Update documentation

pull/48/head
Soner Tari 5 years ago
parent 091acf79ab
commit 3c124966e4

@ -174,17 +174,18 @@ Additionally, certificates, master secrets and local process information can be
logged.
As SSLproxy is based on SSLsplit, this is a modified SSLsplit README file.
See the manual page sslproxy(1) for details on using SSLproxy and setting up
the various NAT engines.
See the manual pages sslproxy(1) and sslproxy.conf(5) for details on using
SSLproxy and setting up the various NAT engines.
## Requirements
SSLproxy depends on the OpenSSL, libevent 2.x, libpcap and libnet 1.1.x
libraries by default; libpcap and libnet are not needed if the mirroring
feature is omitted. The build depends on GNU make and a POSIX.2 environment in
`PATH`. If available, pkg-config is used to locate and configure the
dependencies. The optional unit tests depend on the check library.
SSLproxy depends on the OpenSSL, libevent 2.x, libpcap, libnet 1.1.x, and
sqlite3 libraries by default; libpcap and libnet are not needed if the
mirroring feature is omitted. The build depends on GNU make and a POSIX.2
environment in `PATH`. If available, pkg-config is used to locate and
configure the dependencies. The optional unit tests depend on the check
library.
SSLproxy currently supports the following operating systems and NAT mechanisms:
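Review bot: the rewritten Requirements paragraph adds sqlite3 to the default dependency list but, unlike libpcap and libnet, does not say which feature needs it or whether the build can omit it. Add a clause in the same pattern as the mirroring note ("sqlite3 is not needed if ... is omitted") or state plainly that it is always required, so packagers know whether the dependency is optional.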
@ -235,6 +236,7 @@ SSLsplit contains components licensed under the MIT and APSL licenses.
See [`LICENSE`](LICENSE), [`LICENSE.contrib`](LICENSE.contrib) and
[`LICENSE.third`](LICENSE.third) as well as the respective source file headers
for details.
The modifications for SSLproxy are licensed under the same terms as SSLsplit.

@ -346,7 +346,7 @@ protoautossl_enable_conn_src_child(pxy_conn_child_ctx_t *ctx)
log_dbg_printf("Completing autossl upgrade\n");
}
// tcp src.bev is already created above
// tcp src.bev was already created before
int rv;
if ((rv = protossl_setup_src_ssl_from_child_dst(ctx)) != 0) {
return rv;

@ -29,7 +29,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.TH "sslproxy" "1" "27 Mar 2019" "v0.6.0" "SSLproxy"
.TH "sslproxy" "1" "22 Jul 2019" "v0.7.0" "SSLproxy"
.SH NAME
sslproxy \-\- transparent SSL/TLS proxy for decrypting and diverting network
traffic to other programs for deep SSL inspection
@ -83,7 +83,8 @@ The program that packets are diverted to should support this mode of operation.
Specifically, it should be able to recognize the SSLproxy address in the first
packet, and give the first and subsequent packets back to SSLproxy listening on
that address, instead of sending them to the original destination as it
normally would.
normally would. For an example, see the lp program under the extra folder in
the sources.
.LP
SSLproxy supports plain TCP, plain SSL, HTTP, HTTPS, POP3, POP3S, SMTP, and
SMTPS connections over both IPv4 and IPv6. It also has the ability to
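Review bot: the new sentence "see the lp program under the extra folder in the sources" is the only pointer readers get to a working example of the divert protocol described above it. Set the program and folder names in the page's own font conventions (\fIlp\fP, \fIextra\fP) and say what lp demonstrates, namely recognizing the SSLproxy address in the first packet and handing packets back to the listening address instead of the original destination, so the reference can be followed without guessing.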
@ -115,7 +116,7 @@ readable.
.LP
Another reason to disable persistent connections is to reduce file descriptor
usage. Accordingly, connections are closed if they remain idle for a certain
period of time. The default timeout is 120 seconds, which can be changed in a
period of time. The default timeout is 120 seconds, which can be changed in
configuration file.
.LP
SSLproxy verifies upstream certificates by default. If the verification fails,
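Review bot: dropping the article turns "changed in a configuration file" into "changed in configuration file", which is ungrammatical; write "changed in the configuration file". Since this is the sslproxy(1) page, also name the sslproxy.conf(5) directive that sets the idle timeout so the reader knows which option to change.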
@ -479,11 +480,16 @@ limiting factor is CPU, not network bandwidth.
The \fB-Z\fP option is only available if SSLproxy was built against a version
of OpenSSL which supports disabling compression.
.SH "PROXY SPECIFICATIONS"
Proxy specifications (\fIproxyspecs\fP) consist of the connection type, listen
address and program port. You can also specify program and return address,
otherwise they default to the loopback address 127.0.0.1. The program and
remote address options help you divert packets to remote locations. However,
beware that the diverted traffic is always unencrypted:
SSLproxy supports two types of proxy specifications: one line and structured.
The structured proxy specifications provide more configuration options, but
can only be defined in configuration files. See sslproxy.conf(5) and the
sample configuration file in the sources for details.
.LP
One line proxy specifications (\fIproxyspecs\fP) consist of the connection
type, listen address and program port. You can also specify program and return
addresses, otherwise they default to the loopback address 127.0.0.1. The
program and return address options help you divert packets to remote
locations. However, beware that the diverted traffic is always unencrypted:
.LP
.na
\fBhttps\fP \fIlistenaddr port\fP \fIup:port\fP
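Review bot: "one line" used as an adjective should be hyphenated ("one-line proxy specifications") here and in the other new text for consistency with "structured proxy specifications". The retained warning that diverted traffic is always unencrypted would carry more weight if it stated the consequence of the new ua:/ra: wording: with non-loopback program or return addresses the decrypted traffic crosses the network in plaintext, so the 127.0.0.1 defaults should only be changed when the path to the diverted program is otherwise protected.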

@ -1,4 +1,4 @@
# Sample configuration for sslproxy v0.6.0
# Sample configuration for sslproxy v0.7.0
#
# Use the -f command line option to start sslproxy with a config file.
# See sslproxy.conf(5) and sslproxy(1) for documentation.
@ -235,13 +235,13 @@ AllowWrongHost no
#PassSite *.google.com * android
# One line proxy specifications
# type listenaddr+port up:utmport ua:utmaddr ra:returnaddr
# type listenaddr+port up:utmport [ua:utmaddr ra:returnaddr]
#ProxySpec https 127.0.0.1 8443 up:8080 [ua:127.0.0.1 ra:127.0.0.1]
ProxySpec https 127.0.0.1 8443 up:8080
ProxySpec pop3s 127.0.0.1 8995 up:8110
ProxySpec smtps 127.0.0.1 8465 up:9199
# Struct proxy specifications
# Structured proxy specifications
# Global config is cloned into all proxyspecs first
# Each proxyspec can override its cloned global config
ProxySpec {
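Review bot: the commented example "ProxySpec https 127.0.0.1 8443 up:8080 [ua:127.0.0.1 ra:127.0.0.1]" copies the square brackets that the syntax comment above it uses to mark ua:/ra: as optional; a user who uncomments it passes literal brackets to the parser. Drop the brackets from the example line and keep them only in the "# type listenaddr+port up:utmport [ua:utmaddr ra:returnaddr]" syntax line so the example is valid as written.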

@ -26,7 +26,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.TH "sslproxy.conf" "5" "27 Mar 2019" "v0.6.0" "SSLproxy"
.TH "sslproxy.conf" "5" "22 Jul 2019" "v0.7.0" "SSLproxy"
.SH "NAME"
.LP
\fBsslproxy.conf\fR \- Configuration file for SSLproxy
@ -36,8 +36,13 @@ The file sslproxy.conf configures SSLproxy, sslproxy(1).
.SH "FILE FORMAT"
The file consists of comments and options with arguments. Each line which
starts with a hash (\fB#\fR) symbol is ignored by the parser. Options and
arguments are of the form \fBOption Argument\fR. The arguments are of the
following types:
arguments are of the form \fBOption Argument\fR.
.LP
Structured proxyspecs are defined between curly braces. The opening curly
brace should be on the same line as the ProxySpec keyword. The closing curly
brace and option-argument pairs should be on a line of their own.
.LP
The arguments are of the following types:
.TP
\fBBOOL\fR
Boolean value (yes/no).
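Review bot: "should be on the same line" and "should be on a line of their own" leave it open whether the parser enforces this placement or merely recommends it. If the parser rejects other layouts, say "must" and note how the error is reported; also state whether lines starting with # are permitted inside a ProxySpec block, since the preceding sentence only covers comments in general.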
@ -50,8 +55,10 @@ Unsigned integer.
.SH "DIRECTIVES"
.LP
When an option is not used (hashed or doesn't exist in the configuration file)
sslproxy takes a default action. If an option does not have a command line
equivalent, -o opt=val option can be used to override it on the command line.
sslproxy takes a default action. If an option is defined outside any
structured proxyspec, then it is used as a global default. If an option does
not have a command line equivalent, -o opt=val option can be used to override
it on the command line.
.TP
\fBCACert STRING\fR
Use CA cert (and key) to sign forged certs. Equivalent to -c command line option.
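Review bot: the added sentence "If an option is defined outside any structured proxyspec, then it is used as a global default" does not address ordering. The sample configuration in this same change says the global config is cloned into all proxyspecs first, which implies a global option set after a ProxySpec block may not apply to that block; state whether global options must precede the structured blocks. Minor: set "-o opt=val" as \fB-o\fR for consistency with the other option references on this page.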
@ -137,11 +144,7 @@ Leaf key RSA keysize in bits, use 1024|2048|3072|4096.
Default: 1024
.TP
\fBOpenSSLEngine STRING\fR
The OpenSSL engine to activate, either the ID or the full path to the shared
library implementing the engine. If an ID is given, the engine needs to be
known to the system-wide OpenSSL configuration. Only available if built
against a version of OpenSSL with engine support. Equivalent to -x command
line option.
The OpenSSL engine to activate. Equivalent to -x command line option.
.TP
\fBNATEngine STRING\fR
Specify default NAT engine to use. Equivalent to -e command line option.
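Review bot: the rewrite collapses the OpenSSLEngine description to "The OpenSSL engine to activate", dropping that the argument may be an engine ID or a full path to the shared library, that an ID must be known to the system-wide OpenSSL configuration, and that the option is only available when built against OpenSSL with engine support. Those details decide whether the directive works at all; keep them here or at least refer the reader to the -x description in sslproxy(1).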
@ -285,7 +288,80 @@ Set open files limit, use 50-10000.
Default: System-wide limit.
.TP
\fBProxySpec STRING\fR
Proxy specification: type listenaddr+port up:port ua:addr ra:addr. Multiple specs are allowed, one on each line.
One line proxy specification: type listenaddr+port up:port ua:addr ra:addr.
The other options of one line proxyspecs are set to the global defaults.
Multiple specs are allowed, one on each line.
.TP
\fBProxySpec {\fR
.br
Proto
.br
Addr
.br
Port
.br
DivertAddr
.br
DivertPort
.br
ReturnAddr
.br
NatEngine
.br
SNIPort
.br
TargetAddr
.br
TargetPort
.br
DenyOCSP
.br
Passthrough
.br
CACert
.br
CAKey
.br
ClientCert
.br
ClientKey
.br
CAChain
.br
DHGroupParams
.br
ECDHCurve
.br
SSLCompression
.br
ForceSSLProto
.br
DisableSSLProto
.br
Ciphers
.br
RemoveHTTPAcceptEncoding
.br
RemoveHTTPReferer
.br
VerifyPeer
.br
UserAuth
.br
UserTimeout
.br
UserAuthURL
.br
ValidateProto
.br
PassSite
.br
\fB}\fR
.br
Structured proxy specifications may consist of the options listed above. The
Proto, Addr, Port, and DivertPort options are mandatory, and equivalent to
type, listenaddr, port, and up options in one line proxyspecs, respectively.
If an option is not specified, the global default value is used.
.SH "FILES"
.LP
/etc/sslproxy/sslproxy.conf
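Review bot: the structured-proxyspec option list spells NatEngine while the existing directive above is NATEngine; if the parser matches names case-insensitively say so, otherwise use one spelling. The one-line description "type listenaddr+port up:port ua:addr ra:addr" still shows ua: and ra: without the brackets the sample configuration uses to mark them optional; align the two. The list inside the braces gives names only: a sentence stating that each option takes the same argument type and meaning as the global directive of the same name, plus one line each for the options that have no global counterpart (DivertAddr, ReturnAddr, SNIPort, TargetAddr, TargetPort), would let readers map them without guessing.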
