lucaspalomodevelop/core
1
0
Fork 0
mirror of https://github.com/lucaspalomodevelop/core.git synced 2026-03-14 08:34:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

(proxy) finish sslbump

Browse Source
This commit is contained in:
Ad Schellevis 2016-03-21 21:04:33 +01:00
parent 0e553b0a08
commit 048d5be4fc
4 changed files with 54 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
View File

@ -202,10 +202,19 @@
<type>checkbox</type>
<help><![CDATA[
Enable sslbump mode,
which makes the proxy act as a man in the middle between the internet and your clients.
which makes the proxy act as a man in the middle between the internet and your clients.<br/>
Be aware of the security implications before enabling this option.
<br/><br/>
Transparent HTTP proxy needs to be enabled and you need nat rules to reflect your traffic
for this feature to work.
]]></help>
</field>
<field>
<id>proxy.forward.sslbumpport</id>
<label>SSL Proxy port</label>
<type>text</type>
<help><![CDATA[The port the ssl proxy service will listen to.]]></help>
</field>
<field>
<id>proxy.forward.sslcertificate</id>
<label>CA to use</label>
@ -221,7 +230,8 @@
<style>tokenize</style>
<allownew>true</allownew>
<help><![CDATA[
Create a list of sites which may not be inspected, for example bank sites.
Create a list of sites which may not be inspected, for example bank sites.<br/>
Prefix the domain with a . to accept all subdomains (e.g. .google.com).
]]></help>
</field>
<field>

7
src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
View File

@ -159,6 +159,13 @@
<ValidationMessage>Proxy port needs to be an integer value between 1 and 65535</ValidationMessage>
<Required>Y</Required>
</port>
<sslbumpport type="IntegerField">
<default>3129</default>
<MinimumValue>1</MinimumValue>
<MaximumValue>65535</MaximumValue>
<ValidationMessage>SSL Proxy port needs to be an integer value between 1 and 65535</ValidationMessage>
<Required>Y</Required>
</sslbumpport>
<sslbump type="BooleanField">
<default>0</default>
<Required>Y</Required>

32
src/opnsense/scripts/proxy/setup.sh
View File

@ -3,9 +3,9 @@
SQUID_DIRS="/var/log/squid /var/run/squid /var/squid /var/squid/cache /var/squid/ssl /var/squid/logs"
for SQUID_DIR in ${SQUID_DIRS}; do
mkdir -p ${SQUID_DIR}
chown -R squid:squid ${SQUID_DIR}
chmod -R 750 ${SQUID_DIR}
mkdir -p ${SQUID_DIR}
chown -R squid:squid ${SQUID_DIR}
chmod -R 750 ${SQUID_DIR}
done
/usr/sbin/pw groupmod proxy -m squid
/usr/local/sbin/squid -z > /dev/null 2>&1
@ -14,12 +14,30 @@ done
# some vague errors.
sleep 1
# remove ssl certificate store in case the user changed the CA
if [ -f /usr/local/etc/squid/ca.pem.id ]; then
current_cert=`cat /usr/local/etc/squid/ca.pem.id`
if [ -d /var/squid/ssl_crtd ]; then
if [ -f /var/squid/ssl_crtd.id ]; then
running_cert=`cat /var/squid/ssl_crtd.id`
else
running_cert=""
fi
if [ "$current_cert" != "$running_cert" ]; then
rm -rf /var/squid/ssl_crtd
fi
fi
fi
# create ssl certificate store, in case sslbump is enabled we need this
if [ ! -d /var/squid/ssl_crtd ]; then
/usr/local/libexec/squid/ssl_crtd -c -s /var/squid/ssl_crtd > /dev/null 2>&1
chown -R squid:squid /var/squid/ssl_crtd
chmod -R 750 /var/squid/ssl_crtd
/usr/local/libexec/squid/ssl_crtd -c -s /var/squid/ssl_crtd > /dev/null 2>&1
chown -R squid:squid /var/squid/ssl_crtd
chmod -R 750 /var/squid/ssl_crtd
if [ -f /usr/local/etc/squid/ca.pem.id ]; then
cat /usr/local/etc/squid/ca.pem.id > /var/squid/ssl_crtd.id
fi
fi
# generate SSL bump certificate
/usr/local/opnsense/scripts/proxy/generate_cert.php
/usr/local/opnsense/scripts/proxy/generate_cert.php > /dev/null 2>&1

16
src/opnsense/service/templates/OPNsense/Proxy/squid.conf
View File

@ -3,16 +3,18 @@
# Do not edit this file manually.
{# wrap http_port ssl bump configuration for reuse #}
{% macro sslbump_httpconfig() -%}
{% macro sslbump_httpsconfig(network, tags='') -%}
{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
https_port {{network}}:{{OPNsense.proxy.forward.sslbumpport|default('3129')}} {{tags}} ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
{% endif %}
{%- endmacro %}
{% if helpers.exists('OPNsense.proxy.forward.transparentMode') and OPNsense.proxy.forward.transparentMode == '1' %}
# transparent mode, listen on localhost
http_port 127.0.0.1:{{ OPNsense.proxy.forward.port }} intercept {{ sslbump_httpconfig() }}
http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept {{ sslbump_httpconfig() }}
http_port 127.0.0.1:{{ OPNsense.proxy.forward.port }} intercept
{{ sslbump_httpsconfig('127.0.0.1', 'intercept') }}
http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept
{{ sslbump_httpsconfig('[::1]', 'intercept') }}
{% endif %}
# Setup listen configuration
@ -20,14 +22,14 @@ http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept {{ sslbump_httpconfi
{% for interface in OPNsense.proxy.forward.interfaces.split(",") %}
{% for intf_key,intf_item in interfaces.iteritems() %}
{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %}
http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }} {{ sslbump_httpconfig() }}
http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }}
{% endif %}
{% endfor %}
{# virtual ip's #}
{% if helpers.exists('virtualip') %}
{% for intf_key,intf_item in virtualip.iteritems() %}
{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %}
http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }} {{ sslbump_httpconfig() }}
http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }}
{% endif %}
{% endfor %}
{% endif %}
@ -50,6 +52,8 @@ ssl_bump splice bump_nobumpsites
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump bump
sslproxy_cert_error deny all
{% endif %}
acl ftp proto FTP