SSLproxy/sslproxy.conf
Soner Tari 27650fab69 Support all command line options in the conf file as well
Update with the latest sslsplit-devel changes
2018-05-09 20:05:29 +03:00

128 lines
3.5 KiB
Plaintext

# This is the SSLproxy configuration file
# Use CA cert (and key) to sign forged certs
CACert /etc/sslproxy/ca.crt
# Use CA key (and cert) to sign forged certs
CAKey /etc/sslproxy/ca.key
# Use CA chain from pemfile (intermediate and root CA certs)
#CAChain /etc/sslproxy/chain.crt
# Use key from pemfile for leaf certs (default: generate)
#LeafCerts /etc/sslproxy/leaf.key
# Use URL as CRL distribution point for all forged certs
#CRL http://example.com
# Use cert+chain+key PEM files from certdir to target all sites
# matching the common names (non-matching: generate if CA)
#TargetCertDir /etc/sslproxy/target
# Write leaf key and only generated certificates to gendir
#WriteGenCertsDir /var/run/sslproxy
# Write leaf key and all certificates to gendir
#WriteAllCertsDir /var/run/sslproxy
# Deny all OCSP requests on all proxyspecs
#DenyOCSP yes
# Passthrough SSL connections if they cannot be split because of
# client cert auth or no matching cert and no CA (default: drop)
#Passthrough yes
# Use DH group params from pemfile (default: keyfiles or auto)
#DHGroupParams /etc/sslproxy/dh.pem
# Use ECDH named curve (default: prime256v1)
#ECDHCurve prime256v1
# Enable/disable SSL/TLS compression on all connections
#SSLCompression no
# Force SSL/TLS protocol version only (default: all)
#ForceSSLProto tls12
# Disable SSL/TLS protocol version (default: none)
#DisableSSLProto tls10
# Cipher specification for both server and client SSL/TLS connections
# (default: ALL:-aNULL)
Ciphers ALL:!RC4
# Specify default NAT engine to use
#NATEngine netfilter
# Drop privileges to user and group (default if run as root: nobody)
User _sslproxy
Group _sslproxy
# chroot() to jaildir (impacts sni proxyspecs, see manual page)
#Chroot /var/run/sslproxy
# Write pid to pidfile (default: no pid file)
PidFile /var/run/sslproxy.pid
# Connect log: log one line summary per connection to logfile
#ConnectLog /var/log/sslproxy/connect.log
# Content log: full data to file or named pipe (excludes -S/-F)
#ContentLog /var/log/sslproxy/content.log
# Content log: full data to separate files in dir (excludes -L/-F)
#ContentLogDir /var/log/sslproxy/content
# Content log: full data to sep files with %% subst (excl. -L/-S)
#ContentLogPathSpec /var/log/sslproxy/%%X/%%u-%%s-%%d-%%T.log
# Look up local process owning each connection for logging
#LogProcInfo yes
# Log master keys to logfile in SSLKEYLOGFILE format
#MasterKeyLog /var/log/sslproxy/masterkeys.log
# Daemon mode: run in background, log error messages to syslog
Daemon yes
# Debug mode: run in foreground, log debug messages on stderr
#Debug yes
# Verbose debug level
#DebugLevel 4
# Close connections after this many seconds of idle time
ConnIdleTimeout 120
# Check for expired connections every this many seconds
ExpiredConnCheckPeriod 10
# Retry to shut ssl conns down after this many micro seconds
# Increasing this delay may avoid dirty shutdowns on slow connections,
# but increases resource usage, such as file desriptors and memory
SSLShutdownRetryDelay 100
# Log statistics to syslog
LogStats yes
# Log statistics every this many ExpiredConnCheckPeriod periods
StatsPeriod 1
# Remove HTTP header line for Accept-Encoding
RemoveHTTPAcceptEncoding no
# Remove HTTP header line for Referer
RemoveHTTPReferer yes
# Verify peer using default certificates
VerifyPeer yes
# Allow wrong host names in certificates
AllowWrongHost no
# Proxy specifications
# type listenaddr+port up:utmport
ProxySpec https 127.0.0.1 8443 up:8080
ProxySpec pop3s 127.0.0.1 8995 up:8110
ProxySpec smtps 127.0.0.1 8465 up:9199