Commit 1dbbd263 authored by Ad Schellevis's avatar Ad Schellevis Committed by Franco Fichtner

(proxy) work in progress ssl-bump

(cherry picked from commit 92883b23)
parent 0b1a0f4b
...@@ -202,7 +202,7 @@ ...@@ -202,7 +202,7 @@
<type>checkbox</type> <type>checkbox</type>
<help><![CDATA[ <help><![CDATA[
Enable sslbump mode, Enable sslbump mode,
which makes the proxy act like a man in the middle between the internet and your clients. which makes the proxy act as a man in the middle between the internet and your clients.
Be aware of the security implications before enabling this option. Be aware of the security implications before enabling this option.
]]></help> ]]></help>
</field> </field>
...@@ -224,6 +224,20 @@ ...@@ -224,6 +224,20 @@
Create a list of sites which may not be inspected, for example bank sites. Create a list of sites which may not be inspected, for example bank sites.
]]></help> ]]></help>
</field> </field>
<field>
<id>proxy.forward.ssl_crtd_storage_max_size</id>
<label>SSL cache size</label>
<type>text</type>
<help><![CDATA[Enter the maximum size (in MB) to use for SSL certificates.]]></help>
<advanced>true</advanced>
</field>
<field>
<id>proxy.forward.sslcrtd_children</id>
<label>SSL cert workers</label>
<type>text</type>
<help><![CDATA[Enter the number of ssl certificate workers to use (sslcrtd_children).]]></help>
<advanced>true</advanced>
</field>
<field> <field>
<id>proxy.forward.addACLforInterfaceSubnets</id> <id>proxy.forward.addACLforInterfaceSubnets</id>
<label>Allow interface subnets</label> <label>Allow interface subnets</label>
......
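Review bot: The help text of the new `proxy.forward.ssl_crtd_storage_max_size` field, "Enter the maximum size (in MB) to use for SSL certificates", does not say what is being sized; from the squid.conf hunk the value feeds the `-M` argument of `sslcrtd_program`, i.e. the on-disk store of generated host certificates under `/var/squid/ssl_crtd`, distinct from the in-memory `dynamic_cert_mem_cache_size`. Suggest `Enter the maximum disk size (in MB) ssl_crtd may use for generated host certificates (default 4).` and a label that names the thing cached, e.g. `SSL certificate storage size`. The same applies to the `sslcrtd_children` help, which could state that these are helper processes generating certificates for bumped connections.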
...@@ -173,6 +173,20 @@ ...@@ -173,6 +173,20 @@
<mask>/^([a-zA-Z0-9.:,]){0,}/</mask> <mask>/^([a-zA-Z0-9.:,]){0,}/</mask>
<ValidationMessage>Please enter ip addresses or domain names here</ValidationMessage> <ValidationMessage>Please enter ip addresses or domain names here</ValidationMessage>
</sslnobumpsites> </sslnobumpsites>
<ssl_crtd_storage_max_size type="IntegerField">
<Required>Y</Required>
<default>4</default>
<MinimumValue>1</MinimumValue>
<MaximumValue>65535</MaximumValue>
<ValidationMessage>max size needs to be an integer value between 1 and 65535</ValidationMessage>
</ssl_crtd_storage_max_size>
<sslcrtd_children type="IntegerField">
<Required>Y</Required>
<default>5</default>
<MinimumValue>1</MinimumValue>
<MaximumValue>32</MaximumValue>
<ValidationMessage>the number of sslrtd children needs to be an integer value between 1 and 32</ValidationMessage>
</sslcrtd_children>
<ftpInterfaces type="InterfaceField"> <ftpInterfaces type="InterfaceField">
<Required>N</Required> <Required>N</Required>
<multiple>Y</multiple> <multiple>Y</multiple>
......
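Review bot: The ValidationMessage on the new `sslcrtd_children` field misspells the program name: `sslrtd children` should read `sslcrtd children`, matching the field id and the `sslcrtd_children` directive it populates; suggest `the number of sslcrtd children needs to be an integer value between 1 and 32`. The defaults (4 and 5) agree with the `|default(...)` fallbacks used in the squid.conf template, so the two files stay consistent.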
#!/usr/local/bin/php
<?php
/**
* Copyright (C) 2016 Deciso B.V.
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
*/
// use legacy code to generate certs and ca's
require_once("config.inc");
require_once("certs.inc");
require_once("legacy_bindings.inc");
use OPNsense\Core\Config;
global $config;
// Our template systems stores the ca certid into /usr/local/etc/squid/ca.pem.id
// Which makes it easier for the setup script to detect cert changes (which should flush the stored cache)
if (is_file('/usr/local/etc/squid/ca.pem.id')) {
$cert_refid = trim(file_get_contents('/usr/local/etc/squid/ca.pem.id'));
if (!empty($config['ca'])) {
foreach ($config['ca'] as $ca) {
if (isset($ca['refid']) && $ca['refid'] == $cert_refid) {
$pem_contents = '';
$pem_contents .= base64_decode($ca['prv']);
$pem_contents .= base64_decode($ca['crt']);
$pem_contents .= ca_chain($ca);
echo "certificate generated\n";
file_put_contents('/var/squid/ssl/ca.pem', $pem_contents);
}
}
}
}
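Review bot: `file_put_contents('/var/squid/ssl/ca.pem', $pem_contents)` writes the CA private key (`$ca['prv']`) alongside the certificate, but nothing restricts the mode of the resulting file, so it is created with the process umask and may be readable by any local account, exposing the key that signs every bumped host certificate; the setup script tightens `/var/squid/ssl_crtd` but not this file. The return value is also unchecked and "certificate generated" is echoed before the write, so a failed write still reports success. I would additionally compare the refid with `===` instead of `==` and skip CAs that carry no `prv` entry rather than decoding a missing index. Proposed rewrite of the match branch below; the `squid` owner follows the `squid:squid` used in the setup script, confirm it matches the user Squid runs as.
```php
if (isset($ca['refid']) && $ca['refid'] === $cert_refid) {
    if (empty($ca['prv'])) {
        // a CA without its private key cannot sign host certificates
        echo "selected CA has no private key, skipping\n";
        continue;
    }
    $pem_contents = base64_decode($ca['prv']) . base64_decode($ca['crt']) . ca_chain($ca);
    // the bundle holds the signing key: create it unreadable to others from the start
    $old_umask = umask(077);
    $written = file_put_contents('/var/squid/ssl/ca.pem', $pem_contents);
    umask($old_umask);
    if ($written === false) {
        echo "failed to write /var/squid/ssl/ca.pem\n";
        exit(1);
    }
    // an existing file keeps its old mode, so enforce it explicitly as well
    chmod('/var/squid/ssl/ca.pem', 0600);
    chown('/var/squid/ssl/ca.pem', 'squid');
    echo "certificate generated\n";
}
```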
...@@ -20,3 +20,6 @@ if [ ! -d /var/squid/ssl_crtd ]; then ...@@ -20,3 +20,6 @@ if [ ! -d /var/squid/ssl_crtd ]; then
chown -R squid:squid /var/squid/ssl_crtd chown -R squid:squid /var/squid/ssl_crtd
chmod -R 750 /var/squid/ssl_crtd chmod -R 750 /var/squid/ssl_crtd
fi fi
# generate SSL bump certificate
/usr/local/opnsense/scripts/proxy/generate_cert.php
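Review bot: The exit status of `/usr/local/opnsense/scripts/proxy/generate_cert.php` is ignored, so a failed or skipped certificate write lets the remaining setup continue against a missing or stale `/var/squid/ssl/ca.pem`; `/usr/local/opnsense/scripts/proxy/generate_cert.php || echo "generate_cert.php failed" >&2` would at least surface it in the setup output. The comment in generate_cert.php says a CA change should flush the stored certificate cache, but nothing in this commit clears `/var/squid/ssl_crtd` when `ca.pem.id` changes, so, if I read the ssl_crtd flow correctly, host certificates signed by the previous CA keep being served until the store is rebuilt. The `if [ ! -d /var/squid/ssl_crtd ]` block that the new lines follow starts outside the hunk.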
...@@ -3,3 +3,4 @@ squid.conf:/usr/local/etc/squid/squid.conf ...@@ -3,3 +3,4 @@ squid.conf:/usr/local/etc/squid/squid.conf
newsyslog.conf:/etc/newsyslog.conf.d/squid newsyslog.conf:/etc/newsyslog.conf.d/squid
externalACLs.conf:/usr/local/etc/squid/externalACLs.conf externalACLs.conf:/usr/local/etc/squid/externalACLs.conf
nobumpsites.acl:/usr/local/etc/squid/nobumpsites.acl nobumpsites.acl:/usr/local/etc/squid/nobumpsites.acl
ca.pem.id:/usr/local/etc/squid/ca.pem.id
{% if helpers.exists('OPNsense.proxy.forward.sslcertificate') %}
{{ OPNsense.proxy.forward.sslcertificate }}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.sslnobumpsites') and OPNsense.proxy.forward.sslnobumpsites != '' %}
{% for line in OPNsense.proxy.forward.sslnobumpsites.split(',') %}
{{ line }}
{% endfor %}
{% endif %}
...@@ -5,7 +5,7 @@ ...@@ -5,7 +5,7 @@
{# wrap http_port ssl bump configuration for reuse #} {# wrap http_port ssl bump configuration for reuse #}
{% macro sslbump_httpconfig() -%} {% macro sslbump_httpconfig() -%}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %} {% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=16MB generate-host-certificates=on ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
{% endif %} {% endif %}
{%- endmacro %} {%- endmacro %}
...@@ -36,19 +36,22 @@ http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }} {{ sslbump_http ...@@ -36,19 +36,22 @@ http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }} {{ sslbump_http
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %} {% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
# setup ssl re-cert # setup ssl re-cert
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_crtd -M 4MB sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_crtd -M {{ OPNsense.proxy.forward.ssl_crtd_storage_max_size|default('4') }}MB
sslcrtd_children 5 sslcrtd_children {{ OPNsense.proxy.forward.sslcrtd_children|default('5') }}
# setup ssl bump acl's # setup ssl bump acl's
acl bump_step1 at_step SslBump1 acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2 acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3 acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
# configure bump # configure bump
ssl_bump peek bump_step1 all ssl_bump peek bump_step1 all
ssl_bump splice bump_nobumpsites
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump bump ssl_bump bump
{% endif %} {% endif %}
acl ftp proto FTP acl ftp proto FTP
http_access allow ftp http_access allow ftp
......
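Review bot: Under Squid's first-match evaluation per step, `ssl_bump splice bump_nobumpsites` already splices any connection whose SNI is listed in nobumpsites.acl at SslBump2, so the two rules added after it, `ssl_bump peek bump_step2 bump_nobumpsites` and `ssl_bump splice bump_step3 bump_nobumpsites`, can never match and are dead configuration, if I trace the step ordering correctly. Either drop those two lines or, if the intent was to peek at the server hello before splicing, drop the unconditional splice instead. `ssl::server_name` at this step is matched against the client-supplied SNI or CONNECT host rather than a verified server certificate, which is worth stating in the help text of the no-bump list. In the first hunk `dynamic_cert_mem_cache_size=10MB` stays hard-coded while the on-disk size became configurable; consider exposing it the same way.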