SSLproxy/sslproxy.conf
Soner Tari 231806ea75 Add MinSSLProto/MaxSSLProto options
Fix memout handling
2019-07-30 21:46:18 +03:00

307 lines
8.4 KiB
Plaintext

# Sample configuration for sslproxy v0.7.0
#
# Use the -f command line option to start sslproxy with a config file.
# See sslproxy.conf(5) and sslproxy(1) for documentation.
# Use CA cert (and key) to sign forged certs.
# Equivalent to -c command line option.
CACert /etc/sslproxy/ca.crt
# Use CA key (and cert) to sign forged certs.
# Equivalent to -k command line option.
CAKey /etc/sslproxy/ca.key
# Use cert from pemfile when destination requests client certs.
# Equivalent to -a command line option.
#ClientCert /etc/sslproxy/client.crt
# Use key from pemfile when destination requests client certs.
# Equivalent to -b command line option.
#ClientKey /etc/sslproxy/client.key
# Use CA chain from pemfile (intermediate and root CA certs).
# Equivalent to -C command line option.
#CAChain /etc/sslproxy/chain.crt
# Use key from pemfile for leaf certs.
# Equivalent to -K command line option.
# (default: generate)
#LeafCerts /etc/sslproxy/leaf.key
# Use URL as CRL distribution point for all forged certs.
# Equivalent to -q command line option.
#CRL http://example.com/example.crl
# Use cert+chain+key PEM files from certdir to target all sites matching the
# common names (non-matching: generate if CA).
# Equivalent to -t command line option.
#TargetCertDir /etc/sslproxy/target
# Write leaf key and only generated certificates to gendir.
# Equivalent to -w command line option.
#WriteGenCertsDir /var/log/sslproxy
# Write leaf key and all certificates to gendir.
# Equivalent to -W command line option.
#WriteAllCertsDir /var/log/sslproxy
# Deny all OCSP requests on all proxyspecs.
# Equivalent to -O command line option.
#DenyOCSP yes
# Passthrough SSL connections if they cannot be split because of client cert
# auth or no matching cert and no CA.
# Equivalent to -P command line option.
# (default: drop)
#Passthrough yes
# Use DH group params from pemfile.
# Equivalent to -g command line option.
# (default: keyfiles or auto)
#DHGroupParams /etc/sslproxy/dh.pem
# Use ECDH named curve.
# Equivalent to -G command line option.
# (default: prime256v1)
#ECDHCurve prime256v1
# Enable/disable SSL/TLS compression on all connections.
# Equivalent to -Z command line option.
#SSLCompression no
# Force SSL/TLS protocol version only.
# Equivalent to -r command line option.
# (default: all)
#ForceSSLProto tls12
# Disable SSL/TLS protocol version.
# Equivalent to -R command line option.
# (default: none)
#DisableSSLProto tls10
# Min SSL/TLS protocol version.
# (default: tls10)
#MinSSLProto tls10
# Max SSL/TLS protocol version.
# (default: tls12)
#MaxSSLProto tls12
# Use the given OpenSSL cipher suite spec.
# Equivalent to -s command line option.
# (default: ALL:-aNULL)
#Ciphers MEDIUM:HIGH
# Leaf key RSA keysize in bits, use 1024|2048|3072|4096.
# (default: 1024)
#LeafKeyRSABits 1024
# OpenSSL engine to activate, either ID or full path to shared library
# Equivalent to -x command line option
#OpenSSLEngine cloudhsm
# Specify default NAT engine to use.
# Equivalent to -e command line option.
#NATEngine netfilter
# Drop privileges to user.
# Equivalent to -u command line option.
# (default: nobody, if run as root)
#User _sslproxy
# Drop privileges to group.
# Equivalent to -m command line option.
# (default: primary group of user)
#Group _sslproxy
# chroot() to jaildir (impacts sni proxyspecs, see sslproxy(1)).
# Equivalent to -j command line option.
#Chroot /var/run/sslproxy
# Write pid to file.
# Equivalent to -p command line option.
# (default: no pid file)
PidFile /var/run/sslproxy.pid
# Connect log: log one line summary per connection to logfile.
# Equivalent to -l command line option.
#ConnectLog /var/log/sslproxy/connect.log
# Content log: full data to file or named pipe
# (excludes ContentLogDir/ContentLogPathSpec).
# Equivalent to -L command line option.
#ContentLog /var/log/sslproxy/content.log
# Content log: full data to separate files in dir
# (excludes ContentLog/ContentLogPathSpec).
# Equivalent to -S command line option.
#ContentLogDir /var/log/sslproxy/content
# Content log: full data to sep files with % subst
# (excludes ContentLog/ContentLogDir).
# Equivalent to -F command line option.
#ContentLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.log
# Look up local process owning each connection for logging.
# Equivalent to -i command line option.
#LogProcInfo yes
# Pcap log: packets to pcapfile (excludes PcapLogDir/PcapLogPathSpec).
# Equivalent to -X command line option.
#PcapLog /var/log/sslproxy/content.pcap
# Pcap log: packets to separate files in dir
# (excludes PcapLog/PcapLogPathSpec).
# Equivalent to -Y command line option.
#PcapLogDir /var/log/sslproxy/pcap
# Pcap log: packets to sep files with % subst (excludes PcapLog/PcapLogDir).
# Equivalent to -y command line option.
#PcapLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.pcap
# Mirror packets to interface.
# Equivalent to -I command line option.
#MirrorIf lo
# Mirror packets to target address (used with MirrorIf).
# Equivalent to -T command line option.
#MirrorTarget 192.0.2.1
# Log master keys to logfile in SSLKEYLOGFILE format.
# Equivalent to -M command line option.
#MasterKeyLog /var/log/sslproxy/masterkeys.log
# Daemon mode: run in background, log error messages to syslog.
# Equivalent to -d command line option.
Daemon yes
# Debug mode: run in foreground, log debug messages on stderr.
# Equivalent to -D command line option.
#Debug yes
# Verbose debug level
#DebugLevel 4
# Close connections after this many seconds of idle time
ConnIdleTimeout 120
# Check for expired connections every this many seconds
ExpiredConnCheckPeriod 10
# Retry to shut ssl conns down after this many micro seconds
# Increasing this delay may avoid dirty shutdowns on slow connections,
# but increases resource usage, such as file desriptors and memory
SSLShutdownRetryDelay 100
# Log statistics to syslog
# Equivalent to -J command line option.
LogStats yes
# Log statistics every this many ExpiredConnCheckPeriod periods
StatsPeriod 1
# Remove HTTP header line for Accept-Encoding
RemoveHTTPAcceptEncoding no
# Remove HTTP header line for Referer
RemoveHTTPReferer yes
# Verify peer using default certificates
VerifyPeer yes
# When disabled, never add the SNI to forged certificates, even if the SNI
# provided by the client does not match the server certificate's CN/SAN.
# Helps pass the wrong.host test at https://badssl.com.
AllowWrongHost no
# Require authentication for users to use SSLproxy
#UserAuth no
# Path to user db file
#UserDBPath /var/db/users.db
# Time users out after this many seconds of idle time
#UserTimeout 300
# Redirect URL for users to log in to the system
#UserAuthURL https://192.168.0.1/userdblogin.php
# Validate proxy spec protocols
#ValidateProto no
# Max HTTP header size in bytes for protocol validation
#MaxHTTPHeaderSize 8192
# Set open files limit, use 50-10000
#OpenFilesLimit 1024
# Passthrough sites
# site [(clientaddr|(user|*) [description keyword])]
#PassSite example.com
#PassSite example.com 192.168.0.1
#PassSite example.com soner
#PassSite *.google.com * android
# One line proxy specifications
# type listenaddr+port up:utmport [ua:utmaddr ra:returnaddr]
#ProxySpec https 127.0.0.1 8443 up:8080 [ua:127.0.0.1 ra:127.0.0.1]
ProxySpec https 127.0.0.1 8443 up:8080
ProxySpec pop3s 127.0.0.1 8995 up:8110
ProxySpec smtps 127.0.0.1 8465 up:9199
# Structured proxy specifications
# Global config is cloned into all proxyspecs first
# Each proxyspec can override its cloned global config
ProxySpec {
Proto https
# Listen address
Addr 127.0.0.1
# Listen port
Port 8444
# Divert address defaults to 127.0.0.1, if not specified
# Equivalent to ua
DivertAddr 127.0.0.1
# Equivalent to up
DivertPort 8080
# Return address defaults to 127.0.0.1, if not specified
# Equivalent to ra
ReturnAddr 127.0.0.1
# Specify nat, sni, or target config
#NatEngine netfilter
#SNIPort 443
#TargetAddr 127.0.0.1
#TargetPort 9443
DenyOCSP yes
Passthrough no
# Proxyspec specific SSL/TLS config, overrides the cloned global config
#CACert ca.crt
#CAKey ca.key
#ClientCert client.crt
#ClientKey client.key
#CAChain chain.crt
#DHGroupParams dh.pem
#ECDHCurve prime256v1
#SSLCompression no
#ForceSSLProto tls12
#DisableSSLProto tls10
#MinSSLProto tls10
#MaxSSLProto tls12
#Ciphers MEDIUM:HIGH
RemoveHTTPAcceptEncoding no
RemoveHTTPReferer yes
VerifyPeer yes
UserAuth yes
UserTimeout 300
UserAuthURL https://192.168.0.1/userdblogin.php
ValidateProto yes
# Proxyspec specific passites are appended to the cloned global passites
PassSite example2.com
}