SSLproxy/sslproxy.conf

# This is the SSLproxy configuration file

# Use CA cert (and key) to sign forged certs
CACert /etc/sslproxy/ca.crt

# Use CA key (and cert) to sign forged certs
CAKey /etc/sslproxy/ca.key

# Use cert from pemfile when destination requests client certs
#ClientCert /etc/sslproxy/client.crt

# Use key from pemfile when destination requests client certs
#ClientKey /etc/sslproxy/client.key

# Use CA chain from pemfile (intermediate and root CA certs)
#CAChain /etc/sslproxy/chain.crt

# Use key from pemfile for leaf certs (default: generate)
#LeafCerts /etc/sslproxy/leaf.key

# Use URL as CRL distribution point for all forged certs
#CRL http://example.com

# Use cert+chain+key PEM files from certdir to target all sites
# matching the common names (non-matching: generate if CA)
#TargetCertDir /etc/sslproxy/target

# Write leaf key and only generated certificates to gendir
#WriteGenCertsDir /var/run/sslproxy

# Write leaf key and all certificates to gendir
#WriteAllCertsDir /var/run/sslproxy

# Deny all OCSP requests on all proxyspecs
#DenyOCSP yes

# Passthrough SSL connections if they cannot be split because of
# client cert auth or no matching cert and no CA (default: drop)
#Passthrough yes

# Use DH group params from pemfile (default: keyfiles or auto)
#DHGroupParams /etc/sslproxy/dh.pem

# Use ECDH named curve (default: prime256v1)
#ECDHCurve prime256v1

# Enable/disable SSL/TLS compression on all connections
#SSLCompression no

# Force SSL/TLS protocol version only (default: all)
#ForceSSLProto tls12

# Disable SSL/TLS protocol version (default: none)
#DisableSSLProto tls10

# Use the given OpenSSL cipher suite spec (default: ALL:-aNULL)
Ciphers ALL:!RC4

# OpenSSL engine to activate, either ID or full path to shared library
#OpenSSLEngine cloudhsm

# Specify default NAT engine to use
#NATEngine netfilter

# Drop privileges to user and group (default if run as root: nobody)
User _sslproxy
Group _sslproxy

# chroot() to jaildir (impacts sni proxyspecs, see manual page)
#Chroot /var/run/sslproxy

# Write pid to pidfile (default: no pid file)
PidFile /var/run/sslproxy.pid

# Connect log: log one line summary per connection to logfile
#ConnectLog /var/log/sslproxy/connect.log

# Content log: full data to file or named pipe (excludes ContentLogDir/ContentLogPathSpec)
#ContentLog /var/log/sslproxy/content.log

# Content log: full data to separate files in dir (excludes ContentLog/ContentLogPathSpec)
#ContentLogDir /var/log/sslproxy/content

# Content log: full data to sep files with % subst (excludes ContentLog/ContentLogDir)
#ContentLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.log

# Look up local process owning each connection for logging
#LogProcInfo yes

# Log master keys to logfile in SSLKEYLOGFILE format
#MasterKeyLog /var/log/sslproxy/masterkeys.log

# Daemon mode: run in background, log error messages to syslog
Daemon yes

# Debug mode: run in foreground, log debug messages on stderr
#Debug yes

# Verbose debug level
#DebugLevel 4

# Close connections after this many seconds of idle time
ConnIdleTimeout 120

# Check for expired connections every this many seconds
ExpiredConnCheckPeriod 10

# Retry to shut ssl conns down after this many micro seconds
# Increasing this delay may avoid dirty shutdowns on slow connections,
# but increases resource usage, such as file desriptors and memory
SSLShutdownRetryDelay 100

# Log statistics to syslog
LogStats yes

# Log statistics every this many ExpiredConnCheckPeriod periods
StatsPeriod 1

# Remove HTTP header line for Accept-Encoding
RemoveHTTPAcceptEncoding no

# Remove HTTP header line for Referer
RemoveHTTPReferer yes

# Verify peer using default certificates
VerifyPeer yes

# When disabled, never add the SNI to forged certificates, even if the SNI
# provided by the client does not match the server certificate's CN/SAN.
# Helps pass the wrong.host test at https://badssl.com.
AllowWrongHost no

# Proxy specifications
# type listenaddr+port up:utmport
ProxySpec https 127.0.0.1 8443 up:8080
ProxySpec pop3s 127.0.0.1 8995 up:8110
ProxySpec smtps 127.0.0.1 8465 up:9199