# This is the SSLproxy configuration file # Use CA cert (and key) to sign forged certs CACert /etc/sslproxy/ca.crt # Use CA key (and cert) to sign forged certs CAKey /etc/sslproxy/ca.key # Use cert from pemfile when destination requests client certs #ClientCert /etc/sslproxy/client.crt # Use key from pemfile when destination requests client certs #ClientKey /etc/sslproxy/client.key # Use CA chain from pemfile (intermediate and root CA certs) #CAChain /etc/sslproxy/chain.crt # Use key from pemfile for leaf certs (default: generate) #LeafCerts /etc/sslproxy/leaf.key # Use URL as CRL distribution point for all forged certs #CRL http://example.com # Use cert+chain+key PEM files from certdir to target all sites # matching the common names (non-matching: generate if CA) #TargetCertDir /etc/sslproxy/target # Write leaf key and only generated certificates to gendir #WriteGenCertsDir /var/run/sslproxy # Write leaf key and all certificates to gendir #WriteAllCertsDir /var/run/sslproxy # Deny all OCSP requests on all proxyspecs #DenyOCSP yes # Passthrough SSL connections if they cannot be split because of # client cert auth or no matching cert and no CA (default: drop) #Passthrough yes # Use DH group params from pemfile (default: keyfiles or auto) #DHGroupParams /etc/sslproxy/dh.pem # Use ECDH named curve (default: prime256v1) #ECDHCurve prime256v1 # Enable/disable SSL/TLS compression on all connections #SSLCompression no # Force SSL/TLS protocol version only (default: all) #ForceSSLProto tls12 # Disable SSL/TLS protocol version (default: none) #DisableSSLProto tls10 # Use the given OpenSSL cipher suite spec (default: ALL:-aNULL) Ciphers ALL:!RC4 # OpenSSL engine to activate, either ID or full path to shared library #OpenSSLEngine cloudhsm # Specify default NAT engine to use #NATEngine netfilter # Drop privileges to user and group (default if run as root: nobody) User _sslproxy Group _sslproxy # chroot() to jaildir (impacts sni proxyspecs, see manual page) #Chroot /var/run/sslproxy # Write pid to pidfile (default: no pid file) PidFile /var/run/sslproxy.pid # Connect log: log one line summary per connection to logfile #ConnectLog /var/log/sslproxy/connect.log # Content log: full data to file or named pipe (excludes ContentLogDir/ContentLogPathSpec) #ContentLog /var/log/sslproxy/content.log # Content log: full data to separate files in dir (excludes ContentLog/ContentLogPathSpec) #ContentLogDir /var/log/sslproxy/content # Content log: full data to sep files with % subst (excludes ContentLog/ContentLogDir) #ContentLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.log # Look up local process owning each connection for logging #LogProcInfo yes # Log master keys to logfile in SSLKEYLOGFILE format #MasterKeyLog /var/log/sslproxy/masterkeys.log # Daemon mode: run in background, log error messages to syslog Daemon yes # Debug mode: run in foreground, log debug messages on stderr #Debug yes # Verbose debug level #DebugLevel 4 # Close connections after this many seconds of idle time ConnIdleTimeout 120 # Check for expired connections every this many seconds ExpiredConnCheckPeriod 10 # Retry to shut ssl conns down after this many micro seconds # Increasing this delay may avoid dirty shutdowns on slow connections, # but increases resource usage, such as file desriptors and memory SSLShutdownRetryDelay 100 # Log statistics to syslog LogStats yes # Log statistics every this many ExpiredConnCheckPeriod periods StatsPeriod 1 # Remove HTTP header line for Accept-Encoding RemoveHTTPAcceptEncoding no # Remove HTTP header line for Referer RemoveHTTPReferer yes # Verify peer using default certificates VerifyPeer yes # When disabled, never add the SNI to forged certificates, even if the SNI # provided by the client does not match the server certificate's CN/SAN. # Helps pass the wrong.host test at https://badssl.com. AllowWrongHost no # Proxy specifications # type listenaddr+port up:utmport ProxySpec https 127.0.0.1 8443 up:8080 ProxySpec pop3s 127.0.0.1 8995 up:8110 ProxySpec smtps 127.0.0.1 8465 up:9199