fIup:port\fP
--- a/sslproxy.conf
+++ b/sslproxy.conf
@ -1,4 +1,4 @@
-# Sample configuration for sslproxy v0.6.0
+# Sample configuration for sslproxy v0.7.0
 #
 # Use the -f command line option to start sslproxy with a config file.
 # See sslproxy.conf(5) and sslproxy(1) for documentation.
@ -235,13 +235,13 @@ AllowWrongHost no
 #PassSite *.google.com * android

 # One line proxy specifications
-# type listenaddr+port up:utmport ua:utmaddr ra:returnaddr
+# type listenaddr+port up:utmport [ua:utmaddr ra:returnaddr]
 #ProxySpec https 127.0.0.1 8443 up:8080 [ua:127.0.0.1 ra:127.0.0.1]
 ProxySpec https 127.0.0.1 8443 up:8080
 ProxySpec pop3s 127.0.0.1 8995 up:8110
 ProxySpec smtps 127.0.0.1 8465 up:9199

-# Struct proxy specifications
+# Structured proxy specifications
 # Global config is cloned into all proxyspecs first
 # Each proxyspec can override its cloned global config
 ProxySpec {
--- a/sslproxy.conf.5
+++ b/sslproxy.conf.5
@ -26,7 +26,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.TH "sslproxy.conf" "5" "27 Mar 2019" "v0.6.0" "SSLproxy"
+.TH "sslproxy.conf" "5" "22 Jul 2019" "v0.7.0" "SSLproxy"
 .SH "NAME"
 .LP 
 \fBsslproxy.conf\fR \- Configuration file for SSLproxy
@ -36,8 +36,13 @@ The file sslproxy.conf configures SSLproxy, sslproxy(1).
 .SH "FILE FORMAT"
 The file consists of comments and options with arguments. Each line which 
 starts with a hash (\fB#\fR) symbol is ignored by the parser. Options and 
-arguments are of the form \fBOption Argument\fR. The arguments are of the 
-following types:
+arguments are of the form \fBOption Argument\fR.
+.LP 
+Structured proxyspecs are defined between curly braces. The opening curly 
+brace should be on the same line as the ProxySpec keyword. The closing curly 
+brace and option-argument pairs should be on a line of their own.
+.LP 
+The arguments are of the following types:
 .TP
 \fBBOOL\fR 
 Boolean value (yes/no).
@ -50,8 +55,10 @@ Unsigned integer.
 .SH "DIRECTIVES"
 .LP 
 When an option is not used (hashed or doesn't exist in the configuration file) 
-sslproxy takes a default action. If an option does not have a command line 
-equivalent, -o opt=val option can be used to override it on the command line.
+sslproxy takes a default action. If an option is defined outside any 
+structured proxyspec, then it is used as a global default. If an option does 
+not have a command line equivalent, -o opt=val option can be used to override 
+it on the command line.
 .TP 
 \fBCACert STRING\fR
 Use CA cert (and key) to sign forged certs. Equivalent to -c command line option.
@ -137,11 +144,7 @@ Leaf key RSA keysize in bits, use 1024|2048|3072|4096.
 Default: 1024
 .TP 
 \fBOpenSSLEngine STRING\fR
-The OpenSSL engine to activate, either the ID or the full path to the shared
-library implementing the engine.  If an ID is given, the engine needs to be
-known to the system-wide OpenSSL configuration.  Only available if built
-against a version of OpenSSL with engine support.  Equivalent to -x command
-line option.
+The OpenSSL engine to activate.  Equivalent to -x command line option.
 .TP 
 \fBNATEngine STRING\fR
 Specify default NAT engine to use. Equivalent to -e command line option.
@ -285,7 +288,80 @@ Set open files limit, use 50-10000.
 Default: System-wide limit.
 .TP
 \fBProxySpec STRING\fR
-Proxy specification: type listenaddr+port up:port ua:addr ra:addr. Multiple specs are allowed, one on each line.
+One line proxy specification: type listenaddr+port up:port ua:addr ra:addr. 
+The other options of one line proxyspecs are set to the global defaults. 
+Multiple specs are allowed, one on each line.
+.TP
+\fBProxySpec {\fR
+.br
+Proto
+.br
+Addr
+.br
+Port
+.br
+DivertAddr
+.br
+DivertPort
+.br
+ReturnAddr
+.br
+NatEngine
+.br
+SNIPort
+.br
+TargetAddr
+.br
+TargetPort
+.br
+DenyOCSP
+.br
+Passthrough
+.br
+CACert
+.br
+CAKey
+.br
+ClientCert
+.br
+ClientKey
+.br
+CAChain
+.br
+DHGroupParams
+.br
+ECDHCurve
+.br
+SSLCompression
+.br
+ForceSSLProto
+.br
+DisableSSLProto
+.br
+Ciphers
+.br
+RemoveHTTPAcceptEncoding
+.br
+RemoveHTTPReferer
+.br
+VerifyPeer
+.br
+UserAuth
+.br
+UserTimeout
+.br
+UserAuthURL
+.br
+ValidateProto
+.br
+PassSite
+.br
+\fB}\fR
+.br
+Structured proxy specifications may consist of the options listed above. The 
+Proto, Addr, Port, and DivertPort options are mandatory, and equivalent to 
+type, listenaddr, port, and up options in one line proxyspecs, respectively. 
+If an option is not specified, the global default value is used.
 .SH "FILES"
 .LP 
 /etc/sslproxy/sslproxy.conf