Merge pull request #1332 from mmorev/master

Non-transparent SSL Bumping

src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml

@@ -223,23 +223,24 @@
             </field>
             <field>
                 <id>proxy.forward.sslbump</id>
-                <label>Enable SSL mode</label>
+                <label>Enable SSL inspection</label>
                 <type>checkbox</type>
                 <help><![CDATA[
-                  Enable sslbump mode,
-                  which makes the proxy act as a man in the middle between the internet and your clients.<br/>
+                  Enable SSL inspection mode,
+                  which allows to log HTTPS connections information, such as requested URL and/or
+                  make the proxy act as a man in the middle between the internet and your clients.<br/>
                   Be aware of the security implications before enabling this option.
-                  <br/><br/>
-                  Transparent HTTP proxy needs to be enabled and you need nat rules to reflect your traffic
-                  for this feature to work.<br/>
-                  <a href="/firewall_nat_edit.php?template=transparent_proxy&https=1"> Add a new firewall rule </a>
                   ]]></help>
             </field>
             <field>
                 <id>proxy.forward.sslurlonly</id>
-                <label>SSL Domain/IP only</label>
+                <label>Log SNI information only</label>
                 <type>checkbox</type>
-                <help>Do not filter content, only domains and addresses</help>
+                <help><![CDATA[
+                  Do not decode and/or filter SSL content, only log requested domains and IP addresses.<br/>
+                  Some old servers may not provide SNI, so their addresses will not be indicated.<br/>Get more information about
+                  <a href="https://wikipedia.org/wiki/Server_Name_Indication" target="_blank">Server Name Indication</a>.
+                  ]]></help>
             </field>
             <field>
                 <id>proxy.forward.sslbumpport</id>

src/opnsense/service/templates/OPNsense/Proxy/squid.conf

@@ -3,38 +3,45 @@
 # Do not edit this file manually.
 #
 
-{# wrap http_port ssl bump configuration for reuse #}
-{% macro sslbump_httpsconfig(network, tags='') -%}
-  {% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
-https_port {{network}}:{{OPNsense.proxy.forward.sslbumpport|default('3129')}} {{tags}} ssl-bump cert=/var/squid/ssl/ca.pem  dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
-  {% endif %}
+{# wrap listener configuration for reuse #}
+{% macro listener_config(network, port='3129', tags='', protocol='') -%}
+{%     if protocol == 'ssl' %}
+{%         set listener_type = 'https_port' %}
+{%     else %}
+{%         set listener_type = 'http_port' %}
+{%     endif %}
+{%     set sslparams = '' %}
+{%     if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
+{%         set sslparams = 'ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on' %}
+{%     endif %}
+{{listener_type}} {{network}}:{{port}} {{tags}} {{sslparams}}
 {%- endmacro %}
 
 {% if helpers.exists('OPNsense.proxy.forward.transparentMode') and OPNsense.proxy.forward.transparentMode == '1' %}
-# transparent mode, listen on localhost
-http_port 127.0.0.1:{{ OPNsense.proxy.forward.port }} intercept
-{{ sslbump_httpsconfig('127.0.0.1', 'intercept') }}
-http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept
-{{ sslbump_httpsconfig('[::1]', 'intercept') }}
+# Setup transparent mode listeners on loopback interfaces
+{{ listener_config('127.0.0.1', OPNsense.proxy.forward.port, 'intercept') }}
+{{ listener_config('127.0.0.1', OPNsense.proxy.forward.sslbumpport, 'intercept', 'ssl') }}
+{{ listener_config('[::1]', OPNsense.proxy.forward.port, 'intercept') }}
+{{ listener_config('[::1]', OPNsense.proxy.forward.sslbumpport, 'intercept', 'ssl') }}
 {% endif %}
 
-# Setup listen configuration
+# Setup regular listeners configuration
 {% if helpers.exists('OPNsense.proxy.forward.interfaces') %}
-{%   for interface in OPNsense.proxy.forward.interfaces.split(",") %}
-{%      for intf_key,intf_item in interfaces.iteritems() %}
-{%          if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
-http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }}
-{%          endif %}
-{%      endfor %}
+{%     for interface in OPNsense.proxy.forward.interfaces.split(",") %}
+{%         for intf_key,intf_item in interfaces.iteritems() %}
+{%             if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
+{{ listener_config(intf_item.ipaddr, OPNsense.proxy.forward.port) }}
+{%             endif %}
+{%         endfor %}
 {# virtual ip's #}
-{%      if helpers.exists('virtualip') %}
-{%          for intf_key,intf_item in virtualip.iteritems() %}
-{%              if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
-http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }}
-{%              endif %}
-{%          endfor %}
-{%      endif %}
-{%   endfor %}
+{%         if helpers.exists('virtualip') %}
+{%             for intf_key,intf_item in virtualip.iteritems() %}
+{%                 if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
+{{ listener_config(intf_item.subnet, OPNsense.proxy.forward.port) }}
+{%                 endif %}
+{%             endfor %}
+{%         endif %}
+{%     endfor %}
 {% endif %}
 
 {% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}