Update documentation with user auth feature

README.md

@@ -1,6 +1,6 @@
 # SSLproxy - transparent SSL/TLS proxy for decrypting and diverting network traffic to other programs for deep SSL inspection [![Build Status](https://travis-ci.org/sonertari/SSLproxy.svg?branch=master)](https://travis-ci.org/sonertari/SSLproxy)
 
-Copyright (C) 2017-2018, [Soner Tari](http://comixwall.org).  
+Copyright (C) 2017-2019, [Soner Tari](http://comixwall.org).  
 https://github.com/sonertari/SSLproxy
 
 Copyright (C) 2009-2018, [Daniel Roethlisberger](//daniel.roe.ch/).  
@@ -123,6 +123,29 @@ split, SSLsplit accepts all certificates by default, including self-signed
 ones. See [The Risks of SSL Inspection](https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html)
 for the reasons of this difference.
 
+If enabled the UserAuth option requires network users to log in to the system 
+to use SSLproxy (this feature is currently available on OpenBSD only). When 
+users are logged in, they should be recorded on the users table in an SQLite3 
+database. The users table is created using the following SQL statement:
+
+	CREATE TABLE USERS(
+	   IP             CHAR(45)     PRIMARY KEY     NOT NULL,
+	   USER           CHAR(31)     NOT NULL,
+	   ETHER          CHAR(17)     NOT NULL,
+	   ATIME          INT          NOT NULL,
+	   DESC           CHAR(50)
+	);
+
+When SSLproxy accepts a connection, it obtains the ethernet address of the
+client IP address from the arp cache of the system, then compares it with
+the value in the users table. If the ethernet addresses do not match, the 
+connection is redirected to the login page. SSLproxy also compares the atime 
+value in the users table with the current system time. If the difference is 
+larger than the configured value of the user timeout option, then the 
+connection is redirected to the login page. The atime of the IP address in the 
+users table is updated with the system time while the connection is being 
+terminated.
+
 Logging options include traditional SSLproxy connect and content log files as
 well as PCAP files and mirroring decrypted traffic to a network interface.
 Additionally, certificates, master secrets and local process information can be

protohttp.c

@@ -544,7 +544,7 @@ protohttp_bev_readcb_src(struct bufferevent *bev, pxy_conn_ctx_t *ctx)
 	// @attention We cannot append the ssl proxy address at the end of the packet or in between the header and the content,
 	// because (1) the packet may be just the first fragment split somewhere not appropriate for appending a header,
 	// and (2) there may not be any content.
-	// And we are dealing pop3 and smtp also, not just http.
+	// And we are dealing with pop3 and smtp also, not just http.
 
 	/* request header munging */
 	if (!http_ctx->seen_req_header) {

prototcp.h

@@ -34,8 +34,8 @@
 
 void prototcp_fd_readcb(evutil_socket_t, short, void *);
 
-int prototcp_try_send_userauth_msg(struct bufferevent *, pxy_conn_ctx_t *) NONNULL(1);
-int prototcp_try_close_unauth_conn(struct bufferevent *, pxy_conn_ctx_t *) NONNULL(1);
+int prototcp_try_send_userauth_msg(struct bufferevent *, pxy_conn_ctx_t *) NONNULL(1,2);
+int prototcp_try_close_unauth_conn(struct bufferevent *, pxy_conn_ctx_t *) NONNULL(1,2);
 
 void prototcp_bev_writecb(struct bufferevent *, void *) NONNULL(1);
 

sslproxy.1

@@ -3,7 +3,7 @@
 .\" https://github.com/sonertari/SSLproxy
 .\"
 .\" Copyright (c) 2009-2018, Daniel Roethlisberger <daniel@roe.ch>.
-.\" Copyright (c) 2017-2018, Soner Tari <sonertari@gmail.com>.
+.\" Copyright (c) 2017-2019, Soner Tari <sonertari@gmail.com>.
 .\" All rights reserved.
 .\"
 .\" The modifications for SSLproxy are licensed under the same terms as
@@ -29,7 +29,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.TH "sslproxy" "1" "09 Dec 2018" "v0.5.9" "SSLproxy"
+.TH "sslproxy" "1" "06 Mar 2019" "v0.5.10" "SSLproxy"
 .SH NAME
 sslproxy \-\- transparent SSL/TLS proxy for decrypting and diverting network 
 traffic to other programs for deep SSL inspection
@@ -124,6 +124,29 @@ because in order to maximize the chances that a connection can be successfully
 split, SSLsplit accepts all certificates by default, including self-signed 
 ones.
 .LP
+If enabled the UserAuth option requires network users to log in to the system 
+to use SSLproxy (this feature is currently available on OpenBSD only). When 
+users are logged in, they should be recorded on the users table in an SQLite3 
+database. The users table is created using the following SQL statement:
+.LP
+CREATE TABLE USERS(
+   IP             CHAR(45)     PRIMARY KEY     NOT NULL,
+   USER           CHAR(31)     NOT NULL,
+   ETHER          CHAR(17)     NOT NULL,
+   ATIME          INT          NOT NULL,
+   DESC           CHAR(50)
+);
+.LP
+When SSLproxy accepts a connection, it obtains the ethernet address of the
+client IP address from the arp cache of the system, then compares it with
+the value in the users table. If the ethernet addresses do not match, the 
+connection is redirected to the login page. SSLproxy also compares the atime 
+value in the users table with the current system time. If the difference is 
+larger than the configured value of the user timeout option, then the 
+connection is redirected to the login page. The atime of the IP address in the 
+users table is updated with the system time while the connection is being 
+terminated.
+.LP
 Logging options include traditional SSLproxy connect and content log files as
 well as PCAP files and mirroring decrypted traffic to a network interface.
 Additionally, certificates, master secrets and local process information can be

sslproxy.conf.5

@@ -3,7 +3,7 @@
 .\" https://github.com/sonertari/SSLproxy
 .\"
 .\" Copyright (c) 2009-2018, Daniel Roethlisberger <daniel@roe.ch>.
-.\" Copyright (c) 2017-2018, Soner Tari <sonertari@gmail.com>.
+.\" Copyright (c) 2017-2019, Soner Tari <sonertari@gmail.com>.
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.TH "sslproxy.conf" "5" "09 Dec 2018" "v0.5.9" "SSLproxy"
+.TH "sslproxy.conf" "5" "06 Mar 2019" "v0.5.10" "SSLproxy"
 .SH "NAME"
 .LP 
 \fBsslproxy.conf\fR \- Configuration file for SSLproxy
@@ -237,7 +237,23 @@ provided by the client does not match the server certificate's CN/SAN. Helps
 pass the wrong.host test at https://badssl.com.
 .br
 Default: no
-.TP 
+.TP
+\fBUserAuth BOOL\fR
+Require authentication for users to use SSLproxy.
+.br
+Default: no
+.TP
+\fBUserDBPath STRING\fR
+Path to user db file.
+.TP
+\fBUserTimeout NUMBER\fR
+Time users out after this many seconds of idle time.
+.br 
+Default: 300.
+.TP
+\fBUserAuthURL STRING\fR
+Redirect URL for users to log in to the system.
+.TP
 \fBProxySpec STRING\fR
 Proxy specification: type listenaddr+port up:port ua:addr ra:addr. Multiple specs are allowed, one on each line.
 .SH "FILES"