From 92883b237d71bbe99500464518949a15b070ca64 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Mon, 21 Mar 2016 13:38:36 +0100
Subject: [PATCH] (proxy) work in progress ssl-bump

---
 .../controllers/OPNsense/Proxy/forms/main.xml | 16 +++++-
 .../mvc/app/models/OPNsense/Proxy/Proxy.xml   | 14 +++++
 src/opnsense/scripts/proxy/generate_cert.php  | 55 +++++++++++++++++++
 src/opnsense/scripts/proxy/setup.sh           |  3 +
 .../service/templates/OPNsense/Proxy/+TARGETS |  1 +
 .../templates/OPNsense/Proxy/ca.pem.id        |  3 +
 .../templates/OPNsense/Proxy/nobumpsites.acl  |  5 ++
 .../templates/OPNsense/Proxy/squid.conf       | 11 ++--
 8 files changed, 103 insertions(+), 5 deletions(-)
 create mode 100755 src/opnsense/scripts/proxy/generate_cert.php
 create mode 100644 src/opnsense/service/templates/OPNsense/Proxy/ca.pem.id
 create mode 100644 src/opnsense/service/templates/OPNsense/Proxy/nobumpsites.acl

diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml b/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
index b03834477..0cd808839 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml
@@ -202,7 +202,7 @@
                 <type>checkbox</type>
                 <help><![CDATA[
                   Enable sslbump mode,
-                  which makes the proxy act like a man in the middle between the internet and your clients.
+                  which makes the proxy act as a man in the middle between the internet and your clients.
                   Be aware of the security implications before enabling this option.
                   ]]></help>
             </field>
@@ -224,6 +224,20 @@
                   Create a list of sites which may not be inspected, for example bank sites.
                   ]]></help>
             </field>
+            <field>
+                <id>proxy.forward.ssl_crtd_storage_max_size</id>
+                <label>SSL cache size</label>
+                <type>text</type>
+                <help><![CDATA[Enter the maximum size (in MB) to use for SSL certificates.]]></help>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>proxy.forward.sslcrtd_children</id>
+                <label>SSL cert workers</label>
+                <type>text</type>
+                <help><![CDATA[Enter the number of ssl certificate workers to use (sslcrtd_children).]]></help>
+                <advanced>true</advanced>
+            </field>
             <field>
                 <id>proxy.forward.addACLforInterfaceSubnets</id>
                 <label>Allow interface subnets</label>
diff --git a/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml b/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
index e8768df39..bb89d8426 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml
@@ -173,6 +173,20 @@
               <mask>/^([a-zA-Z0-9.:,]){0,}/</mask>
               <ValidationMessage>Please enter ip addresses or domain names here</ValidationMessage>
             </sslnobumpsites>
+            <ssl_crtd_storage_max_size type="IntegerField">
+              <Required>Y</Required>
+              <default>4</default>
+              <MinimumValue>1</MinimumValue>
+              <MaximumValue>65535</MaximumValue>
+              <ValidationMessage>max size needs to be an integer value between 1 and 65535</ValidationMessage>
+            </ssl_crtd_storage_max_size>
+            <sslcrtd_children type="IntegerField">
+              <Required>Y</Required>
+              <default>5</default>
+              <MinimumValue>1</MinimumValue>
+              <MaximumValue>32</MaximumValue>
+              <ValidationMessage>the number of sslrtd children needs to be an integer value between 1 and 32</ValidationMessage>
+            </sslcrtd_children>
             <ftpInterfaces type="InterfaceField">
                 <Required>N</Required>
                 <multiple>Y</multiple>
diff --git a/src/opnsense/scripts/proxy/generate_cert.php b/src/opnsense/scripts/proxy/generate_cert.php
new file mode 100755
index 000000000..eb23a023c
--- /dev/null
+++ b/src/opnsense/scripts/proxy/generate_cert.php
@@ -0,0 +1,55 @@
+#!/usr/local/bin/php
+<?php
+
+/**
+ *    Copyright (C) 2016 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+// use legacy code to generate certs and ca's
+require_once("config.inc");
+require_once("certs.inc");
+require_once("legacy_bindings.inc");
+use OPNsense\Core\Config;
+global $config;
+
+// Our template systems stores the ca certid into /usr/local/etc/squid/ca.pem.id
+// Which makes it easier for the setup script to detect cert changes (which should flush the stored cache)
+if (is_file('/usr/local/etc/squid/ca.pem.id')) {
+    $cert_refid = trim(file_get_contents('/usr/local/etc/squid/ca.pem.id'));
+    if (!empty($config['ca'])) {
+        foreach ($config['ca'] as $ca) {
+            if (isset($ca['refid']) && $ca['refid'] == $cert_refid) {
+                $pem_contents = '';
+                $pem_contents .= base64_decode($ca['prv']);
+                $pem_contents .= base64_decode($ca['crt']);
+                $pem_contents .= ca_chain($ca);
+                echo "certificate generated\n";
+                file_put_contents('/var/squid/ssl/ca.pem', $pem_contents);
+            }
+        }
+    }
+}
diff --git a/src/opnsense/scripts/proxy/setup.sh b/src/opnsense/scripts/proxy/setup.sh
index 25d758f18..76469628e 100755
--- a/src/opnsense/scripts/proxy/setup.sh
+++ b/src/opnsense/scripts/proxy/setup.sh
@@ -20,3 +20,6 @@ if [ ! -d /var/squid/ssl_crtd ]; then
 chown -R squid:squid /var/squid/ssl_crtd
 chmod -R 750 /var/squid/ssl_crtd
 fi
+
+# generate SSL bump certificate
+/usr/local/opnsense/scripts/proxy/generate_cert.php
diff --git a/src/opnsense/service/templates/OPNsense/Proxy/+TARGETS b/src/opnsense/service/templates/OPNsense/Proxy/+TARGETS
index f09b85c9e..2dabb6de0 100644
--- a/src/opnsense/service/templates/OPNsense/Proxy/+TARGETS
+++ b/src/opnsense/service/templates/OPNsense/Proxy/+TARGETS
@@ -3,3 +3,4 @@ squid.conf:/usr/local/etc/squid/squid.conf
 newsyslog.conf:/etc/newsyslog.conf.d/squid
 externalACLs.conf:/usr/local/etc/squid/externalACLs.conf
 nobumpsites.acl:/usr/local/etc/squid/nobumpsites.acl
+ca.pem.id:/usr/local/etc/squid/ca.pem.id
diff --git a/src/opnsense/service/templates/OPNsense/Proxy/ca.pem.id b/src/opnsense/service/templates/OPNsense/Proxy/ca.pem.id
new file mode 100644
index 000000000..e907aec5e
--- /dev/null
+++ b/src/opnsense/service/templates/OPNsense/Proxy/ca.pem.id
@@ -0,0 +1,3 @@
+{% if helpers.exists('OPNsense.proxy.forward.sslcertificate') %}
+{{ OPNsense.proxy.forward.sslcertificate }}
+{% endif %}
diff --git a/src/opnsense/service/templates/OPNsense/Proxy/nobumpsites.acl b/src/opnsense/service/templates/OPNsense/Proxy/nobumpsites.acl
new file mode 100644
index 000000000..0bf00cd38
--- /dev/null
+++ b/src/opnsense/service/templates/OPNsense/Proxy/nobumpsites.acl
@@ -0,0 +1,5 @@
+{% if helpers.exists('OPNsense.proxy.forward.sslnobumpsites') and OPNsense.proxy.forward.sslnobumpsites != '' %}
+{% for line in OPNsense.proxy.forward.sslnobumpsites.split(',') %}
+{{ line }}
+{% endfor %}
+{% endif %}
diff --git a/src/opnsense/service/templates/OPNsense/Proxy/squid.conf b/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
index dc7319519..1051f4ad1 100644
--- a/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
+++ b/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
@@ -5,7 +5,7 @@
 {# wrap http_port ssl bump configuration for reuse #}
 {% macro sslbump_httpconfig() -%}
   {% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
-  ssl-bump cert=/var/squid/ssl/ca.pem  dynamic_cert_mem_cache_size=16MB generate-host-certificates=on
+  ssl-bump cert=/var/squid/ssl/ca.pem  dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
   {% endif %}
 {%- endmacro %}
 
@@ -36,19 +36,22 @@ http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }} {{ sslbump_http
 
 {% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
 # setup ssl re-cert
-sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_crtd -M 4MB
-sslcrtd_children 5
+sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_crtd -M {{ OPNsense.proxy.forward.ssl_crtd_storage_max_size|default('4') }}MB
+sslcrtd_children {{ OPNsense.proxy.forward.sslcrtd_children|default('5') }}
 # setup ssl bump acl's
 acl bump_step1 at_step SslBump1
 acl bump_step2 at_step SslBump2
 acl bump_step3 at_step SslBump3
+acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
 
 # configure bump
 ssl_bump peek bump_step1 all
+ssl_bump splice bump_nobumpsites
+ssl_bump peek bump_step2 bump_nobumpsites
+ssl_bump splice bump_step3 bump_nobumpsites
 ssl_bump bump
 {% endif %}
 
-
 acl ftp proto FTP
 http_access allow ftp