mirror of
https://github.com/sonertari/SSLproxy
synced 2024-11-13 13:10:37 +00:00
461 lines
14 KiB
Plaintext
461 lines
14 KiB
Plaintext
# Sample configuration for sslproxy v0.9.2
|
|
#
|
|
# Use the -f command line option to start sslproxy with a config file.
|
|
# See sslproxy.conf(5) and sslproxy(1) for documentation.
|
|
#
|
|
# Note that the ordering of options, rules, and proxyspecs in configuration
|
|
# files (and on the command line) is important. For example, rules and
|
|
# proxyspecs can only make use of the options defined earlier.
|
|
|
|
# Use CA cert (and key) to sign forged certs.
|
|
# Equivalent to -c command line option.
|
|
CACert /etc/sslproxy/ca.crt
|
|
|
|
# Use CA key (and cert) to sign forged certs.
|
|
# Equivalent to -k command line option.
|
|
CAKey /etc/sslproxy/ca.key
|
|
|
|
# Use cert from pemfile when destination requests client certs.
|
|
# Equivalent to -a command line option.
|
|
#ClientCert /etc/sslproxy/client.crt
|
|
|
|
# Use key from pemfile when destination requests client certs.
|
|
# Equivalent to -b command line option.
|
|
#ClientKey /etc/sslproxy/client.key
|
|
|
|
# Use CA chain from pemfile (intermediate and root CA certs).
|
|
# Equivalent to -C command line option.
|
|
#CAChain /etc/sslproxy/chain.crt
|
|
|
|
# Use key from pemfile for leaf certs.
|
|
# Equivalent to -K command line option.
|
|
# (default: generate)
|
|
#LeafKey /etc/sslproxy/leaf.key
|
|
|
|
# Use URL as CRL distribution point for all forged certs.
|
|
# Equivalent to -q command line option.
|
|
#LeafCRLURL http://example.com/example.crl
|
|
|
|
# Use cert+chain+key PEM files from certdir to target all sites matching the
|
|
# common names (non-matching: generate if CA).
|
|
# Equivalent to -t command line option.
|
|
#LeafCertDir /etc/sslproxy/leaf.d
|
|
|
|
# Use cert+chain+key from PEM file instead of generating leaf keys on the fly.
|
|
# Equivalent to -A command line option.
|
|
#DefaultLeafCert /etc/sslproxy/leaf.pem
|
|
|
|
# Write leaf key and only generated certificates to gendir.
|
|
# Equivalent to -w command line option.
|
|
#WriteGenCertsDir /var/log/sslproxy
|
|
|
|
# Write leaf key and all certificates to gendir.
|
|
# Equivalent to -W command line option.
|
|
#WriteAllCertsDir /var/log/sslproxy
|
|
|
|
# Deny all OCSP requests on all proxyspecs.
|
|
# Equivalent to -O command line option.
|
|
#DenyOCSP yes
|
|
|
|
# Passthrough SSL connections if they cannot be split because of client cert
|
|
# auth or no matching cert and no CA.
|
|
# Equivalent to -P command line option.
|
|
# (default: drop)
|
|
#Passthrough yes
|
|
|
|
# Use DH group params from pemfile.
|
|
# Equivalent to -g command line option.
|
|
# (default: keyfiles or auto)
|
|
#DHGroupParams /etc/sslproxy/dh.pem
|
|
|
|
# Use ECDH named curve.
|
|
# Equivalent to -G command line option.
|
|
# (default: prime256v1)
|
|
#ECDHCurve prime256v1
|
|
|
|
# Enable/disable SSL/TLS compression on all connections.
|
|
# Equivalent to -Z command line option.
|
|
#SSLCompression no
|
|
|
|
# Force SSL/TLS protocol version only.
|
|
# Equivalent to -r command line option.
|
|
# (default: all)
|
|
#ForceSSLProto tls12
|
|
|
|
# Disable SSL/TLS protocol version.
|
|
# Equivalent to -R command line option.
|
|
# (default: none)
|
|
#DisableSSLProto tls10
|
|
|
|
# Enable SSL/TLS protocol version.
|
|
# Equivalent to -B command line option.
|
|
# (default: all)
|
|
#EnableSSLProto tls10
|
|
|
|
# Min SSL/TLS protocol version.
|
|
# (default: tls10)
|
|
#MinSSLProto tls10
|
|
|
|
# Max SSL/TLS protocol version.
|
|
# (default: tls12 or tls13, depending on the version of SSL library)
|
|
#MaxSSLProto tls13
|
|
|
|
# Use the given OpenSSL ciphers spec.
|
|
# Equivalent to -s command line option.
|
|
# (default: ALL:-aNULL)
|
|
#Ciphers MEDIUM:HIGH
|
|
|
|
# Use the given OpenSSL ciphersuites spec.
|
|
# The ciphersuites spec is for TLS 1.3.
|
|
# Equivalent to -U command line option.
|
|
# (default: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256)
|
|
#CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
|
|
|
|
# Leaf key RSA keysize in bits, use 1024|2048|3072|4096.
|
|
# (default: 2048)
|
|
#LeafKeyRSABits 2048
|
|
|
|
# OpenSSL engine to activate, either ID or full path to shared library
|
|
# Equivalent to -x command line option
|
|
#OpenSSLEngine cloudhsm
|
|
|
|
# Specify default NAT engine to use.
|
|
# Equivalent to -e command line option.
|
|
#NATEngine netfilter
|
|
|
|
# Drop privileges to user.
|
|
# Equivalent to -u command line option.
|
|
# (default: nobody, if run as root)
|
|
#User _sslproxy
|
|
|
|
# Drop privileges to group.
|
|
# Equivalent to -m command line option.
|
|
# (default: primary group of user)
|
|
#Group _sslproxy
|
|
|
|
# chroot() to jaildir (impacts sni proxyspecs, see sslproxy(1)).
|
|
# Equivalent to -j command line option.
|
|
#Chroot /var/run/sslproxy
|
|
|
|
# Write pid to file.
|
|
# Equivalent to -p command line option.
|
|
# (default: no pid file)
|
|
PidFile /var/run/sslproxy.pid
|
|
|
|
# Connect log: log one line summary per connection to logfile.
|
|
# Equivalent to -l command line option.
|
|
#ConnectLog /var/log/sslproxy/connect.log
|
|
|
|
# Content log: full data to file or named pipe
|
|
# (excludes ContentLogDir/ContentLogPathSpec).
|
|
# Equivalent to -L command line option.
|
|
#ContentLog /var/log/sslproxy/content.log
|
|
|
|
# Content log: full data to separate files in dir
|
|
# (excludes ContentLog/ContentLogPathSpec).
|
|
# Equivalent to -S command line option.
|
|
#ContentLogDir /var/log/sslproxy/content
|
|
|
|
# Content log: full data to sep files with % subst
|
|
# (excludes ContentLog/ContentLogDir).
|
|
# Equivalent to -F command line option.
|
|
#ContentLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.log
|
|
|
|
# Look up local process owning each connection for logging.
|
|
# Equivalent to -i command line option.
|
|
#LogProcInfo yes
|
|
|
|
# Pcap log: packets to pcapfile (excludes PcapLogDir/PcapLogPathSpec).
|
|
# Equivalent to -X command line option.
|
|
#PcapLog /var/log/sslproxy/content.pcap
|
|
|
|
# Pcap log: packets to separate files in dir
|
|
# (excludes PcapLog/PcapLogPathSpec).
|
|
# Equivalent to -Y command line option.
|
|
#PcapLogDir /var/log/sslproxy/pcap
|
|
|
|
# Pcap log: packets to sep files with % subst (excludes PcapLog/PcapLogDir).
|
|
# Equivalent to -y command line option.
|
|
#PcapLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.pcap
|
|
|
|
# Mirror packets to interface.
|
|
# Equivalent to -I command line option.
|
|
#MirrorIf lo
|
|
|
|
# Mirror packets to target address (used with MirrorIf).
|
|
# Equivalent to -T command line option. Leave commented if the target is
|
|
# irrelevant (e.g. mirror to dummy device)
|
|
#MirrorTarget 192.0.2.1
|
|
|
|
# Log master keys to logfile in SSLKEYLOGFILE format.
|
|
# Equivalent to -M command line option.
|
|
#MasterKeyLog /var/log/sslproxy/masterkeys.log
|
|
|
|
# Daemon mode: run in background, log error messages to syslog.
|
|
# Equivalent to -d command line option.
|
|
Daemon yes
|
|
|
|
# Debug mode: run in foreground, log debug messages on stderr.
|
|
# Equivalent to -D command line option.
|
|
#Debug yes
|
|
|
|
# Verbose debug level
|
|
#DebugLevel 4
|
|
|
|
# Close connections after this many seconds of idle time
|
|
ConnIdleTimeout 120
|
|
|
|
# Check for expired connections every this many seconds
|
|
ExpiredConnCheckPeriod 10
|
|
|
|
# Log statistics to syslog
|
|
# Equivalent to -J command line option.
|
|
LogStats yes
|
|
|
|
# Log statistics every this many ExpiredConnCheckPeriod periods
|
|
StatsPeriod 1
|
|
|
|
# Remove HTTP header line for Accept-Encoding
|
|
RemoveHTTPAcceptEncoding no
|
|
|
|
# Remove HTTP header line for Referer
|
|
RemoveHTTPReferer yes
|
|
|
|
# Verify peer using default certificates
|
|
VerifyPeer yes
|
|
|
|
# When disabled, never add the SNI to forged certificates, even if the SNI
|
|
# provided by the client does not match the server certificate's CN/SAN.
|
|
# Helps pass the wrong.host test at https://badssl.com.
|
|
AllowWrongHost no
|
|
|
|
# Require authentication for users to use SSLproxy
|
|
#UserAuth no
|
|
|
|
# Path to user db file
|
|
#UserDBPath /var/db/users.db
|
|
|
|
# Time users out after this many seconds of idle time
|
|
#UserTimeout 300
|
|
|
|
# Redirect URL for users to log in to the system
|
|
#UserAuthURL https://192.168.0.1/userdblogin.php
|
|
|
|
# Comma separated list of users diverted by all proxyspecs
|
|
# Connections from these users are diverted to listening programs.
|
|
# Users not listed in DivertUsers or PassUsers are blocked.
|
|
# Max of 50 users can be listed.
|
|
DivertUsers utmfw
|
|
|
|
# Comma separated list of users passed through by all proxyspecs
|
|
# Connections from these users are simply passed through to their original destinations,
|
|
# not diverted to listening programs.
|
|
# Users not listed in DivertUsers or PassUsers are blocked.
|
|
# Max of 50 users can be listed.
|
|
PassUsers admin
|
|
|
|
# Validate proxy spec protocols
|
|
#ValidateProto no
|
|
|
|
# Max HTTP header size in bytes for protocol validation
|
|
#MaxHTTPHeaderSize 8192
|
|
|
|
# Set open files limit, use 50-10000
|
|
#OpenFilesLimit 1024
|
|
|
|
# Set divert or split mode of operation
|
|
# Not equivalent to the command line -n option.
|
|
# Applied to the proxyspecs defined after it, and structured proxyspecs can override it.
|
|
# Note that if the arg is not yes|no, this is assumed to be a Divert filter rule.
|
|
# (default: yes)
|
|
#Divert yes
|
|
|
|
# Passthrough sites
|
|
# The PassSite option is a special form of Pass filter rule
|
|
# PassSite rules can be written as Pass filter rules, see filter rule examples
|
|
# PassSite rules will be deprecated in favor of filter rules in the future
|
|
# site[*] [(clientaddr|user|*) [description desc]]
|
|
#PassSite example.com
|
|
#PassSite example.com 192.168.0.1
|
|
#PassSite example.com soner
|
|
#PassSite *.google.com * android
|
|
#PassSite .fbcdn.net* soner android
|
|
|
|
# Load configuration from an include file
|
|
# Recursive include files are not allowed. The Include option cannot be used in
|
|
# include files.
|
|
#Include /etc/sslproxy/filterrules.conf
|
|
#Include /etc/sslproxy/proxyspecs.conf
|
|
|
|
# Define macro to be used in filtering rules. Macro names must start with a $
|
|
# char. The macro name must be followed by words separated with spaces.
|
|
# Recursive macro definitions are not allowed.
|
|
#Define $macro value1 value2
|
|
|
|
# One line filtering rules
|
|
#(Divert|Split|Pass|Block|Match)
|
|
# ([from (
|
|
# user (username[*]|$macro|*) [desc (desc[*]|$macro|*)]|
|
|
# desc (desc[*]|$macro|*)|
|
|
# ip (clientip[*]|$macro|*)|
|
|
# *)]
|
|
# [to (
|
|
# (sni (servername[*]|$macro|*)|
|
|
# cn (commonname[*]|$macro|*)|
|
|
# host (host[*]|$macro|*)|
|
|
# uri (uri[*]|$macro|*)|
|
|
# ip (serverip[*]|$macro|*)) [port (serverport[*]|$macro|*)]|
|
|
# port (serverport[*]|$macro|*)|
|
|
# *)]
|
|
# [log ([[!]connect] [[!]master] [[!]cert]
|
|
# [[!]content] [[!]pcap] [[!]mirror] [$macro]|[!]*)]
|
|
# |*) [# comment]
|
|
#
|
|
# PassSite example.com is equivalent to the following two Pass rules:
|
|
# Pass to sni example.com
|
|
# Pass to cn example.com
|
|
#
|
|
#Divert from ip 192.168.0.1 to sni example.com
|
|
#Split from user soner to sni example.com log content
|
|
#Pass from user * desc android to sni *.google.com
|
|
#Block from user soner desc android to cn .fbcdn.net*
|
|
|
|
# Structured filtering rules
|
|
#FilterRule {
|
|
# Action (Divert|Split|Pass|Block|Match)
|
|
#
|
|
# # From
|
|
# User (username[*]|$macro|*) # inline
|
|
# Desc (desc[*]|$macro|*) # comments
|
|
# SrcIp (clientip[*]|$macro|*) # allowed
|
|
#
|
|
# # To
|
|
# SNI (servername[*]|$macro|*)
|
|
# CN (commonname[*]|$macro|*)
|
|
# Host (host[*]|$macro|*)
|
|
# URI (uri[*]|$macro|*)
|
|
# DstIp (serverip[*]|$macro|*)
|
|
# DstPort (serverport[*]|$macro|*)
|
|
#
|
|
# # Multiple Log lines allowed
|
|
# Log ([[!]connect] [[!]master] [[!]cert]
|
|
# [[!]content] [[!]pcap] [[!]mirror] [$macro]|[!]*)
|
|
#
|
|
# ReconnectSSL (yes|no)
|
|
#
|
|
# # Connection options
|
|
# DenyOCSP (yes|no)
|
|
# Passthrough (yes|no)
|
|
# CACert ca.crt
|
|
# CAKey ca.key
|
|
# ClientCert client.crt
|
|
# ClientKey client.key
|
|
# CAChain chain.crt
|
|
# LeafCRLURL http://example.com/example.crl
|
|
# DHGroupParams dh.pem
|
|
# ECDHCurve prime256v1
|
|
# SSLCompression (yes|no)
|
|
# ForceSSLProto (ssl2|ssl3|tls10|tls11|tls12|tls13)
|
|
# DisableSSLProto (ssl2|ssl3|tls10|tls11|tls12|tls13)
|
|
# EnableSSLProto (ssl2|ssl3|tls10|tls11|tls12|tls13)
|
|
# MinSSLProto (ssl2|ssl3|tls10|tls11|tls12|tls13)
|
|
# MaxSSLProto (ssl2|ssl3|tls10|tls11|tls12|tls13)
|
|
# Ciphers MEDIUM:HIGH
|
|
# CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
|
|
# RemoveHTTPAcceptEncoding (yes|no)
|
|
# RemoveHTTPReferer (yes|no)
|
|
# VerifyPeer (yes|no)
|
|
# AllowWrongHost (yes|no)
|
|
# UserAuth (yes|no)
|
|
# UserTimeout 300
|
|
# UserAuthURL https://192.168.0.1/userdblogin.php
|
|
# ValidateProto (yes|no)
|
|
# MaxHTTPHeaderSize 8192
|
|
#}
|
|
|
|
# One line proxy specifications
|
|
# type listenaddr+port up:utmport [ua:utmaddr ra:returnaddr]
|
|
#ProxySpec https 127.0.0.1 8443 up:8080 [ua:127.0.0.1 ra:127.0.0.1]
|
|
ProxySpec https 127.0.0.1 8443 up:8080
|
|
ProxySpec pop3s 127.0.0.1 8995 up:8110
|
|
ProxySpec smtps 127.0.0.1 8465 up:9199
|
|
# split mode
|
|
ProxySpec http 127.0.0.1 8081
|
|
|
|
# Structured proxy specifications
|
|
# Global config is cloned into all proxyspecs first
|
|
# Each proxyspec can override its cloned global config
|
|
ProxySpec {
|
|
Proto https
|
|
|
|
# Listen address
|
|
Addr 127.0.0.1
|
|
# Listen port
|
|
Port 8444
|
|
|
|
# Set divert or split mode for proxyspec
|
|
#Divert yes
|
|
|
|
# Divert address defaults to 127.0.0.1, if not specified
|
|
# Equivalent to ua
|
|
DivertAddr 127.0.0.1
|
|
# Equivalent to up
|
|
DivertPort 8080
|
|
|
|
# Return address defaults to 127.0.0.1, if not specified
|
|
# Equivalent to ra
|
|
ReturnAddr 127.0.0.1
|
|
|
|
# Specify nat, sni, or target config
|
|
#NatEngine netfilter
|
|
#SNIPort 443
|
|
#TargetAddr 127.0.0.1
|
|
#TargetPort 9443
|
|
|
|
DenyOCSP yes
|
|
Passthrough no
|
|
|
|
# Proxyspec specific SSL/TLS config, overrides the cloned global config
|
|
#CACert ca.crt
|
|
#CAKey ca.key
|
|
#ClientCert client.crt
|
|
#ClientKey client.key
|
|
#CAChain chain.crt
|
|
#DHGroupParams dh.pem
|
|
#ECDHCurve prime256v1
|
|
#SSLCompression no
|
|
#ForceSSLProto tls12
|
|
#DisableSSLProto tls10
|
|
#EnableSSLProto tls10
|
|
#MinSSLProto tls10
|
|
#MaxSSLProto tls13
|
|
#Ciphers MEDIUM:HIGH
|
|
#CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
|
|
|
|
RemoveHTTPAcceptEncoding no
|
|
RemoveHTTPReferer yes
|
|
VerifyPeer yes
|
|
|
|
UserAuth yes
|
|
UserTimeout 300
|
|
UserAuthURL https://192.168.0.1/userdblogin.php
|
|
# Comma separated list of users diverted by this proxyspec, overrides the cloned global list
|
|
DivertUsers utmfw
|
|
# Comma separated list of users passed through by this proxyspec, overrides the cloned global list
|
|
PassUsers admin
|
|
|
|
ValidateProto yes
|
|
# Proxyspec specific passsites are appended to the cloned global passsites
|
|
PassSite example2.com
|
|
|
|
Define $admins soner admin
|
|
Pass from user $admins desc android to cn .fbcdn.net*
|
|
# Structured version of one line filtering rule above
|
|
FilterRule {
|
|
Action Pass
|
|
User $admins
|
|
Desc android
|
|
CN .fbcdn.net*
|
|
}
|
|
}
|