Commit 0b1a0f4b authored by Ad Schellevis's avatar Ad Schellevis Committed by Franco Fichtner

(proxy) work in progress sslbum, some work to be done....

(cherry picked from commit 7d18504c)
parent 5d8d0781
......@@ -196,6 +196,34 @@
<a href="/firewall_nat_edit.php?template=transparant_proxy"> add a new firewall rule </a>
]]></help>
</field>
<field>
<id>proxy.forward.sslbump</id>
<label>Enable SSL mode</label>
<type>checkbox</type>
<help><![CDATA[
Enable sslbump mode,
which makes the proxy act like a man in the middle between the internet and your clients.
Be aware of the security implications before enabling this option.
]]></help>
</field>
<field>
<id>proxy.forward.sslcertificate</id>
<label>CA to use</label>
<type>dropdown</type>
<help><![CDATA[
Select a Certificate Authority to use.
]]></help>
</field>
<field>
<id>proxy.forward.sslnobumpsites</id>
<label>SSL no bump sites</label>
<type>select_multiple</type>
<style>tokenize</style>
<allownew>true</allownew>
<help><![CDATA[
Create a list of sites which may not be inspected, for example bank sites.
]]></help>
</field>
<field>
<id>proxy.forward.addACLforInterfaceSubnets</id>
<label>Allow interface subnets</label>
......
......@@ -159,6 +159,20 @@
<ValidationMessage>Proxy port needs to be an integer value between 1 and 65535</ValidationMessage>
<Required>Y</Required>
</port>
<sslbump type="BooleanField">
<default>0</default>
<Required>Y</Required>
</sslbump>
<sslcertificate type="CertificateField">
<Required>N</Required>
<Type>ca</Type>
<ValidationMessage>Please select a valid certificate from the list</ValidationMessage>
</sslcertificate>
<sslnobumpsites type="CSVListField">
<Required>N</Required>
<mask>/^([a-zA-Z0-9.:,]){0,}/</mask>
<ValidationMessage>Please enter ip addresses or domain names here</ValidationMessage>
</sslnobumpsites>
<ftpInterfaces type="InterfaceField">
<Required>N</Required>
<multiple>Y</multiple>
......
#!/bin/sh
SQUID_DIRS="/var/log/squid /var/run/squid /var/squid /var/squid/cache /var/squid/logs"
SQUID_DIRS="/var/log/squid /var/run/squid /var/squid /var/squid/cache /var/squid/ssl /var/squid/logs"
for SQUID_DIR in ${SQUID_DIRS}; do
mkdir -p ${SQUID_DIR}
......@@ -8,4 +8,15 @@ for SQUID_DIR in ${SQUID_DIRS}; do
chmod -R 750 ${SQUID_DIR}
done
/usr/sbin/pw groupmod proxy -m squid
/usr/local/sbin/squid -z
/usr/local/sbin/squid -z > /dev/null 2>&1
# wait a moment before exit, running squid -z and squid start without time between them sometimes results in
# some vague errors.
sleep 1
# create ssl certificate store, in case sslbump is enabled we need this
if [ ! -d /var/squid/ssl_crtd ]; then
/usr/local/libexec/squid/ssl_crtd -c -s /var/squid/ssl_crtd > /dev/null 2>&1
chown -R squid:squid /var/squid/ssl_crtd
chmod -R 750 /var/squid/ssl_crtd
fi
......@@ -2,3 +2,4 @@ rc.conf.d:/etc/rc.conf.d/squid
squid.conf:/usr/local/etc/squid/squid.conf
newsyslog.conf:/etc/newsyslog.conf.d/squid
externalACLs.conf:/usr/local/etc/squid/externalACLs.conf
nobumpsites.acl:/usr/local/etc/squid/nobumpsites.acl
......@@ -2,10 +2,17 @@
# Automatic generated configuration for Squid.
# Do not edit this file manually.
{# wrap http_port ssl bump configuration for reuse #}
{% macro sslbump_httpconfig() -%}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=16MB generate-host-certificates=on
{% endif %}
{%- endmacro %}
{% if helpers.exists('OPNsense.proxy.forward.transparentMode') and OPNsense.proxy.forward.transparentMode == '1' %}
# transparent mode, listen on localhost
http_port 127.0.0.1:{{ OPNsense.proxy.forward.port }} intercept
http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept
http_port 127.0.0.1:{{ OPNsense.proxy.forward.port }} intercept {{ sslbump_httpconfig() }}
http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept {{ sslbump_httpconfig() }}
{% endif %}
# Setup listen configuration
......@@ -13,20 +20,35 @@ http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept
{% for interface in OPNsense.proxy.forward.interfaces.split(",") %}
{% for intf_key,intf_item in interfaces.iteritems() %}
{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }}
http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }} {{ sslbump_httpconfig() }}
{% endif %}
{% endfor %}
{# virtual ip's #}
{% if helpers.exists('virtualip') %}
{% for intf_key,intf_item in virtualip.iteritems() %}
{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }}
http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }} {{ sslbump_httpconfig() }}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
# setup ssl re-cert
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_crtd -M 4MB
sslcrtd_children 5
# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
# configure bump
ssl_bump peek bump_step1 all
ssl_bump bump
{% endif %}
acl ftp proto FTP
http_access allow ftp
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment