Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
O
OpnSense
Project
Project
Details
Activity
Releases
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Kulya
OpnSense
Commits
65147668
Commit
65147668
authored
Mar 21, 2016
by
Ad Schellevis
Committed by
Franco Fichtner
Apr 03, 2016
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
(proxy) finish sslbump
(cherry picked from commit
048d5be4
)
parent
8258d832
Changes
4
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
54 additions
and
15 deletions
+54
-15
main.xml
...pnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
+12
-2
Proxy.xml
src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+7
-0
setup.sh
src/opnsense/scripts/proxy/setup.sh
+25
-7
squid.conf
src/opnsense/service/templates/OPNsense/Proxy/squid.conf
+10
-6
No files found.
src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
View file @
65147668
...
...
@@ -202,10 +202,19 @@
<type>
checkbox
</type>
<help>
<![CDATA[
Enable sslbump mode,
which makes the proxy act as a man in the middle between the internet and your clients.
which makes the proxy act as a man in the middle between the internet and your clients.
<br/>
Be aware of the security implications before enabling this option.
<br/><br/>
Transparent HTTP proxy needs to be enabled and you need nat rules to reflect your traffic
for this feature to work.
]]>
</help>
</field>
<field>
<id>
proxy.forward.sslbumpport
</id>
<label>
SSL Proxy port
</label>
<type>
text
</type>
<help>
<![CDATA[The port the ssl proxy service will listen to.]]>
</help>
</field>
<field>
<id>
proxy.forward.sslcertificate
</id>
<label>
CA to use
</label>
...
...
@@ -221,7 +230,8 @@
<style>
tokenize
</style>
<allownew>
true
</allownew>
<help>
<![CDATA[
Create a list of sites which may not be inspected, for example bank sites.
Create a list of sites which may not be inspected, for example bank sites.<br/>
Prefix the domain with a . to accept all subdomains (e.g. .google.com).
]]>
</help>
</field>
<field>
...
...
src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
View file @
65147668
...
...
@@ -159,6 +159,13 @@
<ValidationMessage>
Proxy port needs to be an integer value between 1 and 65535
</ValidationMessage>
<Required>
Y
</Required>
</port>
<sslbumpport
type=
"IntegerField"
>
<default>
3129
</default>
<MinimumValue>
1
</MinimumValue>
<MaximumValue>
65535
</MaximumValue>
<ValidationMessage>
SSL Proxy port needs to be an integer value between 1 and 65535
</ValidationMessage>
<Required>
Y
</Required>
</sslbumpport>
<sslbump
type=
"BooleanField"
>
<default>
0
</default>
<Required>
Y
</Required>
...
...
src/opnsense/scripts/proxy/setup.sh
View file @
65147668
...
...
@@ -3,9 +3,9 @@
SQUID_DIRS
=
"/var/log/squid /var/run/squid /var/squid /var/squid/cache /var/squid/ssl /var/squid/logs"
for
SQUID_DIR
in
${
SQUID_DIRS
}
;
do
mkdir
-p
${
SQUID_DIR
}
chown
-R
squid:squid
${
SQUID_DIR
}
chmod
-R
750
${
SQUID_DIR
}
mkdir
-p
${
SQUID_DIR
}
chown
-R
squid:squid
${
SQUID_DIR
}
chmod
-R
750
${
SQUID_DIR
}
done
/usr/sbin/pw groupmod proxy
-m
squid
/usr/local/sbin/squid
-z
>
/dev/null 2>&1
...
...
@@ -14,12 +14,30 @@ done
# some vague errors.
sleep
1
# remove ssl certificate store in case the user changed the CA
if
[
-f
/usr/local/etc/squid/ca.pem.id
]
;
then
current_cert
=
`
cat
/usr/local/etc/squid/ca.pem.id
`
if
[
-d
/var/squid/ssl_crtd
]
;
then
if
[
-f
/var/squid/ssl_crtd.id
]
;
then
running_cert
=
`
cat
/var/squid/ssl_crtd.id
`
else
running_cert
=
""
fi
if
[
"
$current_cert
"
!=
"
$running_cert
"
]
;
then
rm
-rf
/var/squid/ssl_crtd
fi
fi
fi
# create ssl certificate store, in case sslbump is enabled we need this
if
[
!
-d
/var/squid/ssl_crtd
]
;
then
/usr/local/libexec/squid/ssl_crtd
-c
-s
/var/squid/ssl_crtd
>
/dev/null 2>&1
chown
-R
squid:squid /var/squid/ssl_crtd
chmod
-R
750 /var/squid/ssl_crtd
/usr/local/libexec/squid/ssl_crtd
-c
-s
/var/squid/ssl_crtd
>
/dev/null 2>&1
chown
-R
squid:squid /var/squid/ssl_crtd
chmod
-R
750 /var/squid/ssl_crtd
if
[
-f
/usr/local/etc/squid/ca.pem.id
]
;
then
cat
/usr/local/etc/squid/ca.pem.id
>
/var/squid/ssl_crtd.id
fi
fi
# generate SSL bump certificate
/usr/local/opnsense/scripts/proxy/generate_cert.php
/usr/local/opnsense/scripts/proxy/generate_cert.php
>
/dev/null 2>&1
src/opnsense/service/templates/OPNsense/Proxy/squid.conf
View file @
65147668
...
...
@@ -3,16 +3,18 @@
# Do not edit this file manually.
{
# wrap http_port ssl bump configuration for reuse #}
{%
macro
sslbump_http
config
(
) -%}
{%
macro
sslbump_http
sconfig
(
network
,
tags
=
''
) -%}
{%
if
helpers
.
exists
(
'OPNsense.proxy.forward.sslbump'
)
and
OPNsense
.
proxy
.
forward
.
sslbump
==
'1'
%}
ssl
-
bump
cert
=/
var
/
squid
/
ssl
/
ca
.
pem
dynamic_cert_mem_cache_size
=
10
MB
generate
-
host
-
certificates
=
on
https_port
{{
network
}}:{{
OPNsense
.
proxy
.
forward
.
sslbumpport
|
default
(
'3129'
)}} {{
tags
}}
ssl
-
bump
cert
=/
var
/
squid
/
ssl
/
ca
.
pem
dynamic_cert_mem_cache_size
=
10
MB
generate
-
host
-
certificates
=
on
{%
endif
%}
{%-
endmacro
%}
{%
if
helpers
.
exists
(
'OPNsense.proxy.forward.transparentMode'
)
and
OPNsense
.
proxy
.
forward
.
transparentMode
==
'1'
%}
# transparent mode, listen on localhost
http_port
127
.
0
.
0
.
1
:{{
OPNsense
.
proxy
.
forward
.
port
}}
intercept
{{
sslbump_httpconfig
() }}
http_port
[::
1
]:{{
OPNsense
.
proxy
.
forward
.
port
}}
intercept
{{
sslbump_httpconfig
() }}
http_port
127
.
0
.
0
.
1
:{{
OPNsense
.
proxy
.
forward
.
port
}}
intercept
{{
sslbump_httpsconfig
(
'127.0.0.1'
,
'intercept'
) }}
http_port
[::
1
]:{{
OPNsense
.
proxy
.
forward
.
port
}}
intercept
{{
sslbump_httpsconfig
(
'[::1]'
,
'intercept'
) }}
{%
endif
%}
# Setup listen configuration
...
...
@@ -20,14 +22,14 @@ http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept {{ sslbump_httpconfi
{%
for
interface
in
OPNsense
.
proxy
.
forward
.
interfaces
.
split
(
","
) %}
{%
for
intf_key
,
intf_item
in
interfaces
.
iteritems
() %}
{%
if
intf_key
==
interface
and
intf_item
.
ipaddr
!=
'dhcp'
%}
http_port
{{
intf_item
.
ipaddr
}}:{{
OPNsense
.
proxy
.
forward
.
port
}}
{{
sslbump_httpconfig
() }}
http_port
{{
intf_item
.
ipaddr
}}:{{
OPNsense
.
proxy
.
forward
.
port
}}
{%
endif
%}
{%
endfor
%}
{
# virtual ip's #}
{%
if
helpers
.
exists
(
'virtualip'
) %}
{%
for
intf_key
,
intf_item
in
virtualip
.
iteritems
() %}
{%
if
intf_item
.
interface
==
interface
and
intf_item
.
mode
==
'ipalias'
%}
http_port
{{
intf_item
.
subnet
}}:{{
OPNsense
.
proxy
.
forward
.
port
}}
{{
sslbump_httpconfig
() }}
http_port
{{
intf_item
.
subnet
}}:{{
OPNsense
.
proxy
.
forward
.
port
}}
{%
endif
%}
{%
endfor
%}
{%
endif
%}
...
...
@@ -50,6 +52,8 @@ ssl_bump splice bump_nobumpsites
ssl_bump
peek
bump_step2
bump_nobumpsites
ssl_bump
splice
bump_step3
bump_nobumpsites
ssl_bump
bump
sslproxy_cert_error
deny
all
{%
endif
%}
acl
ftp
proto
FTP
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment