Skip to content

O
OpnSense
Commit 0b1a0f4b authored by Ad Schellevis's avatar Ad Schellevis Committed by Franco Fichtner
Browse files
Options

(proxy) work in progress sslbum, some work to be done.... 

(cherry picked from commit 7d18504c)
parent 5d8d0781
Show whitespace changes
Inline Side-by-side
Showing with 82 additions and 6 deletions
src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
View file @ 0b1a0f4b
...@@ -196,6 +196,34 @@ ...@@ -196,6 +196,34 @@
<a href="/firewall_nat_edit.php?template=transparant_proxy"> add a new firewall rule </a> <a href="/firewall_nat_edit.php?template=transparant_proxy"> add a new firewall rule </a>
]]></help> ]]></help>
</field> </field>
<field>
<id>proxy.forward.sslbump</id>
<label>Enable SSL mode</label>
<type>checkbox</type>
<help><![CDATA[
Enable sslbump mode,
which makes the proxy act like a man in the middle between the internet and your clients.
Be aware of the security implications before enabling this option.
]]></help>
</field>
<field>
<id>proxy.forward.sslcertificate</id>
<label>CA to use</label>
<type>dropdown</type>
<help><![CDATA[
Select a Certificate Authority to use.
]]></help>
</field>
<field>
<id>proxy.forward.sslnobumpsites</id>
<label>SSL no bump sites</label>
<type>select_multiple</type>
<style>tokenize</style>
<allownew>true</allownew>
<help><![CDATA[
Create a list of sites which may not be inspected, for example bank sites.
]]></help>
</field>
<field> <field>
<id>proxy.forward.addACLforInterfaceSubnets</id> <id>proxy.forward.addACLforInterfaceSubnets</id>
<label>Allow interface subnets</label> <label>Allow interface subnets</label>
......
src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
View file @ 0b1a0f4b
...@@ -159,6 +159,20 @@ ...@@ -159,6 +159,20 @@
<ValidationMessage>Proxy port needs to be an integer value between 1 and 65535</ValidationMessage> <ValidationMessage>Proxy port needs to be an integer value between 1 and 65535</ValidationMessage>
<Required>Y</Required> <Required>Y</Required>
</port> </port>
<sslbump type="BooleanField">
<default>0</default>
<Required>Y</Required>
</sslbump>
<sslcertificate type="CertificateField">
<Required>N</Required>
<Type>ca</Type>
<ValidationMessage>Please select a valid certificate from the list</ValidationMessage>
</sslcertificate>
<sslnobumpsites type="CSVListField">
<Required>N</Required>
<mask>/^([a-zA-Z0-9.:,]){0,}/</mask>
<ValidationMessage>Please enter ip addresses or domain names here</ValidationMessage>
</sslnobumpsites>
<ftpInterfaces type="InterfaceField"> <ftpInterfaces type="InterfaceField">
<Required>N</Required> <Required>N</Required>
<multiple>Y</multiple> <multiple>Y</multiple>
......
src/opnsense/scripts/proxy/setup.sh
View file @ 0b1a0f4b
#!/bin/sh #!/bin/sh
SQUID_DIRS="/var/log/squid /var/run/squid /var/squid /var/squid/cache /var/squid/logs" SQUID_DIRS="/var/log/squid /var/run/squid /var/squid /var/squid/cache /var/squid/ssl /var/squid/logs"
for SQUID_DIR in ${SQUID_DIRS}; do for SQUID_DIR in ${SQUID_DIRS}; do
mkdir -p ${SQUID_DIR} mkdir -p ${SQUID_DIR}
...@@ -8,4 +8,15 @@ for SQUID_DIR in ${SQUID_DIRS}; do ...@@ -8,4 +8,15 @@ for SQUID_DIR in ${SQUID_DIRS}; do
chmod -R 750 ${SQUID_DIR} chmod -R 750 ${SQUID_DIR}
done done
/usr/sbin/pw groupmod proxy -m squid /usr/sbin/pw groupmod proxy -m squid
/usr/local/sbin/squid -z /usr/local/sbin/squid -z > /dev/null 2>&1
# wait a moment before exit, running squid -z and squid start without time between them sometimes results in
# some vague errors.
sleep 1
# create ssl certificate store, in case sslbump is enabled we need this
if [ ! -d /var/squid/ssl_crtd ]; then
/usr/local/libexec/squid/ssl_crtd -c -s /var/squid/ssl_crtd > /dev/null 2>&1
chown -R squid:squid /var/squid/ssl_crtd
chmod -R 750 /var/squid/ssl_crtd
fi
src/opnsense/service/templates/OPNsense/Proxy/+TARGETS
View file @ 0b1a0f4b
...@@ -2,3 +2,4 @@ rc.conf.d:/etc/rc.conf.d/squid ...@@ -2,3 +2,4 @@ rc.conf.d:/etc/rc.conf.d/squid
squid.conf:/usr/local/etc/squid/squid.conf squid.conf:/usr/local/etc/squid/squid.conf
newsyslog.conf:/etc/newsyslog.conf.d/squid newsyslog.conf:/etc/newsyslog.conf.d/squid
externalACLs.conf:/usr/local/etc/squid/externalACLs.conf externalACLs.conf:/usr/local/etc/squid/externalACLs.conf
nobumpsites.acl:/usr/local/etc/squid/nobumpsites.acl
src/opnsense/service/templates/OPNsense/Proxy/squid.conf
View file @ 0b1a0f4b
...@@ -2,10 +2,17 @@ ...@@ -2,10 +2,17 @@
# Automatic generated configuration for Squid. # Automatic generated configuration for Squid.
# Do not edit this file manually. # Do not edit this file manually.
{# wrap http_port ssl bump configuration for reuse #}
{% macro sslbump_httpconfig() -%}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=16MB generate-host-certificates=on
{% endif %}
{%- endmacro %}
{% if helpers.exists('OPNsense.proxy.forward.transparentMode') and OPNsense.proxy.forward.transparentMode == '1' %} {% if helpers.exists('OPNsense.proxy.forward.transparentMode') and OPNsense.proxy.forward.transparentMode == '1' %}
# transparent mode, listen on localhost # transparent mode, listen on localhost
http_port 127.0.0.1:{{ OPNsense.proxy.forward.port }} intercept http_port 127.0.0.1:{{ OPNsense.proxy.forward.port }} intercept {{ sslbump_httpconfig() }}
http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept {{ sslbump_httpconfig() }}
{% endif %} {% endif %}
# Setup listen configuration # Setup listen configuration
...@@ -13,20 +20,35 @@ http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept ...@@ -13,20 +20,35 @@ http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept
{% for interface in OPNsense.proxy.forward.interfaces.split(",") %} {% for interface in OPNsense.proxy.forward.interfaces.split(",") %}
{% for intf_key,intf_item in interfaces.iteritems() %} {% for intf_key,intf_item in interfaces.iteritems() %}
{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %} {% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }} http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }} {{ sslbump_httpconfig() }}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{# virtual ip's #} {# virtual ip's #}
{% if helpers.exists('virtualip') %} {% if helpers.exists('virtualip') %}
{% for intf_key,intf_item in virtualip.iteritems() %} {% for intf_key,intf_item in virtualip.iteritems() %}
{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %} {% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }} http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }} {{ sslbump_httpconfig() }}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
# setup ssl re-cert
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_crtd -M 4MB
sslcrtd_children 5
# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
# configure bump
ssl_bump peek bump_step1 all
ssl_bump bump
{% endif %}
acl ftp proto FTP acl ftp proto FTP
http_access allow ftp http_access allow ftp
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

Technounit-GROUP 2023