Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
O
OpnSense
Project
Project
Details
Activity
Releases
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Kulya
OpnSense
Commits
1dbbd263
Commit
1dbbd263
authored
Mar 21, 2016
by
Ad Schellevis
Committed by
Franco Fichtner
Apr 03, 2016
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
(proxy) work in progress ssl-bump
(cherry picked from commit
92883b23
)
parent
0b1a0f4b
Changes
8
Hide whitespace changes
Inline
Side-by-side
Showing
8 changed files
with
103 additions
and
5 deletions
+103
-5
main.xml
...pnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
+15
-1
Proxy.xml
src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+14
-0
generate_cert.php
src/opnsense/scripts/proxy/generate_cert.php
+55
-0
setup.sh
src/opnsense/scripts/proxy/setup.sh
+3
-0
+TARGETS
src/opnsense/service/templates/OPNsense/Proxy/+TARGETS
+1
-0
ca.pem.id
src/opnsense/service/templates/OPNsense/Proxy/ca.pem.id
+3
-0
nobumpsites.acl
...opnsense/service/templates/OPNsense/Proxy/nobumpsites.acl
+5
-0
squid.conf
src/opnsense/service/templates/OPNsense/Proxy/squid.conf
+7
-4
No files found.
src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
View file @
1dbbd263
...
...
@@ -202,7 +202,7 @@
<type>
checkbox
</type>
<help>
<![CDATA[
Enable sslbump mode,
which makes the proxy act
like
a man in the middle between the internet and your clients.
which makes the proxy act
as
a man in the middle between the internet and your clients.
Be aware of the security implications before enabling this option.
]]>
</help>
</field>
...
...
@@ -224,6 +224,20 @@
Create a list of sites which may not be inspected, for example bank sites.
]]>
</help>
</field>
<field>
<id>
proxy.forward.ssl_crtd_storage_max_size
</id>
<label>
SSL cache size
</label>
<type>
text
</type>
<help>
<![CDATA[Enter the maximum size (in MB) to use for SSL certificates.]]>
</help>
<advanced>
true
</advanced>
</field>
<field>
<id>
proxy.forward.sslcrtd_children
</id>
<label>
SSL cert workers
</label>
<type>
text
</type>
<help>
<![CDATA[Enter the number of ssl certificate workers to use (sslcrtd_children).]]>
</help>
<advanced>
true
</advanced>
</field>
<field>
<id>
proxy.forward.addACLforInterfaceSubnets
</id>
<label>
Allow interface subnets
</label>
...
...
src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
View file @
1dbbd263
...
...
@@ -173,6 +173,20 @@
<mask>
/^([a-zA-Z0-9.:,]){0,}/
</mask>
<ValidationMessage>
Please enter ip addresses or domain names here
</ValidationMessage>
</sslnobumpsites>
<ssl_crtd_storage_max_size
type=
"IntegerField"
>
<Required>
Y
</Required>
<default>
4
</default>
<MinimumValue>
1
</MinimumValue>
<MaximumValue>
65535
</MaximumValue>
<ValidationMessage>
max size needs to be an integer value between 1 and 65535
</ValidationMessage>
</ssl_crtd_storage_max_size>
<sslcrtd_children
type=
"IntegerField"
>
<Required>
Y
</Required>
<default>
5
</default>
<MinimumValue>
1
</MinimumValue>
<MaximumValue>
32
</MaximumValue>
<ValidationMessage>
the number of sslrtd children needs to be an integer value between 1 and 32
</ValidationMessage>
</sslcrtd_children>
<ftpInterfaces
type=
"InterfaceField"
>
<Required>
N
</Required>
<multiple>
Y
</multiple>
...
...
src/opnsense/scripts/proxy/generate_cert.php
0 → 100755
View file @
1dbbd263
#!/usr/local/bin/php
<?php
/**
* Copyright (C) 2016 Deciso B.V.
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
*/
// use legacy code to generate certs and ca's
require_once
(
"config.inc"
);
require_once
(
"certs.inc"
);
require_once
(
"legacy_bindings.inc"
);
use
OPNsense\Core\Config
;
global
$config
;
// Our template systems stores the ca certid into /usr/local/etc/squid/ca.pem.id
// Which makes it easier for the setup script to detect cert changes (which should flush the stored cache)
if
(
is_file
(
'/usr/local/etc/squid/ca.pem.id'
))
{
$cert_refid
=
trim
(
file_get_contents
(
'/usr/local/etc/squid/ca.pem.id'
));
if
(
!
empty
(
$config
[
'ca'
]))
{
foreach
(
$config
[
'ca'
]
as
$ca
)
{
if
(
isset
(
$ca
[
'refid'
])
&&
$ca
[
'refid'
]
==
$cert_refid
)
{
$pem_contents
=
''
;
$pem_contents
.=
base64_decode
(
$ca
[
'prv'
]);
$pem_contents
.=
base64_decode
(
$ca
[
'crt'
]);
$pem_contents
.=
ca_chain
(
$ca
);
echo
"certificate generated
\n
"
;
file_put_contents
(
'/var/squid/ssl/ca.pem'
,
$pem_contents
);
}
}
}
}
src/opnsense/scripts/proxy/setup.sh
View file @
1dbbd263
...
...
@@ -20,3 +20,6 @@ if [ ! -d /var/squid/ssl_crtd ]; then
chown
-R
squid:squid /var/squid/ssl_crtd
chmod
-R
750 /var/squid/ssl_crtd
fi
# generate SSL bump certificate
/usr/local/opnsense/scripts/proxy/generate_cert.php
src/opnsense/service/templates/OPNsense/Proxy/+TARGETS
View file @
1dbbd263
...
...
@@ -3,3 +3,4 @@ squid.conf:/usr/local/etc/squid/squid.conf
newsyslog.conf:/etc/newsyslog.conf.d/squid
externalACLs.conf:/usr/local/etc/squid/externalACLs.conf
nobumpsites.acl:/usr/local/etc/squid/nobumpsites.acl
ca.pem.id:/usr/local/etc/squid/ca.pem.id
src/opnsense/service/templates/OPNsense/Proxy/ca.pem.id
0 → 100644
View file @
1dbbd263
{% if helpers.exists('OPNsense.proxy.forward.sslcertificate') %}
{{ OPNsense.proxy.forward.sslcertificate }}
{% endif %}
src/opnsense/service/templates/OPNsense/Proxy/nobumpsites.acl
0 → 100644
View file @
1dbbd263
{% if helpers.exists('OPNsense.proxy.forward.sslnobumpsites') and OPNsense.proxy.forward.sslnobumpsites != '' %}
{% for line in OPNsense.proxy.forward.sslnobumpsites.split(',') %}
{{ line }}
{% endfor %}
{% endif %}
src/opnsense/service/templates/OPNsense/Proxy/squid.conf
View file @
1dbbd263
...
...
@@ -5,7 +5,7 @@
{
# wrap http_port ssl bump configuration for reuse #}
{%
macro
sslbump_httpconfig
() -%}
{%
if
helpers
.
exists
(
'OPNsense.proxy.forward.sslbump'
)
and
OPNsense
.
proxy
.
forward
.
sslbump
==
'1'
%}
ssl
-
bump
cert
=/
var
/
squid
/
ssl
/
ca
.
pem
dynamic_cert_mem_cache_size
=
1
6
MB
generate
-
host
-
certificates
=
on
ssl
-
bump
cert
=/
var
/
squid
/
ssl
/
ca
.
pem
dynamic_cert_mem_cache_size
=
1
0
MB
generate
-
host
-
certificates
=
on
{%
endif
%}
{%-
endmacro
%}
...
...
@@ -36,19 +36,22 @@ http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }} {{ sslbump_http
{%
if
helpers
.
exists
(
'OPNsense.proxy.forward.sslbump'
)
and
OPNsense
.
proxy
.
forward
.
sslbump
==
'1'
%}
# setup ssl re-cert
sslcrtd_program
/
usr
/
local
/
libexec
/
squid
/
ssl_crtd
-
s
/
var
/
squid
/
ssl_crtd
-
M
4
MB
sslcrtd_children
5
sslcrtd_program
/
usr
/
local
/
libexec
/
squid
/
ssl_crtd
-
s
/
var
/
squid
/
ssl_crtd
-
M
{{
OPNsense
.
proxy
.
forward
.
ssl_crtd_storage_max_size
|
default
(
'4'
) }}
MB
sslcrtd_children
{{
OPNsense
.
proxy
.
forward
.
sslcrtd_children
|
default
(
'5'
) }}
# setup ssl bump acl's
acl
bump_step1
at_step
SslBump1
acl
bump_step2
at_step
SslBump2
acl
bump_step3
at_step
SslBump3
acl
bump_nobumpsites
ssl
::
server_name
"/usr/local/etc/squid/nobumpsites.acl"
# configure bump
ssl_bump
peek
bump_step1
all
ssl_bump
splice
bump_nobumpsites
ssl_bump
peek
bump_step2
bump_nobumpsites
ssl_bump
splice
bump_step3
bump_nobumpsites
ssl_bump
bump
{%
endif
%}
acl
ftp
proto
FTP
http_access
allow
ftp
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment