Commit 65147668 authored by Ad Schellevis's avatar Ad Schellevis Committed by Franco Fichtner

(proxy) finish sslbump

(cherry picked from commit 048d5be4)
parent 8258d832
......@@ -202,10 +202,19 @@
<type>checkbox</type>
<help><![CDATA[
Enable sslbump mode,
which makes the proxy act as a man in the middle between the internet and your clients.
which makes the proxy act as a man in the middle between the internet and your clients.<br/>
Be aware of the security implications before enabling this option.
<br/><br/>
Transparent HTTP proxy needs to be enabled and you need nat rules to reflect your traffic
for this feature to work.
]]></help>
</field>
<field>
<id>proxy.forward.sslbumpport</id>
<label>SSL Proxy port</label>
<type>text</type>
<help><![CDATA[The port the ssl proxy service will listen to.]]></help>
</field>
<field>
<id>proxy.forward.sslcertificate</id>
<label>CA to use</label>
......@@ -221,7 +230,8 @@
<style>tokenize</style>
<allownew>true</allownew>
<help><![CDATA[
Create a list of sites which may not be inspected, for example bank sites.
Create a list of sites which may not be inspected, for example bank sites.<br/>
Prefix the domain with a . to accept all subdomains (e.g. .google.com).
]]></help>
</field>
<field>
......
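Review bot: The help for proxy.forward.sslbumpport on line 23 only says the ssl proxy listens on that port; as far as the template hunk in this commit shows, that listener is an intercept port bound to loopback, so the admin also needs to know it is the port their NAT reflection rules must redirect HTTPS to and that it should not collide with the plain proxy port, mirroring the note already given on lines 15–16. Something like `<help><![CDATA[The port the ssl proxy service will listen to (transparent mode only, redirect HTTPS traffic here; use a port different from the proxy port).]]></help>` would keep both help texts consistent. The enclosing field list continues outside the hunk.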
......@@ -159,6 +159,13 @@
<ValidationMessage>Proxy port needs to be an integer value between 1 and 65535</ValidationMessage>
<Required>Y</Required>
</port>
<sslbumpport type="IntegerField">
<default>3129</default>
<MinimumValue>1</MinimumValue>
<MaximumValue>65535</MaximumValue>
<ValidationMessage>SSL Proxy port needs to be an integer value between 1 and 65535</ValidationMessage>
<Required>Y</Required>
</sslbumpport>
<sslbump type="BooleanField">
<default>0</default>
<Required>Y</Required>
......
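Review bot: Nothing rejects sslbumpport being set to the same value as port; the two fields are independent IntegerFields with identical 1–65535 ranges, and from the template hunk in this commit squid would then receive an http_port and an https_port on the same loopback address and port, which presumably fails at bind time instead of at form validation. A cross-field check wherever the model validates combined constraints (outside this hunk), rejecting `sslbumpport == port` with a ValidationMessage phrased like line 47, would surface the problem in the UI. The enclosing element continues outside the hunk.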
......@@ -3,9 +3,9 @@
SQUID_DIRS="/var/log/squid /var/run/squid /var/squid /var/squid/cache /var/squid/ssl /var/squid/logs"
for SQUID_DIR in ${SQUID_DIRS}; do
mkdir -p ${SQUID_DIR}
chown -R squid:squid ${SQUID_DIR}
chmod -R 750 ${SQUID_DIR}
mkdir -p ${SQUID_DIR}
chown -R squid:squid ${SQUID_DIR}
chmod -R 750 ${SQUID_DIR}
done
/usr/sbin/pw groupmod proxy -m squid
/usr/local/sbin/squid -z > /dev/null 2>&1
......@@ -14,12 +14,30 @@ done
# some vague errors.
sleep 1
# remove ssl certificate store in case the user changed the CA
if [ -f /usr/local/etc/squid/ca.pem.id ]; then
current_cert=`cat /usr/local/etc/squid/ca.pem.id`
if [ -d /var/squid/ssl_crtd ]; then
if [ -f /var/squid/ssl_crtd.id ]; then
running_cert=`cat /var/squid/ssl_crtd.id`
else
running_cert=""
fi
if [ "$current_cert" != "$running_cert" ]; then
rm -rf /var/squid/ssl_crtd
fi
fi
fi
# create ssl certificate store, in case sslbump is enabled we need this
if [ ! -d /var/squid/ssl_crtd ]; then
/usr/local/libexec/squid/ssl_crtd -c -s /var/squid/ssl_crtd > /dev/null 2>&1
chown -R squid:squid /var/squid/ssl_crtd
chmod -R 750 /var/squid/ssl_crtd
/usr/local/libexec/squid/ssl_crtd -c -s /var/squid/ssl_crtd > /dev/null 2>&1
chown -R squid:squid /var/squid/ssl_crtd
chmod -R 750 /var/squid/ssl_crtd
if [ -f /usr/local/etc/squid/ca.pem.id ]; then
cat /usr/local/etc/squid/ca.pem.id > /var/squid/ssl_crtd.id
fi
fi
# generate SSL bump certificate
/usr/local/opnsense/scripts/proxy/generate_cert.php
/usr/local/opnsense/scripts/proxy/generate_cert.php > /dev/null 2>&1
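Review bot: The last line now discards stderr as well as stdout of generate_cert.php, so if the CA export fails the script carries on and squid is started with an ssl-bump listener pointing at a cert=/var/squid/ssl/ca.pem that presumably does not exist, with nothing in the rc output to explain it; keep stderr or test the status, e.g. `/usr/local/opnsense/scripts/proxy/generate_cert.php > /dev/null || echo "generate_cert.php failed" >&2`. The substitutions on lines 71 and 74 use backticks; `current_cert=$(cat /usr/local/etc/squid/ca.pem.id)` is the POSIX form and nests cleanly. The stale-store comparison on lines 70–82 also reads ca.pem.id before generate_cert.php runs, so if that script is what writes the id file, a changed CA would only invalidate /var/squid/ssl_crtd on the following restart — worth confirming against the PHP side.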
......@@ -3,16 +3,18 @@
# Do not edit this file manually.
{# wrap http_port ssl bump configuration for reuse #}
{% macro sslbump_httpconfig() -%}
{% macro sslbump_httpsconfig(network, tags='') -%}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
https_port {{network}}:{{OPNsense.proxy.forward.sslbumpport|default('3129')}} {{tags}} ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
{% endif %}
{%- endmacro %}
{% if helpers.exists('OPNsense.proxy.forward.transparentMode') and OPNsense.proxy.forward.transparentMode == '1' %}
# transparent mode, listen on localhost
http_port 127.0.0.1:{{ OPNsense.proxy.forward.port }} intercept {{ sslbump_httpconfig() }}
http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept {{ sslbump_httpconfig() }}
http_port 127.0.0.1:{{ OPNsense.proxy.forward.port }} intercept
{{ sslbump_httpsconfig('127.0.0.1', 'intercept') }}
http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept
{{ sslbump_httpsconfig('[::1]', 'intercept') }}
{% endif %}
# Setup listen configuration
......@@ -20,14 +22,14 @@ http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept {{ sslbump_httpconfi
{% for interface in OPNsense.proxy.forward.interfaces.split(",") %}
{% for intf_key,intf_item in interfaces.iteritems() %}
{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }} {{ sslbump_httpconfig() }}
http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }}
{% endif %}
{% endfor %}
{# virtual ip's #}
{% if helpers.exists('virtualip') %}
{% for intf_key,intf_item in virtualip.iteritems() %}
{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }} {{ sslbump_httpconfig() }}
http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }}
{% endif %}
{% endfor %}
{% endif %}
......@@ -50,6 +52,8 @@ ssl_bump splice bump_nobumpsites
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump bump
sslproxy_cert_error deny all
{% endif %}
acl ftp proto FTP
......
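Review bot: The per-interface listeners on lines 123 and 131 lose their ssl-bump options and get no matching https_port, so bumping is now only offered on the loopback intercept listeners of lines 113 and 115; that agrees with the form help added in this commit, which says transparent mode is required, but the template itself does not record the decision. A comment before line 108, `{# ssl bump is only configured on the intercept listeners; explicit-proxy ports on interface addresses are never bumped #}`, would stop the next editor from re-adding the macro call there. The `sslproxy_cert_error deny all` on line 139 is the right conservative setting and deserves a one-line comment saying it is deliberate, since it is the directive an admin will be tempted to relax when a site's certificate fails validation.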