Commit 65147668 authored by Ad Schellevis's avatar Ad Schellevis Committed by Franco Fichtner

(proxy) finish sslbump

(cherry picked from commit 048d5be4)
parent 8258d832
...@@ -202,10 +202,19 @@ ...@@ -202,10 +202,19 @@
<type>checkbox</type> <type>checkbox</type>
<help><![CDATA[ <help><![CDATA[
Enable sslbump mode, Enable sslbump mode,
which makes the proxy act as a man in the middle between the internet and your clients. which makes the proxy act as a man in the middle between the internet and your clients.<br/>
Be aware of the security implications before enabling this option. Be aware of the security implications before enabling this option.
<br/><br/>
Transparent HTTP proxy needs to be enabled and you need nat rules to reflect your traffic
for this feature to work.
]]></help> ]]></help>
</field> </field>
<field>
<id>proxy.forward.sslbumpport</id>
<label>SSL Proxy port</label>
<type>text</type>
<help><![CDATA[The port the ssl proxy service will listen to.]]></help>
</field>
<field> <field>
<id>proxy.forward.sslcertificate</id> <id>proxy.forward.sslcertificate</id>
<label>CA to use</label> <label>CA to use</label>
...@@ -221,7 +230,8 @@ ...@@ -221,7 +230,8 @@
<style>tokenize</style> <style>tokenize</style>
<allownew>true</allownew> <allownew>true</allownew>
<help><![CDATA[ <help><![CDATA[
Create a list of sites which may not be inspected, for example bank sites. Create a list of sites which may not be inspected, for example bank sites.<br/>
Prefix the domain with a . to accept all subdomains (e.g. .google.com).
]]></help> ]]></help>
</field> </field>
<field> <field>
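Review bot: The help text of the new `proxy.forward.sslbumpport` field (the `<help>` after `<type>text</type>`) does not say when the port is actually used: the sslbump help two fields above states that transparent mode and NAT rules are required, but a user reading only the port field cannot tell that it is ignored in explicit-proxy mode, nor what the default is. Suggest `<help><![CDATA[The port the SSL proxy service will listen to (default 3129). Only used when SSL bump and transparent mode are both enabled; presumably it must differ from the proxy port.]]></help>`. The sslbump help sentence `Transparent HTTP proxy needs to be enabled and you need nat rules to reflect your traffic for this feature to work.` reads more clearly as `Transparent HTTP proxy must be enabled, and NAT rules are needed to redirect your traffic, for this feature to work.`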
...@@ -159,6 +159,13 @@ ...@@ -159,6 +159,13 @@
<ValidationMessage>Proxy port needs to be an integer value between 1 and 65535</ValidationMessage> <ValidationMessage>Proxy port needs to be an integer value between 1 and 65535</ValidationMessage>
<Required>Y</Required> <Required>Y</Required>
</port> </port>
<sslbumpport type="IntegerField">
<default>3129</default>
<MinimumValue>1</MinimumValue>
<MaximumValue>65535</MaximumValue>
<ValidationMessage>SSL Proxy port needs to be an integer value between 1 and 65535</ValidationMessage>
<Required>Y</Required>
</sslbumpport>
<sslbump type="BooleanField"> <sslbump type="BooleanField">
<default>0</default> <default>0</default>
<Required>Y</Required> <Required>Y</Required>
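Review bot: The new `sslbumpport` IntegerField is validated only against its own 1–65535 range, so a value equal to the sibling `port` field passes; with transparent mode enabled the squid.conf template in this commit then renders an `http_port` and an `https_port` on the same 127.0.0.1/[::1] address and port, which would presumably prevent squid from binding. A cross-field check that `sslbumpport` differs from `port` belongs in the model's validation, which is outside this hunk. The `3129` default here is also repeated as a `|default('3129')` fallback in the template; keeping the model as the single source avoids the two drifting apart.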
...@@ -14,12 +14,30 @@ done ...@@ -14,12 +14,30 @@ done
# some vague errors. # some vague errors.
sleep 1 sleep 1
# remove ssl certificate store in case the user changed the CA
if [ -f /usr/local/etc/squid/ca.pem.id ]; then
current_cert=`cat /usr/local/etc/squid/ca.pem.id`
if [ -d /var/squid/ssl_crtd ]; then
if [ -f /var/squid/ssl_crtd.id ]; then
running_cert=`cat /var/squid/ssl_crtd.id`
else
running_cert=""
fi
if [ "$current_cert" != "$running_cert" ]; then
rm -rf /var/squid/ssl_crtd
fi
fi
fi
# create ssl certificate store, in case sslbump is enabled we need this # create ssl certificate store, in case sslbump is enabled we need this
if [ ! -d /var/squid/ssl_crtd ]; then if [ ! -d /var/squid/ssl_crtd ]; then
/usr/local/libexec/squid/ssl_crtd -c -s /var/squid/ssl_crtd > /dev/null 2>&1 /usr/local/libexec/squid/ssl_crtd -c -s /var/squid/ssl_crtd > /dev/null 2>&1
chown -R squid:squid /var/squid/ssl_crtd chown -R squid:squid /var/squid/ssl_crtd
chmod -R 750 /var/squid/ssl_crtd chmod -R 750 /var/squid/ssl_crtd
if [ -f /usr/local/etc/squid/ca.pem.id ]; then
cat /usr/local/etc/squid/ca.pem.id > /var/squid/ssl_crtd.id
fi
fi fi
# generate SSL bump certificate # generate SSL bump certificate
/usr/local/opnsense/scripts/proxy/generate_cert.php /usr/local/opnsense/scripts/proxy/generate_cert.php > /dev/null 2>&1
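Review bot: The `ca.pem.id` comparison at the top of the hunk runs before `generate_cert.php` at the bottom; if that script is what refreshes `/usr/local/etc/squid/ca.pem.id` (not visible here), the `/var/squid/ssl_crtd` store is compared against the previous run's id and a CA change only clears the cached host certificates one restart late — moving the `generate_cert.php` call above the `if [ -f /usr/local/etc/squid/ca.pem.id ]; then` block removes the lag. The new `> /dev/null 2>&1` on that call also discards its exit status, so a failed CA generation still lets the proxy start with sslbump enabled against whatever `/var/squid/ssl/ca.pem` is already on disk; appending `|| echo "generate_cert.php failed" >&2` would at least surface it. Stylistically, `current_cert=$(cat /usr/local/etc/squid/ca.pem.id)` is preferred over backticks. The enclosing script starts and ends outside the hunk.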
...@@ -3,16 +3,18 @@ ...@@ -3,16 +3,18 @@
# Do not edit this file manually. # Do not edit this file manually.
{# wrap http_port ssl bump configuration for reuse #} {# wrap http_port ssl bump configuration for reuse #}
{% macro sslbump_httpconfig() -%} {% macro sslbump_httpsconfig(network, tags='') -%}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %} {% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on https_port {{network}}:{{OPNsense.proxy.forward.sslbumpport|default('3129')}} {{tags}} ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
{% endif %} {% endif %}
{%- endmacro %} {%- endmacro %}
{% if helpers.exists('OPNsense.proxy.forward.transparentMode') and OPNsense.proxy.forward.transparentMode == '1' %} {% if helpers.exists('OPNsense.proxy.forward.transparentMode') and OPNsense.proxy.forward.transparentMode == '1' %}
# transparent mode, listen on localhost # transparent mode, listen on localhost
http_port 127.0.0.1:{{ OPNsense.proxy.forward.port }} intercept {{ sslbump_httpconfig() }} http_port 127.0.0.1:{{ OPNsense.proxy.forward.port }} intercept
http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept {{ sslbump_httpconfig() }} {{ sslbump_httpsconfig('127.0.0.1', 'intercept') }}
http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept
{{ sslbump_httpsconfig('[::1]', 'intercept') }}
{% endif %} {% endif %}
# Setup listen configuration # Setup listen configuration
...@@ -20,14 +22,14 @@ http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept {{ sslbump_httpconfi ...@@ -20,14 +22,14 @@ http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept {{ sslbump_httpconfi
{% for interface in OPNsense.proxy.forward.interfaces.split(",") %} {% for interface in OPNsense.proxy.forward.interfaces.split(",") %}
{% for intf_key,intf_item in interfaces.iteritems() %} {% for intf_key,intf_item in interfaces.iteritems() %}
{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %} {% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }} {{ sslbump_httpconfig() }} http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{# virtual ip's #} {# virtual ip's #}
{% if helpers.exists('virtualip') %} {% if helpers.exists('virtualip') %}
{% for intf_key,intf_item in virtualip.iteritems() %} {% for intf_key,intf_item in virtualip.iteritems() %}
{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %} {% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }} {{ sslbump_httpconfig() }} http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
...@@ -50,6 +52,8 @@ ssl_bump splice bump_nobumpsites ...@@ -50,6 +52,8 @@ ssl_bump splice bump_nobumpsites
ssl_bump peek bump_step2 bump_nobumpsites ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump bump ssl_bump bump
sslproxy_cert_error deny all
{% endif %} {% endif %}
acl ftp proto FTP acl ftp proto FTP
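Review bot: `sslproxy_cert_error deny all` in the last hunk is the line that decides what squid does when an origin server presents an invalid certificate while bumping, and it is added without a comment; record the intent with `# do not ignore origin certificate validation errors while bumping` above it. In the first hunk the interface and virtual-ip `http_port` lines lose the bump options and `sslbump_httpsconfig` is only called for the 127.0.0.1/[::1] intercept listeners, so sslbump is now effectively transparent-mode only — worth stating on the macro, e.g. `{# https_port is emitted only for the transparent listeners; explicit-proxy listeners are not bumped #}`. The `|default('3129')` inside the macro repeats the model's default for `sslbumpport`; if the model is the authority, the fallback can presumably be dropped so the two cannot drift.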