Commit 091601ae authored by Mikhail Morev's avatar Mikhail Morev Committed by Franco Fichtner

web proxy: update for non-transparent SSL bumping

(cherry picked from commit f3c35f3f)
(cherry picked from commit 1126922b)
(cherry picked from commit c9e1423f)
(cherry picked from commit 53e4be27)
(cherry picked from commit 2e707046)
(cherry picked from commit cdedd9a5)
(cherry picked from commit 1a76aa95)
parent b644925a
......@@ -223,23 +223,27 @@
</field>
<field>
<id>proxy.forward.sslbump</id>
<label>Enable SSL mode</label>
<label>Enable SSL inspection</label>
<type>checkbox</type>
<help><![CDATA[
Enable sslbump mode,
which makes the proxy act as a man in the middle between the internet and your clients.<br/>
Enable SSL inspection mode,
which allows to log HTTPS connections information, such as requested URL and/or
make the proxy act as a man in the middle between the internet and your clients.<br/>
Be aware of the security implications before enabling this option.
<br/><br/>
Transparent HTTP proxy needs to be enabled and you need nat rules to reflect your traffic
for this feature to work.<br/>
<a href="/firewall_nat_edit.php?template=transparent_proxy&https=1"> Add a new firewall rule </a>
If you plan to use transparent HTTPS mode, you need nat rules to reflect your traffic.<br/>
<a href="/firewall_nat_edit.php?template=transparent_proxy&https=1">Add a new firewall rule </a>
]]></help>
</field>
<field>
<id>proxy.forward.sslurlonly</id>
<label>SSL Domain/IP only</label>
<label>Log SNI information only</label>
<type>checkbox</type>
<help>Do not filter content, only domains and addresses</help>
<help><![CDATA[
Do not decode and/or filter SSL content, only log requested domains and IP addresses.<br/>
Some old servers may not provide SNI, so their addresses will not be indicated.<br/>Get more information about
<a href="https://wikipedia.org/wiki/Server_Name_Indication" target="_blank">Server Name Indication</a>.
]]></help>
</field>
<field>
<id>proxy.forward.sslbumpport</id>
......
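Review bot: The new help text for proxy.forward.sslurlonly says servers without SNI will have their "addresses" not indicated, yet the preceding sentence says this mode logs both requested domains and IP addresses; presumably it is the domain name that is unavailable without SNI, so `Some old servers may not provide SNI, so their domain names will not be indicated.<br/>` would match the described behaviour — confirm against what the proxy actually logs in that case. In the sslbump help, `which allows to log HTTPS connections information, such as requested URL and/or` is ungrammatical; `which allows logging of HTTPS connection information, such as the requested URL, and/or` reads cleanly. The rewritten anchor text `Add a new firewall rule </a>` still carries a trailing space inside the link.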
......@@ -3,38 +3,47 @@
# Do not edit this file manually.
#
{# wrap http_port ssl bump configuration for reuse #}
{% macro sslbump_httpsconfig(network, tags='') -%}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
https_port {{network}}:{{OPNsense.proxy.forward.sslbumpport|default('3129')}} {{tags}} ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
{% endif %}
{# wrap listener configuration for reuse #}
{% macro listener_config(network, port='3129', tags='', protocol='') -%}
{% if protocol == 'ssl' %}
{% set listener_type = 'https_port' %}
{% else %}
{% set listener_type = 'http_port' %}
{% endif %}
{% set sslparams = '' %}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
{% set sslparams = 'ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on' %}
{% endif %}
{{listener_type}} {{network}}:{{port}} {{tags}} {{sslparams}}
{%- endmacro %}
{% if helpers.exists('OPNsense.proxy.forward.transparentMode') and OPNsense.proxy.forward.transparentMode == '1' %}
# transparent mode, listen on localhost
http_port 127.0.0.1:{{ OPNsense.proxy.forward.port }} intercept
{{ sslbump_httpsconfig('127.0.0.1', 'intercept') }}
http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept
{{ sslbump_httpsconfig('[::1]', 'intercept') }}
# Setup transparent mode listeners on loopback interfaces
{{ listener_config('127.0.0.1', OPNsense.proxy.forward.port, 'intercept') }}
{{ listener_config('[::1]', OPNsense.proxy.forward.port, 'intercept') }}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
{{ listener_config('127.0.0.1', OPNsense.proxy.forward.sslbumpport, 'intercept', 'ssl') }}
{{ listener_config('[::1]', OPNsense.proxy.forward.sslbumpport, 'intercept', 'ssl') }}
{% endif %}
{% endif %}
# Setup listen configuration
# Setup regular listeners configuration
{% if helpers.exists('OPNsense.proxy.forward.interfaces') %}
{% for interface in OPNsense.proxy.forward.interfaces.split(",") %}
{% for intf_key,intf_item in interfaces.iteritems() %}
{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }}
{% endif %}
{% endfor %}
{% for interface in OPNsense.proxy.forward.interfaces.split(",") %}
{% for intf_key,intf_item in interfaces.iteritems() %}
{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
{{ listener_config(intf_item.ipaddr, OPNsense.proxy.forward.port) }}
{% endif %}
{% endfor %}
{# virtual ip's #}
{% if helpers.exists('virtualip') %}
{% for intf_key,intf_item in virtualip.iteritems() %}
{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
{% if helpers.exists('virtualip') %}
{% for intf_key,intf_item in virtualip.iteritems() %}
{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
{{ listener_config(intf_item.subnet, OPNsense.proxy.forward.port) }}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
......
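Review bot: The two intercept ssl listener calls, `{{ listener_config('127.0.0.1', OPNsense.proxy.forward.sslbumpport, 'intercept', 'ssl') }}` and its `[::1]` twin, drop the `|default('3129')` fallback that the removed sslbump_httpsconfig macro applied to sslbumpport; because the port is passed explicitly, the macro's `port='3129'` default never engages, so an empty value would render `https_port 127.0.0.1: intercept ...`. Passing `OPNsense.proxy.forward.sslbumpport|default('3129')` in both calls (or applying the fallback inside the macro) restores the previous behaviour. Separately, listener_config now appends the ssl-bump parameters to every listener whenever sslbump is enabled, so the loopback intercept http_port and every per-interface and virtual-ip http_port carry `ssl-bump cert=... generate-host-certificates=on`; this appears intended for the non-transparent CONNECT case named in the title, but a macro comment such as `{# when sslbump is on, ssl-bump is attached to every listener so explicit CONNECT traffic is bumped as well #}` would make that widening explicit for the next reader. The macro also still emits a bare `https_port` with no cert when called with protocol 'ssl' while sslbump is off — guarded at the call site today, but deriving sslparams from the protocol in one place would remove the duplicated sslbump check. The `{% if ... sslbump == '1' %}` block opened on the hunk's last line closes outside the hunk.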