# Sample configuration for sslproxy v0.8.7 # # Use the -f command line option to start sslproxy with a config file. # See sslproxy.conf(5) and sslproxy(1) for documentation. # Use CA cert (and key) to sign forged certs. # Equivalent to -c command line option. CACert /etc/sslproxy/ca.crt # Use CA key (and cert) to sign forged certs. # Equivalent to -k command line option. CAKey /etc/sslproxy/ca.key # Use cert from pemfile when destination requests client certs. # Equivalent to -a command line option. #ClientCert /etc/sslproxy/client.crt # Use key from pemfile when destination requests client certs. # Equivalent to -b command line option. #ClientKey /etc/sslproxy/client.key # Use CA chain from pemfile (intermediate and root CA certs). # Equivalent to -C command line option. #CAChain /etc/sslproxy/chain.crt # Use key from pemfile for leaf certs. # Equivalent to -K command line option. # (default: generate) #LeafKey /etc/sslproxy/leaf.key # Use URL as CRL distribution point for all forged certs. # Equivalent to -q command line option. #LeafCRLURL http://example.com/example.crl # Use cert+chain+key PEM files from certdir to target all sites matching the # common names (non-matching: generate if CA). # Equivalent to -t command line option. #LeafCertDir /etc/sslproxy/leaf.d # Use cert+chain+key from PEM file instead of generating leaf keys on the fly. # Equivalent to -A command line option. #DefaultLeafCert /etc/sslproxy/leaf.pem # Write leaf key and only generated certificates to gendir. # Equivalent to -w command line option. #WriteGenCertsDir /var/log/sslproxy # Write leaf key and all certificates to gendir. # Equivalent to -W command line option. #WriteAllCertsDir /var/log/sslproxy # Deny all OCSP requests on all proxyspecs. # Equivalent to -O command line option. #DenyOCSP yes # Passthrough SSL connections if they cannot be split because of client cert # auth or no matching cert and no CA. # Equivalent to -P command line option. # (default: drop) #Passthrough yes # Use DH group params from pemfile. # Equivalent to -g command line option. # (default: keyfiles or auto) #DHGroupParams /etc/sslproxy/dh.pem # Use ECDH named curve. # Equivalent to -G command line option. # (default: prime256v1) #ECDHCurve prime256v1 # Enable/disable SSL/TLS compression on all connections. # Equivalent to -Z command line option. #SSLCompression no # Force SSL/TLS protocol version only. # Equivalent to -r command line option. # (default: all) #ForceSSLProto tls12 # Disable SSL/TLS protocol version. # Equivalent to -R command line option. # (default: none) #DisableSSLProto tls10 # Min SSL/TLS protocol version. # (default: tls10) #MinSSLProto tls10 # Max SSL/TLS protocol version. # (default: tls12 or tls13, depending on the version of SSL library) #MaxSSLProto tls13 # Use the given OpenSSL ciphers spec. # Equivalent to -s command line option. # (default: ALL:-aNULL) #Ciphers MEDIUM:HIGH # Use the given OpenSSL ciphersuites spec. # The ciphersuites spec is for TLS 1.3. # Equivalent to -U command line option. # (default: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256) #CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 # Leaf key RSA keysize in bits, use 1024|2048|3072|4096. # (default: 2048) #LeafKeyRSABits 2048 # OpenSSL engine to activate, either ID or full path to shared library # Equivalent to -x command line option #OpenSSLEngine cloudhsm # Specify default NAT engine to use. # Equivalent to -e command line option. #NATEngine netfilter # Drop privileges to user. # Equivalent to -u command line option. # (default: nobody, if run as root) #User _sslproxy # Drop privileges to group. # Equivalent to -m command line option. # (default: primary group of user) #Group _sslproxy # chroot() to jaildir (impacts sni proxyspecs, see sslproxy(1)). # Equivalent to -j command line option. #Chroot /var/run/sslproxy # Write pid to file. # Equivalent to -p command line option. # (default: no pid file) PidFile /var/run/sslproxy.pid # Connect log: log one line summary per connection to logfile. # Equivalent to -l command line option. #ConnectLog /var/log/sslproxy/connect.log # Content log: full data to file or named pipe # (excludes ContentLogDir/ContentLogPathSpec). # Equivalent to -L command line option. #ContentLog /var/log/sslproxy/content.log # Content log: full data to separate files in dir # (excludes ContentLog/ContentLogPathSpec). # Equivalent to -S command line option. #ContentLogDir /var/log/sslproxy/content # Content log: full data to sep files with % subst # (excludes ContentLog/ContentLogDir). # Equivalent to -F command line option. #ContentLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.log # Look up local process owning each connection for logging. # Equivalent to -i command line option. #LogProcInfo yes # Pcap log: packets to pcapfile (excludes PcapLogDir/PcapLogPathSpec). # Equivalent to -X command line option. #PcapLog /var/log/sslproxy/content.pcap # Pcap log: packets to separate files in dir # (excludes PcapLog/PcapLogPathSpec). # Equivalent to -Y command line option. #PcapLogDir /var/log/sslproxy/pcap # Pcap log: packets to sep files with % subst (excludes PcapLog/PcapLogDir). # Equivalent to -y command line option. #PcapLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.pcap # Mirror packets to interface. # Equivalent to -I command line option. #MirrorIf lo # Mirror packets to target address (used with MirrorIf). # Equivalent to -T command line option. Leave commented if the target is # irrelevant (e.g. mirror to dummy device) #MirrorTarget 192.0.2.1 # Log master keys to logfile in SSLKEYLOGFILE format. # Equivalent to -M command line option. #MasterKeyLog /var/log/sslproxy/masterkeys.log # Daemon mode: run in background, log error messages to syslog. # Equivalent to -d command line option. Daemon yes # Debug mode: run in foreground, log debug messages on stderr. # Equivalent to -D command line option. #Debug yes # Verbose debug level #DebugLevel 4 # Close connections after this many seconds of idle time ConnIdleTimeout 120 # Check for expired connections every this many seconds ExpiredConnCheckPeriod 10 # Log statistics to syslog # Equivalent to -J command line option. LogStats yes # Log statistics every this many ExpiredConnCheckPeriod periods StatsPeriod 1 # Remove HTTP header line for Accept-Encoding RemoveHTTPAcceptEncoding no # Remove HTTP header line for Referer RemoveHTTPReferer yes # Verify peer using default certificates VerifyPeer yes # When disabled, never add the SNI to forged certificates, even if the SNI # provided by the client does not match the server certificate's CN/SAN. # Helps pass the wrong.host test at https://badssl.com. AllowWrongHost no # Require authentication for users to use SSLproxy #UserAuth no # Path to user db file #UserDBPath /var/db/users.db # Time users out after this many seconds of idle time #UserTimeout 300 # Redirect URL for users to log in to the system #UserAuthURL https://192.168.0.1/userdblogin.php # Comma separated list of users diverted by all proxyspecs # Connections from these users are diverted to listening programs. # Users not listed in DivertUsers or PassUsers are blocked. # Max of 50 users can be listed. DivertUsers utmfw # Comma separated list of users passed through by all proxyspecs # Connections from these users are simply passed through to their original destinations, # not diverted to listening programs. # Users not listed in DivertUsers or PassUsers are blocked. # Max of 50 users can be listed. PassUsers admin # Validate proxy spec protocols #ValidateProto no # Max HTTP header size in bytes for protocol validation #MaxHTTPHeaderSize 8192 # Set open files limit, use 50-10000 #OpenFilesLimit 1024 # Set divert or split mode of operation # Not equivalent to the command line -n option. # Applied to the proxyspecs defined after it, and structured proxyspecs can override it. # Note that if the arg is not yes|no, this is assumed to be a Divert filter rule. # (default: yes) #Divert yes # Passthrough sites # The PassSite option is a special form of Pass filter rule # PassSite rules can be written as Pass filter rules, see filter rule examples # PassSite rules will be deprecated in favor of filter rules in the future # site[*] [(clientaddr|user|*) [description keyword]] #PassSite example.com #PassSite example.com 192.168.0.1 #PassSite example.com soner #PassSite *.google.com * android #PassSite .fbcdn.net* soner android # Filter rules # # (Divert|Split|Pass|Block) # ([from ( # user (username|*) [desc keyword]| # ip (clientaddr|*)| # *)] # [to ( # sni (servername[*]|*)| # cn (commonname[*]|*)| # host (host[*]|*)| # uri (uri[*]|*)| # ip (serveraddr|*)| # *)] # |*) # # Filter rules using host or uri can only take block action, # the other actions are ignored by issuing a warning. # PassSite example.com is equivalent to the following two Pass rules: # Pass to sni example.com # Pass to cn example.com # #Divert from ip 192.168.0.1 to sni example.com #Split from user soner to sni example.com #Pass from user * desc android to sni *.google.com #Block from user soner desc android to cn .fbcdn.net* # One line proxy specifications # type listenaddr+port up:utmport [ua:utmaddr ra:returnaddr] #ProxySpec https 127.0.0.1 8443 up:8080 [ua:127.0.0.1 ra:127.0.0.1] ProxySpec https 127.0.0.1 8443 up:8080 ProxySpec pop3s 127.0.0.1 8995 up:8110 ProxySpec smtps 127.0.0.1 8465 up:9199 # split mode ProxySpec http 127.0.0.1 8081 # Structured proxy specifications # Global config is cloned into all proxyspecs first # Each proxyspec can override its cloned global config ProxySpec { Proto https # Listen address Addr 127.0.0.1 # Listen port Port 8444 # Set divert or split mode for proxyspec #Divert yes # Divert address defaults to 127.0.0.1, if not specified # Equivalent to ua DivertAddr 127.0.0.1 # Equivalent to up DivertPort 8080 # Return address defaults to 127.0.0.1, if not specified # Equivalent to ra ReturnAddr 127.0.0.1 # Specify nat, sni, or target config #NatEngine netfilter #SNIPort 443 #TargetAddr 127.0.0.1 #TargetPort 9443 DenyOCSP yes Passthrough no # Proxyspec specific SSL/TLS config, overrides the cloned global config #CACert ca.crt #CAKey ca.key #ClientCert client.crt #ClientKey client.key #CAChain chain.crt #DHGroupParams dh.pem #ECDHCurve prime256v1 #SSLCompression no #ForceSSLProto tls12 #DisableSSLProto tls10 #MinSSLProto tls10 #MaxSSLProto tls13 #Ciphers MEDIUM:HIGH #CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256 RemoveHTTPAcceptEncoding no RemoveHTTPReferer yes VerifyPeer yes UserAuth yes UserTimeout 300 UserAuthURL https://192.168.0.1/userdblogin.php # Comma separated list of users diverted by this proxyspec, overrides the cloned global list DivertUsers utmfw # Comma separated list of users passed through by this proxyspec, overrides the cloned global list PassUsers admin ValidateProto yes # Proxyspec specific passsites are appended to the cloned global passsites PassSite example2.com }