Commit 7d18504c authored by Ad Schellevis's avatar Ad Schellevis

(proxy) work in progress sslbum, some work to be done....

parent 6b2ec824
......@@ -196,6 +196,34 @@
<a href="/firewall_nat_edit.php?template=transparant_proxy"> add a new firewall rule </a>
]]></help>
</field>
<field>
<id>proxy.forward.sslbump</id>
<label>Enable SSL mode</label>
<type>checkbox</type>
<help><![CDATA[
Enable sslbump mode,
which makes the proxy act like a man in the middle between the internet and your clients.
Be aware of the security implications before enabling this option.
]]></help>
</field>
<field>
<id>proxy.forward.sslcertificate</id>
<label>CA to use</label>
<type>dropdown</type>
<help><![CDATA[
Select a Certificate Authority to use.
]]></help>
</field>
<field>
<id>proxy.forward.sslnobumpsites</id>
<label>SSL no bump sites</label>
<type>select_multiple</type>
<style>tokenize</style>
<allownew>true</allownew>
<help><![CDATA[
Create a list of sites which may not be inspected, for example bank sites.
]]></help>
</field>
<field>
<id>proxy.forward.addACLforInterfaceSubnets</id>
<label>Allow interface subnets</label>
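Review bot: The label `Enable SSL mode` does not say what the option does; the help text right under it describes certificate interception, so the label should too, e.g. `<label>Enable SSL inspection (SSL Bump)</label>`. The help for proxy.forward.sslcertificate could add that the chosen CA signs the per-host certificates the proxy generates (the squid.conf template uses it with generate-host-certificates=on), so clients must trust that CA for intercepted sites to load without warnings and the proxy needs its private key. The help for sslnobumpsites should state which forms are accepted (IP address or domain name, matching the model's validation message), since the tokenized input is otherwise free-form. The field list continues outside the hunk.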
......
......@@ -159,6 +159,20 @@
<ValidationMessage>Proxy port needs to be an integer value between 1 and 65535</ValidationMessage>
<Required>Y</Required>
</port>
<sslbump type="BooleanField">
<default>0</default>
<Required>Y</Required>
</sslbump>
<sslcertificate type="CertificateField">
<Required>N</Required>
<Type>ca</Type>
<ValidationMessage>Please select a valid certificate from the list</ValidationMessage>
</sslcertificate>
<sslnobumpsites type="CSVListField">
<Required>N</Required>
<mask>/^([a-zA-Z0-9.:,]){0,}/</mask>
<ValidationMessage>Please enter ip addresses or domain names here</ValidationMessage>
</sslnobumpsites>
<ftpInterfaces type="InterfaceField">
<Required>N</Required>
<multiple>Y</multiple>
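Review bot: The mask on sslnobumpsites, `<mask>/^([a-zA-Z0-9.:,]){0,}/</mask>`, is anchored only at the start and allows zero repetitions, so as a regular expression it matches every input — spaces, quotes, slashes included — and the field is effectively unvalidated even though its ValidationMessage promises IP addresses or domain names. Anchor both ends and require at least one character, e.g. `<mask>/^[a-zA-Z0-9.:,-]+$/</mask>`, which also admits the hyphen that a hostname such as `my-bank.example` (constructed example) contains and the current class rejects. Whether CSVListField applies the mask to the whole comma-separated value or to each item is not visible here; if it is per item, drop the comma from the class. Since this list is rendered into a Squid ACL file (nobumpsites.acl is registered in this commit), the mask is the place that keeps line breaks and directive syntax out of the generated configuration.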
......
#!/bin/sh
SQUID_DIRS="/var/log/squid /var/run/squid /var/squid /var/squid/cache /var/squid/logs"
SQUID_DIRS="/var/log/squid /var/run/squid /var/squid /var/squid/cache /var/squid/ssl /var/squid/logs"
for SQUID_DIR in ${SQUID_DIRS}; do
mkdir -p ${SQUID_DIR}
......@@ -8,4 +8,15 @@ for SQUID_DIR in ${SQUID_DIRS}; do
chmod -R 750 ${SQUID_DIR}
done
/usr/sbin/pw groupmod proxy -m squid
/usr/local/sbin/squid -z
/usr/local/sbin/squid -z > /dev/null 2>&1
# wait a moment before exit, running squid -z and squid start without time between them sometimes results in
# some vague errors.
sleep 1
# create ssl certificate store, in case sslbump is enabled we need this
if [ ! -d /var/squid/ssl_crtd ]; then
/usr/local/libexec/squid/ssl_crtd -c -s /var/squid/ssl_crtd > /dev/null 2>&1
chown -R squid:squid /var/squid/ssl_crtd
chmod -R 750 /var/squid/ssl_crtd
fi
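Review bot: The store initialisation at `/usr/local/libexec/squid/ssl_crtd -c -s /var/squid/ssl_crtd > /dev/null 2>&1` discards both its output and its exit status, so a failed creation is invisible and the following chown/chmod run against a directory that does not exist. Make the ownership fix-up conditional on success, e.g. `if /usr/local/libexec/squid/ssl_crtd -c -s /var/squid/ssl_crtd > /dev/null 2>&1; then` around the two lines, with an `else` that reports the failure to stderr instead of swallowing it; the same silent-failure concern applies to the changed `squid -z` line, whose output is newly redirected to /dev/null. The new /var/squid/ssl entry in SQUID_DIRS is where the squid.conf template expects ca.pem, yet nothing in this script places that file; presumably a separate export step writes it, which is worth a comment on the SQUID_DIRS line. The first hunk's header lies outside this view.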
......@@ -2,3 +2,4 @@ rc.conf.d:/etc/rc.conf.d/squid
squid.conf:/usr/local/etc/squid/squid.conf
newsyslog.conf:/etc/newsyslog.conf.d/squid
externalACLs.conf:/usr/local/etc/squid/externalACLs.conf
nobumpsites.acl:/usr/local/etc/squid/nobumpsites.acl
......@@ -2,10 +2,17 @@
# Automatic generated configuration for Squid.
# Do not edit this file manually.
{# wrap http_port ssl bump configuration for reuse #}
{% macro sslbump_httpconfig() -%}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=16MB generate-host-certificates=on
{% endif %}
{%- endmacro %}
{% if helpers.exists('OPNsense.proxy.forward.transparentMode') and OPNsense.proxy.forward.transparentMode == '1' %}
# transparent mode, listen on localhost
http_port 127.0.0.1:{{ OPNsense.proxy.forward.port }} intercept
http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept
http_port 127.0.0.1:{{ OPNsense.proxy.forward.port }} intercept {{ sslbump_httpconfig() }}
http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept {{ sslbump_httpconfig() }}
{% endif %}
# Setup listen configuration
......@@ -13,20 +20,35 @@ http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept
{% for interface in OPNsense.proxy.forward.interfaces.split(",") %}
{% for intf_key,intf_item in interfaces.iteritems() %}
{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }}
http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }} {{ sslbump_httpconfig() }}
{% endif %}
{% endfor %}
{# virtual ip's #}
{% if helpers.exists('virtualip') %}
{% for intf_key,intf_item in virtualip.iteritems() %}
{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }}
http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }} {{ sslbump_httpconfig() }}
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
# setup ssl re-cert
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_crtd -M 4MB
sslcrtd_children 5
# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
# configure bump
ssl_bump peek bump_step1 all
ssl_bump bump
{% endif %}
acl ftp proto FTP
http_access allow ftp
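Review bot: The bump policy `ssl_bump peek bump_step1 all` followed by `ssl_bump bump` bumps every connection, so the sslnobumpsites list added to the model in this commit (and the nobumpsites.acl template registered with it) is never consulted and the exclusion the form advertises for bank sites does not exist yet. Add `acl nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"` next to the step ACLs and `ssl_bump splice nobumpsites` before the final `ssl_bump bump`; after the step-1 peek the SNI is available for that match. `bump_step2` and `bump_step3` are declared but unused — use them in the policy or drop them. The certificate path `/var/squid/ssl/ca.pem` in the macro is fixed while the form lets the user choose a CA (proxy.forward.sslcertificate); presumably a separate export step writes that file, and a comment on the macro saying so would make the listen configuration readable on its own. The listen block continues outside the hunk.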
......