Commit 7d18504c authored Mar 20, 2016 by Ad Schellevis
(proxy) work in progress sslbum, some work to be done....
parent 6b2ec824
Changes: 5
Showing 5 changed files with 82 additions and 6 deletions (+82 -6)
main.xml (...pnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml): +28 -0
Proxy.xml (src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml): +14 -0
setup.sh (src/opnsense/scripts/proxy/setup.sh): +13 -2
+TARGETS (src/opnsense/service/templates/OPNsense/Proxy/+TARGETS): +1 -0
squid.conf (src/opnsense/service/templates/OPNsense/Proxy/squid.conf): +26 -4
src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
@@ -196,6 +196,34 @@
<a
href=
"/firewall_nat_edit.php?template=transparant_proxy"
>
add a new firewall rule
</a>
]]>
</help>
</field>
<field>
<id>
proxy.forward.sslbump
</id>
<label>
Enable SSL mode
</label>
<type>
checkbox
</type>
<help>
<![CDATA[
Enable sslbump mode,
which makes the proxy act like a man in the middle between the internet and your clients.
Be aware of the security implications before enabling this option.
]]>
</help>
</field>
<field>
<id>
proxy.forward.sslcertificate
</id>
<label>
CA to use
</label>
<type>
dropdown
</type>
<help>
<![CDATA[
Select a Certificate Authority to use.
]]>
</help>
</field>
<field>
<id>
proxy.forward.sslnobumpsites
</id>
<label>
SSL no bump sites
</label>
<type>
select_multiple
</type>
<style>
tokenize
</style>
<allownew>
true
</allownew>
<help>
<![CDATA[
Create a list of sites which may not be inspected, for example bank sites.
]]>
</help>
</field>
<field>
<id>
proxy.forward.addACLforInterfaceSubnets
</id>
<label>
Allow interface subnets
</label>
src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -159,6 +159,20 @@
<ValidationMessage>
Proxy port needs to be an integer value between 1 and 65535
</ValidationMessage>
<Required>
Y
</Required>
</port>
<sslbump
type=
"BooleanField"
>
<default>
0
</default>
<Required>
Y
</Required>
</sslbump>
<sslcertificate
type=
"CertificateField"
>
<Required>
N
</Required>
<Type>
ca
</Type>
<ValidationMessage>
Please select a valid certificate from the list
</ValidationMessage>
</sslcertificate>
<sslnobumpsites
type=
"CSVListField"
>
<Required>
N
</Required>
<mask>
/^([a-zA-Z0-9.:,]){0,}/
</mask>
<ValidationMessage>
Please enter ip addresses or domain names here
</ValidationMessage>
</sslnobumpsites>
<ftpInterfaces
type=
"InterfaceField"
>
<Required>
N
</Required>
<multiple>
Y
</multiple>
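Review bot: `sslcertificate` is `<Required>N</Required>` while `sslbump` can be set to 1 on its own, so the model accepts an SSL-bump configuration with no CA selected and the generated config would point at a certificate that does not exist; either require the certificate when sslbump is 1 or validate the two fields together. Separately, the `sslnobumpsites` mask `/^([a-zA-Z0-9.:,]){0,}/` is not anchored at the end and allows zero repetitions, so it matches every possible input and rejects nothing, while at the same time it leaves out `-`, which is valid in hostnames, and `/` for CIDR prefixes. Suggest an anchored pattern such as `/^[a-zA-Z0-9.:,/-]*$/` so the validation message ("Please enter ip addresses or domain names here") can actually trigger.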
src/opnsense/scripts/proxy/setup.sh
#!/bin/sh
SQUID_DIRS
=
"/var/log/squid /var/run/squid /var/squid /var/squid/cache /var/squid/logs"
SQUID_DIRS
=
"/var/log/squid /var/run/squid /var/squid /var/squid/cache /var/squid/
ssl /var/squid/
logs"
for
SQUID_DIR
in
${
SQUID_DIRS
}
;
do
mkdir
-p
${
SQUID_DIR
}
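Review bot: `/var/squid/ssl` is added to `SQUID_DIRS`, and the squid.conf template in this change expects the bump CA at `/var/squid/ssl/ca.pem`, but no file in this commit writes the selected CA's certificate and key there, so enabling sslbump yields a config that references a missing file; this should be on the work-to-be-done list or the export step added alongside. Because the directory will hold the CA private key, the `chmod -R 750` applied by the loop is the right starting point, but the key file itself should end up non-world-readable (600 or 640, owned by squid) once it is written.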
@@ -8,4 +8,15 @@ for SQUID_DIR in ${SQUID_DIRS}; do
chmod
-R
750
${
SQUID_DIR
}
done
/usr/sbin/pw groupmod proxy
-m
squid
/usr/local/sbin/squid
-z
/usr/local/sbin/squid
-z
>
/dev/null 2>&1
# wait a moment before exit, running squid -z and squid start without time between them sometimes results in
# some vague errors.
sleep
1
# create ssl certificate store, in case sslbump is enabled we need this
if
[
!
-d
/var/squid/ssl_crtd
]
;
then
/usr/local/libexec/squid/ssl_crtd
-c
-s
/var/squid/ssl_crtd
>
/dev/null 2>&1
chown
-R
squid:squid /var/squid/ssl_crtd
chmod
-R
750 /var/squid/ssl_crtd
fi
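Review bot: the `ssl_crtd -c -s /var/squid/ssl_crtd` initialisation only runs when the directory is absent and its output and exit status are thrown away with `> /dev/null 2>&1`; if it fails after creating the directory, every later run skips the step and Squid starts against a half-initialised certificate store with nothing in the logs to explain it. Check the exit status (for example remove the directory and exit non-zero on failure) and let stderr reach the log. Also, squid.conf passes `-M 4MB` to `sslcrtd_program` but the store is created here without a size; keep the two in sync by creating it with `ssl_crtd -c -s /var/squid/ssl_crtd -M 4MB`.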
src/opnsense/service/templates/OPNsense/Proxy/+TARGETS
@@ -2,3 +2,4 @@ rc.conf.d:/etc/rc.conf.d/squid
squid.conf:/usr/local/etc/squid/squid.conf
newsyslog.conf:/etc/newsyslog.conf.d/squid
externalACLs.conf:/usr/local/etc/squid/externalACLs.conf
nobumpsites.acl:/usr/local/etc/squid/nobumpsites.acl
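Review bot: the new target `nobumpsites.acl:/usr/local/etc/squid/nobumpsites.acl` points at a template that is not part of this change (the five changed files are main.xml, Proxy.xml, setup.sh, +TARGETS and squid.conf), and the squid.conf hunks never reference the file either, so the no-bump list entered in the form has no effect yet. Add the `nobumpsites.acl` template together with an `acl nobumpsites dstdomain "/usr/local/etc/squid/nobumpsites.acl"` (or `ssl::server_name`) rule and a matching `ssl_bump splice nobumpsites` in squid.conf, or leave the target out until those are in place.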
src/opnsense/service/templates/OPNsense/Proxy/squid.conf
@@ -2,10 +2,17 @@
# Automatic generated configuration for Squid.
# Do not edit this file manually.
{
# wrap http_port ssl bump configuration for reuse #}
{%
macro
sslbump_httpconfig
() -%}
{%
if
helpers
.
exists
(
'OPNsense.proxy.forward.sslbump'
)
and
OPNsense
.
proxy
.
forward
.
sslbump
==
'1'
%}
ssl
-
bump
cert
=/
var
/
squid
/
ssl
/
ca
.
pem
dynamic_cert_mem_cache_size
=
16
MB
generate
-
host
-
certificates
=
on
{%
endif
%}
{%-
endmacro
%}
{%
if
helpers
.
exists
(
'OPNsense.proxy.forward.transparentMode'
)
and
OPNsense
.
proxy
.
forward
.
transparentMode
==
'1'
%}
# transparent mode, listen on localhost
http_port
127
.
0
.
0
.
1
:{{
OPNsense
.
proxy
.
forward
.
port
}}
intercept
http_port
[::
1
]:{{
OPNsense
.
proxy
.
forward
.
port
}}
intercept
http_port
127
.
0
.
0
.
1
:{{
OPNsense
.
proxy
.
forward
.
port
}}
intercept
{{
sslbump_httpconfig
() }}
http_port
[::
1
]:{{
OPNsense
.
proxy
.
forward
.
port
}}
intercept
{{
sslbump_httpconfig
() }}
{%
endif
%}
# Setup listen configuration
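Review bot: in the transparent-mode block `sslbump_httpconfig()` is appended to `http_port ... intercept` lines, but an intercepted http_port only ever sees plain HTTP on port 80 (there is no CONNECT request to bump), so the `ssl-bump` option on those ports does nothing for intercepted HTTPS; transparent TLS inspection needs a separate `https_port <addr>:<port> intercept ssl-bump ...` listener with the same macro options and a NAT rule for port 443. Also `cert=/var/squid/ssl/ca.pem` is hard-coded while the model lets the user choose a CA via `sslcertificate`; the template or setup script needs to export that CA's certificate and key to this path, owned by squid and with the key unreadable by other users, otherwise the selection in the form is ignored.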
@@ -13,20 +20,35 @@ http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept
{%
for
interface
in
OPNsense
.
proxy
.
forward
.
interfaces
.
split
(
","
) %}
{%
for
intf_key
,
intf_item
in
interfaces
.
iteritems
() %}
{%
if
intf_key
==
interface
and
intf_item
.
ipaddr
!=
'dhcp'
%}
http_port
{{
intf_item
.
ipaddr
}}:{{
OPNsense
.
proxy
.
forward
.
port
}}
http_port
{{
intf_item
.
ipaddr
}}:{{
OPNsense
.
proxy
.
forward
.
port
}}
{{
sslbump_httpconfig
() }}
{%
endif
%}
{%
endfor
%}
{
# virtual ip's #}
{%
if
helpers
.
exists
(
'virtualip'
) %}
{%
for
intf_key
,
intf_item
in
virtualip
.
iteritems
() %}
{%
if
intf_item
.
interface
==
interface
and
intf_item
.
mode
==
'ipalias'
%}
http_port
{{
intf_item
.
subnet
}}:{{
OPNsense
.
proxy
.
forward
.
port
}}
http_port
{{
intf_item
.
subnet
}}:{{
OPNsense
.
proxy
.
forward
.
port
}}
{{
sslbump_httpconfig
() }}
{%
endif
%}
{%
endfor
%}
{%
endif
%}
{%
endfor
%}
{%
endif
%}
{%
if
helpers
.
exists
(
'OPNsense.proxy.forward.sslbump'
)
and
OPNsense
.
proxy
.
forward
.
sslbump
==
'1'
%}
# setup ssl re-cert
sslcrtd_program
/
usr
/
local
/
libexec
/
squid
/
ssl_crtd
-
s
/
var
/
squid
/
ssl_crtd
-
M
4
MB
sslcrtd_children
5
# setup ssl bump acl's
acl
bump_step1
at_step
SslBump1
acl
bump_step2
at_step
SslBump2
acl
bump_step3
at_step
SslBump3
# configure bump
ssl_bump
peek
bump_step1
all
ssl_bump
bump
{%
endif
%}
acl
ftp
proto
FTP
http_access
allow
ftp
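Review bot: the final `ssl_bump bump` rule has no ACL; Squid's access-line parser expects at least one, so write `ssl_bump bump all`. `bump_step2` and `bump_step3` are defined but never used, and nothing consults the `sslnobumpsites` list added to the model, so as written every site is bumped, including the bank sites the form help says should be exempt. Put an exclusion before the bump rule, for example `acl nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"` followed by `ssl_bump splice nobumpsites` and then `ssl_bump bump all`, so excluded destinations are tunnelled untouched after the peek at step 1.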