mirror of
https://github.com/sonertari/SSLproxy
synced 2024-11-06 09:20:26 +00:00
138 lines
4.0 KiB
Plaintext
138 lines
4.0 KiB
Plaintext
# This is the SSLproxy configuration file
|
|
|
|
# Use CA cert (and key) to sign forged certs
|
|
CACert /etc/sslproxy/ca.crt
|
|
|
|
# Use CA key (and cert) to sign forged certs
|
|
CAKey /etc/sslproxy/ca.key
|
|
|
|
# Use cert from pemfile when destination requests client certs
|
|
#ClientCert /etc/sslproxy/client.crt
|
|
|
|
# Use key from pemfile when destination requests client certs
|
|
#ClientKey /etc/sslproxy/client.key
|
|
|
|
# Use CA chain from pemfile (intermediate and root CA certs)
|
|
#CAChain /etc/sslproxy/chain.crt
|
|
|
|
# Use key from pemfile for leaf certs (default: generate)
|
|
#LeafCerts /etc/sslproxy/leaf.key
|
|
|
|
# Use URL as CRL distribution point for all forged certs
|
|
#CRL http://example.com
|
|
|
|
# Use cert+chain+key PEM files from certdir to target all sites
|
|
# matching the common names (non-matching: generate if CA)
|
|
#TargetCertDir /etc/sslproxy/target
|
|
|
|
# Write leaf key and only generated certificates to gendir
|
|
#WriteGenCertsDir /var/run/sslproxy
|
|
|
|
# Write leaf key and all certificates to gendir
|
|
#WriteAllCertsDir /var/run/sslproxy
|
|
|
|
# Deny all OCSP requests on all proxyspecs
|
|
#DenyOCSP yes
|
|
|
|
# Passthrough SSL connections if they cannot be split because of
|
|
# client cert auth or no matching cert and no CA (default: drop)
|
|
#Passthrough yes
|
|
|
|
# Use DH group params from pemfile (default: keyfiles or auto)
|
|
#DHGroupParams /etc/sslproxy/dh.pem
|
|
|
|
# Use ECDH named curve (default: prime256v1)
|
|
#ECDHCurve prime256v1
|
|
|
|
# Enable/disable SSL/TLS compression on all connections
|
|
#SSLCompression no
|
|
|
|
# Force SSL/TLS protocol version only (default: all)
|
|
#ForceSSLProto tls12
|
|
|
|
# Disable SSL/TLS protocol version (default: none)
|
|
#DisableSSLProto tls10
|
|
|
|
# Use the given OpenSSL cipher suite spec (default: ALL:-aNULL)
|
|
Ciphers ALL:!RC4
|
|
|
|
# OpenSSL engine to activate, either ID or full path to shared library
|
|
#OpenSSLEngine cloudhsm
|
|
|
|
# Specify default NAT engine to use
|
|
#NATEngine netfilter
|
|
|
|
# Drop privileges to user and group (default if run as root: nobody)
|
|
User _sslproxy
|
|
Group _sslproxy
|
|
|
|
# chroot() to jaildir (impacts sni proxyspecs, see manual page)
|
|
#Chroot /var/run/sslproxy
|
|
|
|
# Write pid to pidfile (default: no pid file)
|
|
PidFile /var/run/sslproxy.pid
|
|
|
|
# Connect log: log one line summary per connection to logfile
|
|
#ConnectLog /var/log/sslproxy/connect.log
|
|
|
|
# Content log: full data to file or named pipe (excludes ContentLogDir/ContentLogPathSpec)
|
|
#ContentLog /var/log/sslproxy/content.log
|
|
|
|
# Content log: full data to separate files in dir (excludes ContentLog/ContentLogPathSpec)
|
|
#ContentLogDir /var/log/sslproxy/content
|
|
|
|
# Content log: full data to sep files with % subst (excludes ContentLog/ContentLogDir)
|
|
#ContentLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.log
|
|
|
|
# Look up local process owning each connection for logging
|
|
#LogProcInfo yes
|
|
|
|
# Log master keys to logfile in SSLKEYLOGFILE format
|
|
#MasterKeyLog /var/log/sslproxy/masterkeys.log
|
|
|
|
# Daemon mode: run in background, log error messages to syslog
|
|
Daemon yes
|
|
|
|
# Debug mode: run in foreground, log debug messages on stderr
|
|
#Debug yes
|
|
|
|
# Verbose debug level
|
|
#DebugLevel 4
|
|
|
|
# Close connections after this many seconds of idle time
|
|
ConnIdleTimeout 120
|
|
|
|
# Check for expired connections every this many seconds
|
|
ExpiredConnCheckPeriod 10
|
|
|
|
# Retry to shut ssl conns down after this many micro seconds
|
|
# Increasing this delay may avoid dirty shutdowns on slow connections,
|
|
# but increases resource usage, such as file desriptors and memory
|
|
SSLShutdownRetryDelay 100
|
|
|
|
# Log statistics to syslog
|
|
LogStats yes
|
|
|
|
# Log statistics every this many ExpiredConnCheckPeriod periods
|
|
StatsPeriod 1
|
|
|
|
# Remove HTTP header line for Accept-Encoding
|
|
RemoveHTTPAcceptEncoding no
|
|
|
|
# Remove HTTP header line for Referer
|
|
RemoveHTTPReferer yes
|
|
|
|
# Verify peer using default certificates
|
|
VerifyPeer yes
|
|
|
|
# When disabled, never add the SNI to forged certificates, even if the SNI
|
|
# provided by the client does not match the server certificate's CN/SAN.
|
|
# Helps pass the wrong.host test at https://badssl.com.
|
|
AllowWrongHost no
|
|
|
|
# Proxy specifications
|
|
# type listenaddr+port up:utmport
|
|
ProxySpec https 127.0.0.1 8443 up:8080
|
|
ProxySpec pop3s 127.0.0.1 8995 up:8110
|
|
ProxySpec smtps 127.0.0.1 8465 up:9199
|