Add ReconnectSSL option to enforce SSL options in struct filtering rules
The ReconnectSSL option allows rule developers to write struct filtering rules using SNI and CN SSL specifications to override the SSL configuration of a connection. Otherwise, without this new option, filtering rules cannot change SSL options using SSL filtering fields to match connections (the SSL config in the rule would not have any effect on the server side of the matching connection). Without ReconnectSSL, only DstIP and DstPort fields can be used to override the SSL config of a connection. If the ReconnectSSL option in a struct filtering rule is set, we disconnect and free the server side of the matching SSL connection, and reconnect it with the SSL options in the matching struct filtering rule. This enforces the SSL config in the rule. Do not use the ReconnectSSL option if server disconnect is not desirable or acceptable in your case.
pull/48/head
parent
f744c2c77a
commit
8f63ec7f82
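--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,203 @@
+{
+"comment": "Tests for Divert struct filtering rules with ReconnectSSL, HTTP request headers: SSLproxy, Connection, Upgrade, Keep-Alive, Accept-Encoding, Via, X-Forwarded-For, and Referer",
+"configs": {
+"1": {
+"proto": {
+"proto": "ssl",
+"crt": "server.crt",
+"key": "server.key"
+},
+"client": {
+"ip": "127.0.0.1",
+"port": "8213"
+},
+"server": {
+"ip": "127.0.0.1",
+"port": "9213"
+}
+}
+},
+"tests": {
+"1": {
+"comment": "Divert struct filtering rule removes any extra SSLproxy line, and appends Connection: close",
+"states": {
+"1": {
+"testend": "server",
+"cmd": "reconnect",
+"payload": "",
+"comment": "ReconnectSSL rules cause sslproxy to disconnect/reconnect to the server, so the reconnect cmd instructs the server to allow it"
+},
+"2": {
+"testend": "client",
+"cmd": "send",
+"payload": "GET / HTTP/1.1\r\nHost: example.com\r\nSSLproxy: sslproxy\r\n\r\n"
+},
+"3": {
+"testend": "server",
+"cmd": "recv",
+"payload": "GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n"
+}
+}
+},
+"2": {
+"comment": "Divert struct filtering rule removes all extra SSLproxy lines",
+"states": {
+"1": {
+"testend": "server",
+"cmd": "reconnect",
+"payload": ""
+},
+"2": {
+"testend": "client",
+"cmd": "send",
+"payload": "GET / HTTP/1.1\r\nHost: example.com\r\nSSLproxy: sslproxy\r\nSSLproxy: sslproxy\r\n\r\n"
+},
+"3": {
+"testend": "server",
+"cmd": "recv",
+"payload": "GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n"
+}
+}
+},
+"3": {
+"comment": "Divert struct filtering rule changes Connection header to close",
+"states": {
+"1": {
+"testend": "server",
+"cmd": "reconnect",
+"payload": ""
+},
+"2": {
+"testend": "client",
+"cmd": "send",
+"payload": "GET / HTTP/1.1\r\nHost: example.com\r\nConnection: Keep-Alive\r\n\r\n"
+},
+"3": {
+"testend": "server",
+"cmd": "recv",
+"payload": "GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n"
+}
+}
+},
+"4": {
+"comment": "Divert struct filtering rule suppresses upgrading to SSL/TLS, WebSockets or HTTP/2",
+"states": {
+"1": {
+"testend": "server",
+"cmd": "reconnect",
+"payload": ""
+},
+"2": {
+"testend": "client",
+"cmd": "send",
+"payload": "GET / HTTP/1.1\r\nHost: example.com\r\nUpgrade: websocket\r\n\r\n"
+},
+"3": {
+"testend": "server",
+"cmd": "recv",
+"payload": "GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n"
+}
+}
+},
+"5": {
+"comment": "Divert struct filtering rule removes Keep-Alive",
+"states": {
+"1": {
+"testend": "server",
+"cmd": "reconnect",
+"payload": ""
+},
+"2": {
+"testend": "client",
+"cmd": "send",
+"payload": "GET / HTTP/1.1\r\nHost: example.com\r\nKeep-Alive: keep-alive\r\n\r\n"
+},
+"3": {
+"testend": "server",
+"cmd": "recv",
+"payload": "GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n"
+}
+}
+},
+"6": {
+"comment": "Divert struct filtering rule removes Accept-Encoding",
+"states": {
+"1": {
+"testend": "server",
+"cmd": "reconnect",
+"payload": ""
+},
+"2": {
+"testend": "client",
+"cmd": "send",
+"payload": "GET / HTTP/1.1\r\nHost: example.com\r\nAccept-Encoding: encoding\r\n\r\n"
+},
+"3": {
+"testend": "server",
+"cmd": "recv",
+"payload": "GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n"
+}
+}
+},
+"7": {
+"comment": "Divert struct filtering rule removes Via",
+"states": {
+"1": {
+"testend": "server",
+"cmd": "reconnect",
+"payload": ""
+},
+"2": {
+"testend": "client",
+"cmd": "send",
+"payload": "GET / HTTP/1.1\r\nHost: example.com\r\nVia: via\r\n\r\n"
+},
+"3": {
+"testend": "server",
+"cmd": "recv",
+"payload": "GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n"
+}
+}
+},
+"8": {
+"comment": "Divert struct filtering rule removes X-Forwarded-For",
+"states": {
+"1": {
+"testend": "server",
+"cmd": "reconnect",
+"payload": ""
+},
+"2": {
+"testend": "client",
+"cmd": "send",
+"payload": "GET / HTTP/1.1\r\nHost: example.com\r\nX-Forwarded-For: x-forwarded-for\r\n\r\n"
+},
+"3": {
+"testend": "server",
+"cmd": "recv",
+"payload": "GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n"
+}
+}
+},
+"9": {
+"comment": "Divert struct filtering rule removes Referer",
+"states": {
+"1": {
+"testend": "server",
+"cmd": "reconnect",
+"payload": ""
+},
+"2": {
+"testend": "client",
+"cmd": "send",
+"payload": "GET / HTTP/1.1\r\nHost: example.com\r\nReferer: referer\r\n\r\n"
+},
+"3": {
+"testend": "server",
+"cmd": "recv",
+"payload": "GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n"
+}
+}
+}
+}
+}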
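Review bot: Test 4's comment claims the rule `suppresses upgrading to SSL/TLS, WebSockets or HTTP/2`, but its only client payload sends `Upgrade: websocket`, so the SSL/TLS and HTTP/2 (`Upgrade: h2c`) variants are asserted by no state in this file. Either narrow it to `"comment": "Divert struct filtering rule removes the Upgrade: websocket header"` or add states for the other two Upgrade values with the same expected `Connection: close` output. Every test here also checks only the rewritten request arriving at the server; nothing asserts that the reconnected server side actually used the SNI/CN options from the matching ReconnectSSL rule, which is the behaviour the commit message introduces. If the harness can observe the server-side SSL parameters after the `reconnect` cmd in state 1, one test pinning them would be worth adding; if it cannot, the top-level `comment` could say so explicitly.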