Commit 7d18504c authored by Ad Schellevis's avatar Ad Schellevis

(proxy) work in progress sslbump, some work to be done....

parent 6b2ec824
...@@ -196,6 +196,34 @@ ...@@ -196,6 +196,34 @@
<a href="/firewall_nat_edit.php?template=transparant_proxy"> add a new firewall rule </a> <a href="/firewall_nat_edit.php?template=transparant_proxy"> add a new firewall rule </a>
]]></help> ]]></help>
</field> </field>
<field>
<id>proxy.forward.sslbump</id>
<label>Enable SSL mode</label>
<type>checkbox</type>
<help><![CDATA[
Enable sslbump mode,
which makes the proxy act like a man in the middle between the internet and your clients.
Be aware of the security implications before enabling this option.
]]></help>
</field>
<field>
<id>proxy.forward.sslcertificate</id>
<label>CA to use</label>
<type>dropdown</type>
<help><![CDATA[
Select a Certificate Authority to use.
]]></help>
</field>
<field>
<id>proxy.forward.sslnobumpsites</id>
<label>SSL no bump sites</label>
<type>select_multiple</type>
<style>tokenize</style>
<allownew>true</allownew>
<help><![CDATA[
Create a list of sites which may not be inspected, for example bank sites.
]]></help>
</field>
<field> <field>
<id>proxy.forward.addACLforInterfaceSubnets</id> <id>proxy.forward.addACLforInterfaceSubnets</id>
<label>Allow interface subnets</label> <label>Allow interface subnets</label>
......
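Review bot: The help text for `proxy.forward.sslbump` warns of "security implications" without telling the operator what actually happens, and the `proxy.forward.sslcertificate` help does not say that the selected CA will be used to sign per-host certificates on the proxy, which is what the `generate-host-certificates=on` option in the squid.conf template implies. I would expand the sslbump help to `Enable sslbump mode, which makes the proxy act as a man in the middle: client TLS sessions are terminated here and server certificates are re-signed with the CA selected below, so every client must trust that CA and the CA's private key will reside on this firewall. Be aware of the security implications before enabling this option.` For `proxy.forward.sslnobumpsites` it is worth adding that listed destinations are passed through without decryption and therefore presumably also bypass any content inspection the proxy performs, which is the reason for the banking example. These are help-text changes only; the field definitions themselves look fine.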
...@@ -159,6 +159,20 @@ ...@@ -159,6 +159,20 @@
<ValidationMessage>Proxy port needs to be an integer value between 1 and 65535</ValidationMessage> <ValidationMessage>Proxy port needs to be an integer value between 1 and 65535</ValidationMessage>
<Required>Y</Required> <Required>Y</Required>
</port> </port>
<sslbump type="BooleanField">
<default>0</default>
<Required>Y</Required>
</sslbump>
<sslcertificate type="CertificateField">
<Required>N</Required>
<Type>ca</Type>
<ValidationMessage>Please select a valid certificate from the list</ValidationMessage>
</sslcertificate>
<sslnobumpsites type="CSVListField">
<Required>N</Required>
<mask>/^([a-zA-Z0-9.:,]){0,}/</mask>
<ValidationMessage>Please enter ip addresses or domain names here</ValidationMessage>
</sslnobumpsites>
<ftpInterfaces type="InterfaceField"> <ftpInterfaces type="InterfaceField">
<Required>N</Required> <Required>N</Required>
<multiple>Y</multiple> <multiple>Y</multiple>
......
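Review bot: The `<mask>` on `sslnobumpsites` (`/^([a-zA-Z0-9.:,]){0,}/`) accepts every input: `{0,}` permits an empty match and there is no `$` anchor, so the regex succeeds at position 0 of any string and characters such as spaces, quotes or newlines pass validation and end up in whatever consumes this field (a `nobumpsites.acl` target is registered in this commit). Anchor both ends and require at least one character, e.g. `<mask>/^[a-zA-Z0-9.:,-]+$/</mask>`; the hyphen is needed for ordinary hostnames like `my-bank.example`. Separately, `sslcertificate` is `Required N` while `sslbump` can be set to `1` with no CA selected, and the squid.conf template emits `cert=/var/squid/ssl/ca.pem` unconditionally when sslbump is on, so unless that dependency is enforced elsewhere Squid will be pointed at a file that was never written. If the model cannot express the conditional requirement, enforce it in the controller or at least state it in the field's `<ValidationMessage>`.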
#!/bin/sh #!/bin/sh
SQUID_DIRS="/var/log/squid /var/run/squid /var/squid /var/squid/cache /var/squid/logs" SQUID_DIRS="/var/log/squid /var/run/squid /var/squid /var/squid/cache /var/squid/ssl /var/squid/logs"
for SQUID_DIR in ${SQUID_DIRS}; do for SQUID_DIR in ${SQUID_DIRS}; do
mkdir -p ${SQUID_DIR} mkdir -p ${SQUID_DIR}
...@@ -8,4 +8,15 @@ for SQUID_DIR in ${SQUID_DIRS}; do ...@@ -8,4 +8,15 @@ for SQUID_DIR in ${SQUID_DIRS}; do
chmod -R 750 ${SQUID_DIR} chmod -R 750 ${SQUID_DIR}
done done
/usr/sbin/pw groupmod proxy -m squid /usr/sbin/pw groupmod proxy -m squid
/usr/local/sbin/squid -z /usr/local/sbin/squid -z > /dev/null 2>&1
# wait a moment before exit, running squid -z and squid start without time between them sometimes results in
# some vague errors.
sleep 1
# create ssl certificate store, in case sslbump is enabled we need this
if [ ! -d /var/squid/ssl_crtd ]; then
/usr/local/libexec/squid/ssl_crtd -c -s /var/squid/ssl_crtd > /dev/null 2>&1
chown -R squid:squid /var/squid/ssl_crtd
chmod -R 750 /var/squid/ssl_crtd
fi
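Review bot: `ssl_crtd -c` on the new lines has its output discarded and its exit status ignored, so if the store cannot be created the script still runs `chown -R` and `chmod -R` on a path that does not exist and the failure only surfaces later when squid.conf's `sslcrtd_program` cannot open the store. Check the result instead: `if ! /usr/local/libexec/squid/ssl_crtd -c -s /var/squid/ssl_crtd > /dev/null 2>&1; then echo "ssl_crtd store creation failed" >&2; exit 1; fi` before the ownership lines. The same `> /dev/null 2>&1` was added to `squid -z`, which likewise hides cache-init errors; keeping stderr would cost nothing. `/var/squid/ssl` was added to SQUID_DIRS and, given the template's `cert=/var/squid/ssl/ca.pem`, will presumably hold CA key material; 750 squid:squid is right for that, but a comment such as `# /var/squid/ssl holds the bump CA (private key) - never widen these permissions` would help the next maintainer, and the `sleep 1` comment could say what is actually being waited for rather than "vague errors".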
...@@ -2,3 +2,4 @@ rc.conf.d:/etc/rc.conf.d/squid ...@@ -2,3 +2,4 @@ rc.conf.d:/etc/rc.conf.d/squid
squid.conf:/usr/local/etc/squid/squid.conf squid.conf:/usr/local/etc/squid/squid.conf
newsyslog.conf:/etc/newsyslog.conf.d/squid newsyslog.conf:/etc/newsyslog.conf.d/squid
externalACLs.conf:/usr/local/etc/squid/externalACLs.conf externalACLs.conf:/usr/local/etc/squid/externalACLs.conf
nobumpsites.acl:/usr/local/etc/squid/nobumpsites.acl
...@@ -2,10 +2,17 @@ ...@@ -2,10 +2,17 @@
# Automatic generated configuration for Squid. # Automatic generated configuration for Squid.
# Do not edit this file manually. # Do not edit this file manually.
{# wrap http_port ssl bump configuration for reuse #}
{% macro sslbump_httpconfig() -%}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=16MB generate-host-certificates=on
{% endif %}
{%- endmacro %}
{% if helpers.exists('OPNsense.proxy.forward.transparentMode') and OPNsense.proxy.forward.transparentMode == '1' %} {% if helpers.exists('OPNsense.proxy.forward.transparentMode') and OPNsense.proxy.forward.transparentMode == '1' %}
# transparent mode, listen on localhost # transparent mode, listen on localhost
http_port 127.0.0.1:{{ OPNsense.proxy.forward.port }} intercept http_port 127.0.0.1:{{ OPNsense.proxy.forward.port }} intercept {{ sslbump_httpconfig() }}
http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept {{ sslbump_httpconfig() }}
{% endif %} {% endif %}
# Setup listen configuration # Setup listen configuration
...@@ -13,20 +20,35 @@ http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept ...@@ -13,20 +20,35 @@ http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept
{% for interface in OPNsense.proxy.forward.interfaces.split(",") %} {% for interface in OPNsense.proxy.forward.interfaces.split(",") %}
{% for intf_key,intf_item in interfaces.iteritems() %} {% for intf_key,intf_item in interfaces.iteritems() %}
{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %} {% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }} http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }} {{ sslbump_httpconfig() }}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{# virtual ip's #} {# virtual ip's #}
{% if helpers.exists('virtualip') %} {% if helpers.exists('virtualip') %}
{% for intf_key,intf_item in virtualip.iteritems() %} {% for intf_key,intf_item in virtualip.iteritems() %}
{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %} {% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }} http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }} {{ sslbump_httpconfig() }}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
# setup ssl re-cert
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_crtd -M 4MB
sslcrtd_children 5
# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
# configure bump
ssl_bump peek bump_step1 all
ssl_bump bump
{% endif %}
acl ftp proto FTP acl ftp proto FTP
http_access allow ftp http_access allow ftp
......
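Review bot: The `sslnobumpsites` list never reaches Squid: the new ssl_bump block peeks at step 1 and then unconditionally bumps, no ACL references `/usr/local/etc/squid/nobumpsites.acl` (registered as a target in this commit), and `bump_step2`/`bump_step3` are defined but unused, so the "SSL no bump sites" option silently does nothing and bank sites are intercepted like everything else. Add the ACL and splice those destinations before the catch-all: `acl nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"` after the step ACLs, then `ssl_bump splice nobumpsites` between the `peek` and `bump` lines. Splicing after a step-1 peek decides on the client SNI only, which is the information this list can sensibly match; if the decision should also consider the server certificate, peek at `bump_step2` as well before bumping. Note too that `sslbump_httpconfig()` emits `cert=/var/squid/ssl/ca.pem` whenever sslbump is enabled, even with no CA chosen in `sslcertificate`, and nothing visible in this commit writes that file, so the macro (or the model) should be guarded on a CA actually being selected or Squid will refuse to start.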