# TestProxy test configuration for sslproxy v0.9.5
#
# NOTE(review): test-only settings. Every ProxySpec in this section listens on
# and targets 127.0.0.1, the CA certificate and key are loaded from relative
# paths, and VerifyPeer is switched off in the default ProxySpec options.

# Global options
# User, Group and Chroot are commented out, so this file does not itself
# request a privilege drop or a chroot; whatever sslproxy does by default
# applies (confirm for the build under test).
#User _sslproxy
#Group _sslproxy
#Chroot /var/run/sslproxy
PidFile /var/run/sslproxy.pid
#Daemon yes
# Debug output is on at level 4.
# NOTE(review): presumably the most verbose level; confirm against the
# sslproxy.conf documentation.
Debug yes
DebugLevel 4
#OpenFilesLimit 1024
#LeafKey /etc/sslproxy/leaf.key
#LeafKeyRSABits 2048
#LeafCertDir /etc/sslproxy/leaf.d
#DefaultLeafCert /etc/sslproxy/leaf.pem
#WriteGenCertsDir /var/log/sslproxy
#WriteAllCertsDir /var/log/sslproxy
#OpenSSLEngine cloudhsm
# Connection, content, pcap, mirror and master-key logging are all disabled
# here. If enabled, the content/pcap logs hold decrypted traffic and the
# master-key log holds TLS session secrets, so their target paths need
# restrictive ownership and permissions.
#ConnectLog /var/log/sslproxy/connect.log
#ContentLog /var/log/sslproxy/content.log
#ContentLogDir /var/log/sslproxy/content
#ContentLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.log
#LogProcInfo yes
#PcapLog /var/log/sslproxy/content.pcap
#PcapLogDir /var/log/sslproxy/pcap
#PcapLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.pcap
#MirrorIf lo
#MirrorTarget 192.0.2.1
#MasterKeyLog /var/log/sslproxy/masterkeys.log
LogStats yes
StatsPeriod 1
ConnIdleTimeout 120
ExpiredConnCheckPeriod 10
# Relative path.
# NOTE(review): presumably the user database consulted when UserAuth is
# enabled; confirm.
UserDBPath users.db

# Default ProxySpec options (cloned to each proxyspec)
# CA certificate and private key the proxy signs its forged leaf certificates
# with. Both are relative paths, so they depend on the directory the test run
# starts in. This CA should be trusted by the test clients only.
CACert ca.crt
CAKey ca.key
#ClientCert /etc/sslproxy/client.crt
#ClientKey /etc/sslproxy/client.key
#CAChain /etc/sslproxy/chain.crt
#LeafCRLURL http://example.com/example.crl
#DenyOCSP yes
#Passthrough yes
#DHGroupParams /etc/sslproxy/dh.pem
#ECDHCurve prime256v1
#SSLCompression no
#ForceSSLProto tls12
#DisableSSLProto tls10
#EnableSSLProto tls10
#MinSSLProto tls10
#MaxSSLProto tls13
#Ciphers MEDIUM:HIGH
#CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
#NATEngine netfilter
#RemoveHTTPAcceptEncoding no
#RemoveHTTPReferer yes
# Upstream server certificates are not verified unless a proxyspec overrides
# this.
# NOTE(review): presumably because the local test servers present
# certificates that would not validate; confirm.
VerifyPeer no
#AllowWrongHost no
#UserAuth no
#UserTimeout 300
#UserAuthURL https://192.168.0.1/userdblogin.php
#ValidateProto no
#MaxHTTPHeaderSize 8192
#PassSite example.com
#PassSite example.com 192.168.0.1
#PassSite example.com soner
#PassSite *.google.com * android
#Divert yes

# Tests for tcp connection over ssl proxyspec
# One-line form. The fields appear to map to Proto, Addr, Port,
# DivertPort (the "up:" value), TargetAddr and TargetPort of the structured
# form used below.
ProxySpec https 127.0.0.1 8441 up:8080 127.0.0.1 9441
ProxySpec {
    Proto https
    Addr 127.0.0.1
    Port 8442
    DivertPort 8080
    TargetAddr 127.0.0.1
    TargetPort 9442
    ValidateProto yes
}

# Tests for ssl connection on tcp proxyspec
ProxySpec {
    Proto http
    Addr 127.0.0.1
    Port 8183
    DivertPort 8080
    TargetAddr 127.0.0.1
    TargetPort 9183
    ValidateProto yes
}

# Tests for HTTP GET method validation
ProxySpec {
    Proto http
    Addr 127.0.0.1
    Port 8184
    DivertPort 8080
    TargetAddr 127.0.0.1
    TargetPort 9184
    ValidateProto yes
}
ProxySpec {
    Proto https
    Addr 127.0.0.1
    Port 8444
    DivertPort 8080
    TargetAddr 127.0.0.1
    TargetPort 9444
    ValidateProto yes
}

# Tests for HTTP POST method validation
ProxySpec {
    Proto http
    Addr 127.0.0.1
    Port 8185
    DivertPort 8080
    TargetAddr 127.0.0.1
    TargetPort 9185
    ValidateProto yes
}
ProxySpec {
    Proto https
    Addr 127.0.0.1
    Port 8445
    DivertPort 8080
    TargetAddr 127.0.0.1
    TargetPort 9445
    ValidateProto yes
}

# Tests for SSL configuration
ProxySpec https 127.0.0.1 8443 up:8080 127.0.0.1 9443

# Tests for SSL configuration: tls10 only
# TLS 1.0 and 1.1 are deprecated (RFC 8996). The specs that force them are
# here to exercise protocol selection.
ProxySpec {
    Proto https
    Addr 127.0.0.1
    Port 8449
    DivertPort 8080
    TargetAddr 127.0.0.1
    TargetPort 9449
    ForceSSLProto tls10
}

# Tests for SSL configuration: tls11 only
ProxySpec {
    Proto https
    Addr 127.0.0.1
    Port 8450
    DivertPort 8080
    TargetAddr 127.0.0.1
    TargetPort 9450
    ForceSSLProto tls11
}

# Tests for SSL configuration: tls12 only
ProxySpec {
    Proto https
    Addr 127.0.0.1
    Port 8451
    DivertPort 8080
    TargetAddr 127.0.0.1
    TargetPort 9451
    ForceSSLProto tls12
}

# Tests for SSL configuration: tls13 only
# The TLS 1.3 suite list is narrowed to a single suite for this spec.
ProxySpec {
    Proto https
    Addr 127.0.0.1
    Port 8462
    DivertPort 8080
    TargetAddr 127.0.0.1
    TargetPort 9462
    ForceSSLProto tls13
    CipherSuites TLS_CHACHA20_POLY1305_SHA256
}

# Tests for SSL configuration: Rejects unsupported SSL/TLS proto
# NOTE(review): the rejection is not visible in this file. Presumably the
# harness offers a protocol version other than the forced one; confirm
# against the test definitions.
ProxySpec {
    Proto https
    Addr 127.0.0.1
    Port 8452
    DivertPort 8080
    TargetAddr 127.0.0.1
    TargetPort 9452
    ForceSSLProto tls10
}
ProxySpec {
    Proto https
    Addr 127.0.0.1
    Port 8453
    DivertPort 8080
    TargetAddr 127.0.0.1
    TargetPort 9453
    ForceSSLProto tls12
}

# Tests for HTTP request headers: SSLproxy, Connection, Upgrade, Keep-Alive, Accept-Encoding,
Via, X-Forwarded-For, and Referer ProxySpec http 127.0.0.1 8180 up:8080 127.0.0.1 9180 ProxySpec https 127.0.0.1 8446 up:8080 127.0.0.1 9446 # Tests for HTTP response headers: Public-Key-Pins, Public-Key-Pins-Report-Only, Strict-Transport-Security, Expect-CT, Alternate-Protocol, Upgrade, OCSP request ProxySpec http 127.0.0.1 8181 up:8080 127.0.0.1 9181 ProxySpec https 127.0.0.1 8447 up:8080 127.0.0.1 9447 # Tests for HTTP response headers: Deny OCSP request, remove Accept-Encoding, and do not remove Referer ProxySpec { Proto http Addr 127.0.0.1 Port 8186 DivertPort 8080 TargetAddr 127.0.0.1 TargetPort 9186 DenyOCSP yes RemoveHTTPAcceptEncoding yes RemoveHTTPReferer no } ProxySpec { Proto https Addr 127.0.0.1 Port 8448 DivertPort 8080 TargetAddr 127.0.0.1 TargetPort 9448 DenyOCSP yes RemoveHTTPAcceptEncoding yes RemoveHTTPReferer no } # Tests for Passthrough ProxySpec { Proto https Addr 127.0.0.1 Port 8454 DivertPort 8080 TargetAddr 127.0.0.1 TargetPort 9454 Passthrough yes VerifyPeer yes } # Tests for VerifyPeer ProxySpec https 127.0.0.1 8455 up:8080 127.0.0.1 9455 ProxySpec { Proto https Addr 127.0.0.1 Port 8456 DivertPort 8080 TargetAddr 127.0.0.1 TargetPort 9456 VerifyPeer yes } # Tests for CACert/CAKey ProxySpec https 127.0.0.1 8457 up:8080 127.0.0.1 9457 ProxySpec { Proto https Addr 127.0.0.1 Port 8458 DivertPort 8080 TargetAddr 127.0.0.1 TargetPort 9458 CACert ca2.crt CAKey ca2.key } # Tests for UserAuth ProxySpec { Proto http Addr 127.0.0.1 Port 8187 DivertPort 8080 TargetAddr 127.0.0.1 TargetPort 9187 UserAuth yes } ProxySpec { Proto https Addr 127.0.0.1 Port 8459 DivertPort 8080 TargetAddr 127.0.0.1 TargetPort 9459 UserAuth yes } # Tests for POP3 ProxySpec { Proto pop3 Addr 127.0.0.1 Port 8188 DivertPort 8110 TargetAddr 127.0.0.1 TargetPort 9188 ValidateProto yes } ProxySpec { Proto pop3s Addr 127.0.0.1 Port 8460 DivertPort 8110 TargetAddr 127.0.0.1 TargetPort 9460 ValidateProto yes } # Tests for SMTP ProxySpec { Proto smtp Addr 127.0.0.1 Port 8189 
DivertPort 9199 TargetAddr 127.0.0.1 TargetPort 9189 ValidateProto yes } ProxySpec { Proto smtps Addr 127.0.0.1 Port 8461 DivertPort 9199 TargetAddr 127.0.0.1 TargetPort 9461 ValidateProto yes } # SSLsplit mode tests for HTTP request headers: SSLproxy, Connection, Upgrade, Keep-Alive, Accept-Encoding, Via, X-Forwarded-For, and Referer ProxySpec http 127.0.0.1 8190 127.0.0.1 9190 ProxySpec https 127.0.0.1 8463 127.0.0.1 9463 # Tests for Divert filtering rules ProxySpec { Proto http Addr 127.0.0.1 Port 8191 DivertPort 8080 TargetAddr 127.0.0.1 TargetPort 9191 Divert no # Unrelated rules should not have any effect Block from ip 127.0.0.0 Block from ip 127.0.0.2 Block from ip 127.0.0.1 to ip 127.0.0.0 Block from ip 127.0.0.1 to ip 127.0.0.2 Block from ip 127.0.0.1 to ip 127.0.0.1 port 9190 Block from ip 127.0.0.1 to ip 127.0.0.1 port 9192 Block from ip 127.0.0.1 to ip 127.0.0.1 port 9190 log connect Block from ip 127.0.0.1 to ip 127.0.0.1 port 9192 log connect # Lower precedence actions should not change filter action # Less specific rules should not change filter action Match * Block * Pass * Split * Match from * Block from * Pass from * Split from * Match from ip * Block from ip * Pass from ip * Split from ip * Match from ip 127.0.0.1 Block from ip 127.0.0.1 Pass from ip 127.0.0.1 Split from ip 127.0.0.1 Match from ip 127.0.0.1 to ip * Block from ip 127.0.0.1 to ip * Pass from ip 127.0.0.1 to ip * Split from ip 127.0.0.1 to ip * Match from ip 127.0.0.1 to ip 127.0.0.1 Block from ip 127.0.0.1 to ip 127.0.0.1 Pass from ip 127.0.0.1 to ip 127.0.0.1 Split from ip 127.0.0.1 to ip 127.0.0.1 Match from ip 127.0.0.1 to ip 127.0.0.1 port * Block from ip 127.0.0.1 to ip 127.0.0.1 port * Pass from ip 127.0.0.1 to ip 127.0.0.1 port * Split from ip 127.0.0.1 to ip 127.0.0.1 port * Match from ip 127.0.0.1 to ip 127.0.0.1 port 9191 Block from ip 127.0.0.1 to ip 127.0.0.1 port 9191 Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9191 Split from ip 127.0.0.1 to ip 127.0.0.1 port 9191 # 
The most specific and the highest precedence action Divert from ip 127.0.0.1 to ip 127.0.0.1 port 9191 } ProxySpec { Proto https Addr 127.0.0.1 Port 8192 DivertPort 8080 TargetAddr 127.0.0.1 TargetPort 9192 Divert no # Unrelated rules should not have any effect Block from ip 127.0.0.0 Block from ip 127.0.0.2 Block from ip 127.0.0.1 to ip 127.0.0.0 Block from ip 127.0.0.1 to ip 127.0.0.2 Block from ip 127.0.0.1 to ip 127.0.0.1 port 9191 Block from ip 127.0.0.1 to ip 127.0.0.1 port 9193 Block from ip 127.0.0.1 to ip 127.0.0.1 port 9191 log connect Block from ip 127.0.0.1 to ip 127.0.0.1 port 9193 log connect # Lower precedence actions should not change filter action # Less specific rules should not change filter action Match * Block * Pass * Split * Match from * Block from * Pass from * Split from * Match from ip * Block from ip * Pass from ip * Split from ip * Match from ip 127.0.0.1 Block from ip 127.0.0.1 Pass from ip 127.0.0.1 Split from ip 127.0.0.1 Match from ip 127.0.0.1 to ip * Block from ip 127.0.0.1 to ip * Pass from ip 127.0.0.1 to ip * Split from ip 127.0.0.1 to ip * Match from ip 127.0.0.1 to ip 127.0.0.1 Block from ip 127.0.0.1 to ip 127.0.0.1 Pass from ip 127.0.0.1 to ip 127.0.0.1 Split from ip 127.0.0.1 to ip 127.0.0.1 Match from ip 127.0.0.1 to ip 127.0.0.1 port * Block from ip 127.0.0.1 to ip 127.0.0.1 port * Pass from ip 127.0.0.1 to ip 127.0.0.1 port * Split from ip 127.0.0.1 to ip 127.0.0.1 port * Match from ip 127.0.0.1 to ip 127.0.0.1 port 9192 Block from ip 127.0.0.1 to ip 127.0.0.1 port 9192 Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9192 Split from ip 127.0.0.1 to ip 127.0.0.1 port 9192 # The most specific and the highest precedence action Divert from ip 127.0.0.1 to ip 127.0.0.1 port 9192 } # Tests for Split filtering rules ProxySpec { Proto http Addr 127.0.0.1 Port 8193 DivertPort 8080 TargetAddr 127.0.0.1 TargetPort 9193 Divert yes # Unrelated rules should not have any effect Block from ip 127.0.0.0 Block from ip 127.0.0.2 Block from ip 
127.0.0.1 to ip 127.0.0.0 Block from ip 127.0.0.1 to ip 127.0.0.2 Block from ip 127.0.0.1 to ip 127.0.0.1 port 9192 Block from ip 127.0.0.1 to ip 127.0.0.1 port 9194 Block from ip 127.0.0.1 to ip 127.0.0.1 port 9192 log connect Block from ip 127.0.0.1 to ip 127.0.0.1 port 9194 log connect # Lower precedence actions should not change filter action # Less specific rules should not change filter action Match * Block * Pass * Divert * Match from * Block from * Pass from * Divert from * Match from ip * Block from ip * Pass from ip * Divert from ip * Match from ip 127.0.0.1 Block from ip 127.0.0.1 Pass from ip 127.0.0.1 Divert from ip 127.0.0.1 Match from ip 127.0.0.1 to ip * Block from ip 127.0.0.1 to ip * Pass from ip 127.0.0.1 to ip * Divert from ip 127.0.0.1 to ip * Match from ip 127.0.0.1 to ip 127.0.0.1 Block from ip 127.0.0.1 to ip 127.0.0.1 Pass from ip 127.0.0.1 to ip 127.0.0.1 Divert from ip 127.0.0.1 to ip 127.0.0.1 Match from ip 127.0.0.1 to ip 127.0.0.1 port * Block from ip 127.0.0.1 to ip 127.0.0.1 port * Pass from ip 127.0.0.1 to ip 127.0.0.1 port * Divert from ip 127.0.0.1 to ip 127.0.0.1 port * Match from ip 127.0.0.1 to ip 127.0.0.1 port 9193 Block from ip 127.0.0.1 to ip 127.0.0.1 port 9193 Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9193 # No Divert, because Divert's precedence is higher than Split's # The most specific and the highest precedence action Split from ip 127.0.0.1 to ip 127.0.0.1 port 9193 } ProxySpec { Proto https Addr 127.0.0.1 Port 8194 DivertPort 8080 TargetAddr 127.0.0.1 TargetPort 9194 Divert yes # Unrelated rules should not have any effect Block from ip 127.0.0.0 Block from ip 127.0.0.2 Block from ip 127.0.0.1 to ip 127.0.0.0 Block from ip 127.0.0.1 to ip 127.0.0.2 Block from ip 127.0.0.1 to ip 127.0.0.1 port 9193 Block from ip 127.0.0.1 to ip 127.0.0.1 port 9195 Block from ip 127.0.0.1 to ip 127.0.0.1 port 9193 log connect Block from ip 127.0.0.1 to ip 127.0.0.1 port 9195 log connect # Lower precedence actions should not change 
filter action # Less specific rules should not change filter action Match * Block * Pass * Divert * Match from * Block from * Pass from * Divert from * Match from ip * Block from ip * Pass from ip * Divert from ip * Match from ip 127.0.0.1 Block from ip 127.0.0.1 Pass from ip 127.0.0.1 Divert from ip 127.0.0.1 Match from ip 127.0.0.1 to ip * Block from ip 127.0.0.1 to ip * Pass from ip 127.0.0.1 to ip * Divert from ip 127.0.0.1 to ip * Match from ip 127.0.0.1 to ip 127.0.0.1 Block from ip 127.0.0.1 to ip 127.0.0.1 Pass from ip 127.0.0.1 to ip 127.0.0.1 Divert from ip 127.0.0.1 to ip 127.0.0.1 Match from ip 127.0.0.1 to ip 127.0.0.1 port * Block from ip 127.0.0.1 to ip 127.0.0.1 port * Pass from ip 127.0.0.1 to ip 127.0.0.1 port * Divert from ip 127.0.0.1 to ip 127.0.0.1 port * Match from ip 127.0.0.1 to ip 127.0.0.1 port 9194 Block from ip 127.0.0.1 to ip 127.0.0.1 port 9194 Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9194 # No Divert, because Divert's precedence is higher than Split's # The most specific and the highest precedence action Split from ip 127.0.0.1 to ip 127.0.0.1 port 9194 } # Tests for Pass filtering rules ProxySpec { Proto http Addr 127.0.0.1 Port 8195 DivertPort 8080 TargetAddr 127.0.0.1 TargetPort 9195 Divert yes # Unrelated rules should not have any effect Block from ip 127.0.0.0 Block from ip 127.0.0.2 Block from ip 127.0.0.1 to ip 127.0.0.0 Block from ip 127.0.0.1 to ip 127.0.0.2 Block from ip 127.0.0.1 to ip 127.0.0.1 port 9194 Block from ip 127.0.0.1 to ip 127.0.0.1 port 9196 Block from ip 127.0.0.1 to ip 127.0.0.1 port 9194 log connect Block from ip 127.0.0.1 to ip 127.0.0.1 port 9196 log connect # Lower precedence actions should not change filter action # Less specific rules should not change filter action Match * Block * Split * Divert * Match from * Block from * Split from * Divert from * Match from ip * Block from ip * Split from ip * Divert from ip * Match from ip 127.0.0.1 Block from ip 127.0.0.1 Split from ip 127.0.0.1 Divert from ip 
127.0.0.1 Match from ip 127.0.0.1 to ip * Block from ip 127.0.0.1 to ip * Split from ip 127.0.0.1 to ip * Divert from ip 127.0.0.1 to ip * Match from ip 127.0.0.1 to ip 127.0.0.1 Block from ip 127.0.0.1 to ip 127.0.0.1 Split from ip 127.0.0.1 to ip 127.0.0.1 Divert from ip 127.0.0.1 to ip 127.0.0.1 Match from ip 127.0.0.1 to ip 127.0.0.1 port * Block from ip 127.0.0.1 to ip 127.0.0.1 port * Split from ip 127.0.0.1 to ip 127.0.0.1 port * Divert from ip 127.0.0.1 to ip 127.0.0.1 port * Match from ip 127.0.0.1 to ip 127.0.0.1 port 9195 Block from ip 127.0.0.1 to ip 127.0.0.1 port 9195 # No Divert or Split, because their precedence is higher than Pass's # The most specific and the highest precedence action Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9195 } ProxySpec { Proto https Addr 127.0.0.1 Port 8196 DivertPort 8080 TargetAddr 127.0.0.1 TargetPort 9196 Divert yes # Unrelated rules should not have any effect Block from ip 127.0.0.0 Block from ip 127.0.0.2 Block from ip 127.0.0.1 to ip 127.0.0.0 Block from ip 127.0.0.1 to ip 127.0.0.2 Block from ip 127.0.0.1 to ip 127.0.0.1 port 9195 Block from ip 127.0.0.1 to ip 127.0.0.1 port 9197 Block from ip 127.0.0.1 to ip 127.0.0.1 port 9195 log connect Block from ip 127.0.0.1 to ip 127.0.0.1 port 9197 log connect # Lower precedence actions should not change filter action # Less specific rules should not change filter action Match * Block * Split * Divert * Match from * Block from * Split from * Divert from * Match from ip * Block from ip * Split from ip * Divert from ip * Match from ip 127.0.0.1 Block from ip 127.0.0.1 Split from ip 127.0.0.1 Divert from ip 127.0.0.1 Match from ip 127.0.0.1 to ip * Block from ip 127.0.0.1 to ip * Split from ip 127.0.0.1 to ip * Divert from ip 127.0.0.1 to ip * Match from ip 127.0.0.1 to ip 127.0.0.1 Block from ip 127.0.0.1 to ip 127.0.0.1 Split from ip 127.0.0.1 to ip 127.0.0.1 Divert from ip 127.0.0.1 to ip 127.0.0.1 Match from ip 127.0.0.1 to ip 127.0.0.1 port * Block from ip 127.0.0.1 to 
ip 127.0.0.1 port * Split from ip 127.0.0.1 to ip 127.0.0.1 port * Divert from ip 127.0.0.1 to ip 127.0.0.1 port * Match from ip 127.0.0.1 to ip 127.0.0.1 port 9196 Block from ip 127.0.0.1 to ip 127.0.0.1 port 9196 # No Divert or Split, because their precedence is higher than Pass's # The most specific and the highest precedence action Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9196 } # Tests for Block filtering rules ProxySpec { Proto http Addr 127.0.0.1 Port 8197 DivertPort 8080 TargetAddr 127.0.0.1 TargetPort 9197 Divert yes # Unrelated rules should not have any effect Pass from ip 127.0.0.0 Pass from ip 127.0.0.2 Pass from ip 127.0.0.1 to ip 127.0.0.0 Pass from ip 127.0.0.1 to ip 127.0.0.2 Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9196 Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9198 Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9196 log connect Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9198 log connect # Lower precedence actions should not change filter action # Less specific rules should not change filter action Match * Pass * Split * Divert * Match from * Pass from * Split from * Divert from * Match from ip * Pass from ip * Split from ip * Divert from ip * Match from ip 127.0.0.1 Pass from ip 127.0.0.1 Split from ip 127.0.0.1 Divert from ip 127.0.0.1 Match from ip 127.0.0.1 to ip * Pass from ip 127.0.0.1 to ip * Split from ip 127.0.0.1 to ip * Divert from ip 127.0.0.1 to ip * Match from ip 127.0.0.1 to ip 127.0.0.1 Pass from ip 127.0.0.1 to ip 127.0.0.1 Split from ip 127.0.0.1 to ip 127.0.0.1 Divert from ip 127.0.0.1 to ip 127.0.0.1 Match from ip 127.0.0.1 to ip 127.0.0.1 port * Pass from ip 127.0.0.1 to ip 127.0.0.1 port * Split from ip 127.0.0.1 to ip 127.0.0.1 port * Divert from ip 127.0.0.1 to ip 127.0.0.1 port * Match from ip 127.0.0.1 to ip 127.0.0.1 port 9197 # No Divert, Split, or Pass, because their precedence is higher than Block's # The most specific and the highest precedence action Block from ip 127.0.0.1 to ip 127.0.0.1 port 9197 } ProxySpec 
{ Proto https Addr 127.0.0.1 Port 8198 DivertPort 8080 TargetAddr 127.0.0.1 TargetPort 9198 Divert yes # Unrelated rules should not have any effect Pass from ip 127.0.0.0 Pass from ip 127.0.0.2 Pass from ip 127.0.0.1 to ip 127.0.0.0 Pass from ip 127.0.0.1 to ip 127.0.0.2 Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9197 Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9199 Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9197 log connect Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9199 log connect # Lower precedence actions should not change filter action # Less specific rules should not change filter action Match * Pass * Split * Divert * Match from * Pass from * Split from * Divert from * Match from ip * Pass from ip * Split from ip * Divert from ip * Match from ip 127.0.0.1 Pass from ip 127.0.0.1 Split from ip 127.0.0.1 Divert from ip 127.0.0.1 Match from ip 127.0.0.1 to ip * Pass from ip 127.0.0.1 to ip * Split from ip 127.0.0.1 to ip * Divert from ip 127.0.0.1 to ip * Match from ip 127.0.0.1 to ip 127.0.0.1 Pass from ip 127.0.0.1 to ip 127.0.0.1 Split from ip 127.0.0.1 to ip 127.0.0.1 Divert from ip 127.0.0.1 to ip 127.0.0.1 Match from ip 127.0.0.1 to ip 127.0.0.1 port * Pass from ip 127.0.0.1 to ip 127.0.0.1 port * Split from ip 127.0.0.1 to ip 127.0.0.1 port * Divert from ip 127.0.0.1 to ip 127.0.0.1 port * Match from ip 127.0.0.1 to ip 127.0.0.1 port 9198 # No Divert, Split, or Pass, because their precedence is higher than Block's # The most specific and the highest precedence action Block from ip 127.0.0.1 to ip 127.0.0.1 port 9198 } # Tests for SNI filtering rules ProxySpec { Proto https Addr 127.0.0.1 Port 8200 DivertPort 8080 TargetAddr 127.0.0.1 TargetPort 9200 Divert no # Unrelated rules should not have any effect Block from ip 127.0.0.0 Block from ip 127.0.0.2 Block from ip 127.0.0.1 to ip 127.0.0.0 Block from ip 127.0.0.1 to ip 127.0.0.2 Block from ip 127.0.0.1 to sni comixwall.org port 9199 Block from ip 127.0.0.1 to sni comixwall.org port 9201 Block from ip 
127.0.0.1 to sni comixwall.org port 9199 log connect Block from ip 127.0.0.1 to sni comixwall.org port 9201 log connect # Lower precedence actions should not change filter action # Less specific rules should not change filter action Match * Block * Pass * Split * Match from * Block from * Pass from * Split from * Match from ip * Block from ip * Pass from ip * Split from ip * Match from ip 127.0.0.1 Block from ip 127.0.0.1 Pass from ip 127.0.0.1 Split from ip 127.0.0.1 Match from ip 127.0.0.1 to ip * Block from ip 127.0.0.1 to ip * Pass from ip 127.0.0.1 to ip * Split from ip 127.0.0.1 to ip * Match from ip 127.0.0.1 to sni comixwall.org Block from ip 127.0.0.1 to sni comixwall.org Pass from ip 127.0.0.1 to sni comixwall.org Split from ip 127.0.0.1 to sni comixwall.org Match from ip 127.0.0.1 to sni comixwall.org port * Block from ip 127.0.0.1 to sni comixwall.org port * Pass from ip 127.0.0.1 to sni comixwall.org port * Split from ip 127.0.0.1 to sni comixwall.org port * Match from ip 127.0.0.1 to sni comixwall.org port 9200 Block from ip 127.0.0.1 to sni comixwall.org port 9200 Pass from ip 127.0.0.1 to sni comixwall.org port 9200 Split from ip 127.0.0.1 to sni comixwall.org port 9200 # The most specific and the highest precedence action Divert from ip 127.0.0.1 to sni comixwall.org port 9200 } ProxySpec { Proto https Addr 127.0.0.1 Port 8201 DivertPort 8080 TargetAddr 127.0.0.1 TargetPort 9201 Divert no # Unrelated rules should not have any effect Block from ip 127.0.0.0 Block from ip 127.0.0.2 Block from ip 127.0.0.1 to ip 127.0.0.0 Block from ip 127.0.0.1 to ip 127.0.0.2 Block from ip 127.0.0.1 to sni comixwall.org port 9200 Block from ip 127.0.0.1 to sni comixwall.org port 9202 Block from ip 127.0.0.1 to sni comixwall.org port 9200 log connect Block from ip 127.0.0.1 to sni comixwall.org port 9202 log connect # Lower precedence actions should not change filter action # Less specific rules should not change filter action Match * Block * Pass * Split * Match 
from * Block from * Pass from * Split from * Match from ip * Block from ip * Pass from ip * Split from ip * Match from ip 127.0.0.1 Block from ip 127.0.0.1 Pass from ip 127.0.0.1 Split from ip 127.0.0.1 Match from ip 127.0.0.1 to ip * Block from ip 127.0.0.1 to ip * Pass from ip 127.0.0.1 to ip * Split from ip 127.0.0.1 to ip * Match from ip 127.0.0.1 to sni comixwall.org Block from ip 127.0.0.1 to sni comixwall.org Pass from ip 127.0.0.1 to sni comixwall.org Split from ip 127.0.0.1 to sni comixwall.org Match from ip 127.0.0.1 to sni comixwall.org port * Block from ip 127.0.0.1 to sni comixwall.org port * Pass from ip 127.0.0.1 to sni comixwall.org port * Split from ip 127.0.0.1 to sni comixwall.org port * Match from ip 127.0.0.1 to sni comixwall.org port 9201 Block from ip 127.0.0.1 to sni comixwall.org port 9201 Pass from ip 127.0.0.1 to sni comixwall.org port 9201 Split from ip 127.0.0.1 to sni comixwall.org port 9201 # The most specific and the highest precedence action Divert from ip 127.0.0.1 to sni comixwall.org port 9201 } # Tests for Common Names filtering rules ProxySpec { Proto https Addr 127.0.0.1 Port 8202 DivertPort 8080 TargetAddr 127.0.0.1 TargetPort 9202 Divert yes # Unrelated rules should not have any effect Block from ip 127.0.0.0 Block from ip 127.0.0.2 Block from ip 127.0.0.1 to ip 127.0.0.0 Block from ip 127.0.0.1 to ip 127.0.0.2 Block from ip 127.0.0.1 to cn comixwall.org port 9201 Block from ip 127.0.0.1 to cn comixwall.org port 9203 Block from ip 127.0.0.1 to cn comixwall.org port 9201 log connect Block from ip 127.0.0.1 to cn comixwall.org port 9203 log connect # Lower precedence actions should not change filter action # Less specific rules should not change filter action Match * Block * Pass * Split * Match from * Block from * Pass from * Split from * Match from ip * Block from ip * Pass from ip * Split from ip * Match from ip 127.0.0.1 Block from ip 127.0.0.1 Pass from ip 127.0.0.1 Split from ip 127.0.0.1 Match from ip 127.0.0.1 to cn * 
Block from ip 127.0.0.1 to cn * Pass from ip 127.0.0.1 to cn * Split from ip 127.0.0.1 to cn * Match from ip 127.0.0.1 to cn comixwall.org Block from ip 127.0.0.1 to cn comixwall.org Pass from ip 127.0.0.1 to cn comixwall.org Split from ip 127.0.0.1 to cn comixwall.org Match from ip 127.0.0.1 to cn comixwall.org port * Block from ip 127.0.0.1 to cn comixwall.org port * Pass from ip 127.0.0.1 to cn comixwall.org port * Split from ip 127.0.0.1 to cn comixwall.org port * Match from ip 127.0.0.1 to cn comixwall.org port 9202 Block from ip 127.0.0.1 to cn comixwall.org port 9202 # The most specific and the highest precedence action # log action increases precedence, but cannot override filter action, # so no Split or Divert filter actions, with or without log action Pass from ip 127.0.0.1 to cn comixwall.org port 9202 log connect } ProxySpec { Proto https Addr 127.0.0.1 Port 8203 DivertPort 8080 TargetAddr 127.0.0.1 TargetPort 9203 Divert yes # Unrelated rules should not have any effect Block from ip 127.0.0.0 Block from ip 127.0.0.2 Block from ip 127.0.0.1 to ip 127.0.0.0 Block from ip 127.0.0.1 to ip 127.0.0.2 Block from ip 127.0.0.1 to cn comixwall.org port 9202 Block from ip 127.0.0.1 to cn comixwall.org port 9204 Block from ip 127.0.0.1 to cn comixwall.org port 9202 log connect Block from ip 127.0.0.1 to cn comixwall.org port 9204 log connect # Lower precedence actions should not change filter action # Less specific rules should not change filter action Match * Block * Pass * Split * Match from * Block from * Pass from * Split from * Match from ip * Block from ip * Pass from ip * Split from ip * Match from ip 127.0.0.1 Block from ip 127.0.0.1 Pass from ip 127.0.0.1 Split from ip 127.0.0.1 Match from ip 127.0.0.1 to cn * Block from ip 127.0.0.1 to cn * Pass from ip 127.0.0.1 to cn * Split from ip 127.0.0.1 to cn * Match from ip 127.0.0.1 to cn comixwall.org Block from ip 127.0.0.1 to cn comixwall.org Pass from ip 127.0.0.1 to cn comixwall.org Split from ip 127.0.0.1 
to cn comixwall.org Match from ip 127.0.0.1 to cn comixwall.org port * Block from ip 127.0.0.1 to cn comixwall.org port * Pass from ip 127.0.0.1 to cn comixwall.org port * Split from ip 127.0.0.1 to cn comixwall.org port * Match from ip 127.0.0.1 to cn comixwall.org port 9203 Block from ip 127.0.0.1 to cn comixwall.org port 9203 Pass from ip 127.0.0.1 to cn comixwall.org port 9203 Split from ip 127.0.0.1 to cn comixwall.org port 9203 # The second most specific rule, correct CN Divert from ip 127.0.0.1 to cn comixwall.org port 9203 # The most specific and the highest precedence action, wrong CN Pass from ip 127.0.0.1 to cn comixwall2.org port 9203 log connect } # Tests for Host filtering rules ProxySpec { Proto http Addr 127.0.0.1 Port 8204 DivertPort 8080 TargetAddr 127.0.0.1 TargetPort 9204 Divert yes # Unrelated rules should not have any effect Pass from ip 127.0.0.0 Pass from ip 127.0.0.2 Pass from ip 127.0.0.1 to ip 127.0.0.0 Pass from ip 127.0.0.1 to ip 127.0.0.2 Pass from ip 127.0.0.1 to host example.com port 8203 Pass from ip 127.0.0.1 to host example.com port 9205 Pass from ip 127.0.0.1 to host example.com port 8203 log connect Pass from ip 127.0.0.1 to host example.com port 9205 log connect # Lower precedence actions should not change filter action # Less specific rules should not change filter action Match * Pass * Split * Divert * Match from * Pass from * Split from * Divert from * Match from ip * Pass from ip * Split from ip * Divert from ip * Match from ip 127.0.0.1 Pass from ip 127.0.0.1 Split from ip 127.0.0.1 Divert from ip 127.0.0.1 Match from ip 127.0.0.1 to host * Pass from ip 127.0.0.1 to host * Split from ip 127.0.0.1 to host * Divert from ip 127.0.0.1 to host * Match from ip 127.0.0.1 to host example.com Pass from ip 127.0.0.1 to host example.com Split from ip 127.0.0.1 to host example.com Divert from ip 127.0.0.1 to host example.com Match from ip 127.0.0.1 to host example.com port * Pass from ip 127.0.0.1 to host example.com port * Split from 
ip 127.0.0.1 to host example.com port *
    Divert from ip 127.0.0.1 to host example.com port *

    Match from ip 127.0.0.1 to host example.com port 9204
    # No Divert, Split, or Pass, because their precedence is higher than Block's

    # The most specific and the highest precedence action
    Block from ip 127.0.0.1 to host example.com port 9204
}

# Precedence test, https listener 8205 -> target 9205.
# Every rule below except the final Block is either unrelated to this
# connection or less specific than it, so Block is the action the test
# expects for 127.0.0.1 -> example.com port 9205.
ProxySpec {
    Proto https
    Addr 127.0.0.1
    Port 8205
    DivertPort 8080
    TargetAddr 127.0.0.1
    TargetPort 9205
    Divert yes

    # Unrelated rules should not have any effect
    # (addresses and ports one off from 127.0.0.1, 8205 and 9205 --
    # presumably chosen to catch inexact address/port matching)
    Pass from ip 127.0.0.0
    Pass from ip 127.0.0.2
    Pass from ip 127.0.0.1 to ip 127.0.0.0
    Pass from ip 127.0.0.1 to ip 127.0.0.2
    Pass from ip 127.0.0.1 to host example.com port 8204
    Pass from ip 127.0.0.1 to host example.com port 9206
    Pass from ip 127.0.0.1 to host example.com port 8204 log connect
    Pass from ip 127.0.0.1 to host example.com port 9206 log connect

    # Lower precedence actions should not change filter action
    # Less specific rules should not change filter action
    Match *
    Pass *
    Split *
    Divert *
    Match from *
    Pass from *
    Split from *
    Divert from *
    Match from ip *
    Pass from ip *
    Split from ip *
    Divert from ip *
    Match from ip 127.0.0.1
    Pass from ip 127.0.0.1
    Split from ip 127.0.0.1
    Divert from ip 127.0.0.1
    Match from ip 127.0.0.1 to host *
    Pass from ip 127.0.0.1 to host *
    Split from ip 127.0.0.1 to host *
    Divert from ip 127.0.0.1 to host *
    Match from ip 127.0.0.1 to host example.com
    Pass from ip 127.0.0.1 to host example.com
    Split from ip 127.0.0.1 to host example.com
    Divert from ip 127.0.0.1 to host example.com
    Match from ip 127.0.0.1 to host example.com port *
    Pass from ip 127.0.0.1 to host example.com port *
    Split from ip 127.0.0.1 to host example.com port *
    Divert from ip 127.0.0.1 to host example.com port *

    Match from ip 127.0.0.1 to host example.com port 9205
    # No Divert, Split, or Pass, because their precedence is higher than Block's

    # The most specific and the highest precedence action
    Block from ip 127.0.0.1 to host example.com port 9205
}

# Same precedence test over plain http: listener 8206 -> target 9206.
ProxySpec {
    Proto http
    Addr 127.0.0.1
    Port 8206
    DivertPort 8080
    TargetAddr 127.0.0.1
    TargetPort 9206
    Divert yes

    # Unrelated rules should not have any effect
    Pass from ip 127.0.0.0
    Pass from ip 127.0.0.2
    Pass from ip 127.0.0.1 to ip 127.0.0.0
    Pass from ip 127.0.0.1 to ip 127.0.0.2
    Pass from ip 127.0.0.1 to host example.com port 8205
    Pass from ip 127.0.0.1 to host example.com port 9207
    Pass from ip 127.0.0.1 to host example.com port 8205 log connect
    Pass from ip 127.0.0.1 to host example.com port 9207 log connect

    # Lower precedence actions should not change filter action
    # Less specific rules should not change filter action
    Match *
    Pass *
    Split *
    Divert *
    Match from *
    Pass from *
    Split from *
    Divert from *
    Match from ip *
    Pass from ip *
    Split from ip *
    Divert from ip *
    Match from ip 127.0.0.1
    Pass from ip 127.0.0.1
    Split from ip 127.0.0.1
    Divert from ip 127.0.0.1
    Match from ip 127.0.0.1 to host *
    Pass from ip 127.0.0.1 to host *
    Split from ip 127.0.0.1 to host *
    Divert from ip 127.0.0.1 to host *
    Match from ip 127.0.0.1 to host example.com
    Pass from ip 127.0.0.1 to host example.com
    Split from ip 127.0.0.1 to host example.com
    Divert from ip 127.0.0.1 to host example.com
    Match from ip 127.0.0.1 to host example.com port *
    Pass from ip 127.0.0.1 to host example.com port *
    Split from ip 127.0.0.1 to host example.com port *
    Divert from ip 127.0.0.1 to host example.com port *

    Match from ip 127.0.0.1 to host example.com port 9206
    # No Divert, Split, or Pass, because their precedence is higher than Block's

    # The most specific and the highest precedence action
    Block from ip 127.0.0.1 to host example.com port 9206
}

# Same precedence test over https: listener 8207 -> target 9207.
ProxySpec {
    Proto https
    Addr 127.0.0.1
    Port 8207
    DivertPort 8080
    TargetAddr 127.0.0.1
    TargetPort 9207
    Divert yes

    # Unrelated rules should not have any effect
    Pass from ip 127.0.0.0
    Pass from ip 127.0.0.2
    Pass from ip 127.0.0.1 to ip 127.0.0.0
    Pass from ip 127.0.0.1 to ip 127.0.0.2
    Pass from ip 127.0.0.1 to host example.com port 8206
    Pass from ip 127.0.0.1 to host example.com port 9208
    Pass from ip 127.0.0.1 to host example.com port 8206 log connect
    Pass from ip 127.0.0.1 to host example.com port 9208 log connect

    # Lower precedence actions should not change filter action
    # Less specific rules should not change filter action
    Match *
    Pass *
    Split *
    Divert *
    Match from *
    Pass from *
    Split from *
    Divert from *
    Match from ip *
    Pass from ip *
    Split from ip *
    Divert from ip *
    Match from ip 127.0.0.1
    Pass from ip 127.0.0.1
    Split from ip 127.0.0.1
    Divert from ip 127.0.0.1
    Match from ip 127.0.0.1 to host *
    Pass from ip 127.0.0.1 to host *
    Split from ip 127.0.0.1 to host *
    Divert from ip 127.0.0.1 to host *
    Match from ip 127.0.0.1 to host example.com
    Pass from ip 127.0.0.1 to host example.com
    Split from ip 127.0.0.1 to host example.com
    Divert from ip 127.0.0.1 to host example.com
    Match from ip 127.0.0.1 to host example.com port *
    Pass from ip 127.0.0.1 to host example.com port *
    Split from ip 127.0.0.1 to host example.com port *
    Divert from ip 127.0.0.1 to host example.com port *

    Match from ip 127.0.0.1 to host example.com port 9207
    # No Divert, Split, or Pass, because their precedence is higher than Block's

    # The most specific and the highest precedence action
    Block from ip 127.0.0.1 to host example.com port 9207
}

# Tests for URI filtering rules
# Same layout as the host tests, but the destination is matched with
# "to uri" instead of "to host". The four proxyspecs alternate http and
# https listeners (8208-8211).
ProxySpec {
    Proto http
    Addr 127.0.0.1
    Port 8208
    DivertPort 8080
    TargetAddr 127.0.0.1
    TargetPort 9208
    Divert yes

    # Unrelated rules should not have any effect
    Pass from ip 127.0.0.0
    Pass from ip 127.0.0.2
    Pass from ip 127.0.0.1 to ip 127.0.0.0
    Pass from ip 127.0.0.1 to ip 127.0.0.2
    Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 8207
    Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9209
    Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 8207 log connect
    Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9209 log connect

    # Lower precedence actions should not change filter action
    # Less specific rules should not change filter action
    Match *
    Pass *
    Split *
    Divert *
    Match from *
    Pass from *
    Split from *
    Divert from *
    Match from ip *
    Pass from ip *
    Split from ip *
    Divert from ip *
    Match from ip 127.0.0.1
    Pass from ip 127.0.0.1
    Split from ip 127.0.0.1
    Divert from ip 127.0.0.1
    Match from ip 127.0.0.1 to uri *
    Pass from ip 127.0.0.1 to uri *
    Split from ip 127.0.0.1 to uri *
    Divert from ip 127.0.0.1 to uri *
    Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php
    Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php
    Split from ip 127.0.0.1 to uri /utmfw/View/system/index.php
    Divert from ip 127.0.0.1 to uri /utmfw/View/system/index.php
    Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
    Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
    Split from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
    Divert from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *

    Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9208
    # No Divert, Split, or Pass, because their precedence is higher than Block's

    # The most specific and the highest precedence action
    Block from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9208
}

ProxySpec {
    Proto https
    Addr 127.0.0.1
    Port 8209
    DivertPort 8080
    TargetAddr 127.0.0.1
    TargetPort 9209
    Divert yes

    # Unrelated rules should not have any effect
    Pass from ip 127.0.0.0
    Pass from ip 127.0.0.2
    Pass from ip 127.0.0.1 to ip 127.0.0.0
    Pass from ip 127.0.0.1 to ip 127.0.0.2
    Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 8208
    Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9210
    Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 8208 log connect
    Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9210 log connect

    # Lower precedence actions should not change filter action
    # Less specific rules should not change filter action
    Match *
    Pass *
    Split *
    Divert *
    Match from *
    Pass from *
    Split from *
    Divert from *
    Match from ip *
    Pass from ip *
    Split from ip *
    Divert from ip *
    Match from ip 127.0.0.1
    Pass from ip 127.0.0.1
    Split from ip 127.0.0.1
    Divert from ip 127.0.0.1
    Match from ip 127.0.0.1 to uri *
    Pass from ip 127.0.0.1 to uri *
    Split from ip 127.0.0.1 to uri *
    Divert from ip 127.0.0.1 to uri *
    Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php
    Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php
    Split from ip 127.0.0.1 to uri /utmfw/View/system/index.php
    Divert from ip 127.0.0.1 to uri /utmfw/View/system/index.php
    Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
    Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
    Split from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
    Divert from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *

    Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9209
    # No Divert, Split, or Pass, because their precedence is higher than Block's

    # The most specific and the highest precedence action
    Block from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9209
}

ProxySpec {
    Proto http
    Addr 127.0.0.1
    Port 8210
    DivertPort 8080
    TargetAddr 127.0.0.1
    TargetPort 9210
    Divert yes

    # Unrelated rules should not have any effect
    Pass from ip 127.0.0.0
    Pass from ip 127.0.0.2
    Pass from ip 127.0.0.1 to ip 127.0.0.0
    Pass from ip 127.0.0.1 to ip 127.0.0.2
    Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 8209
    Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9211
    Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 8209 log connect
    Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9211 log connect

    # Lower precedence actions should not change filter action
    # Less specific rules should not change filter action
    Match *
    Pass *
    Split *
    Divert *
    Match from *
    Pass from *
    Split from *
    Divert from *
    Match from ip *
    Pass from ip *
    Split from ip *
    Divert from ip *
    Match from ip 127.0.0.1
    Pass from ip 127.0.0.1
    Split from ip 127.0.0.1
    Divert from ip 127.0.0.1
    Match from ip 127.0.0.1 to uri *
    Pass from ip 127.0.0.1 to uri *
    Split from ip 127.0.0.1 to uri *
    Divert from ip 127.0.0.1 to uri *
    Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php
    Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php
    Split from ip 127.0.0.1 to uri /utmfw/View/system/index.php
    Divert from ip 127.0.0.1 to uri /utmfw/View/system/index.php
    Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
    Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
    Split from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
    Divert from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *

    Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9210
    # No Divert, Split, or Pass, because their precedence is higher than Block's

    # The most specific and the highest precedence action
    Block from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9210
}

ProxySpec {
    Proto https
    Addr 127.0.0.1
    Port 8211
    DivertPort 8080
    TargetAddr 127.0.0.1
    TargetPort 9211
    Divert yes

    # Unrelated rules should not have any effect
    Pass from ip 127.0.0.0
    Pass from ip 127.0.0.2
    Pass from ip 127.0.0.1 to ip 127.0.0.0
    Pass from ip 127.0.0.1 to ip 127.0.0.2
    Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 8210
    Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9212
    Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 8210 log connect
    Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9212 log connect

    # Lower precedence actions should not change filter action
    # Less specific rules should not change filter action
    Match *
    Pass *
    Split *
    Divert *
    Match from *
    Pass from *
    Split from *
    Divert from *
    Match from ip *
    Pass from ip *
    Split from ip *
    Divert from ip *
    Match from ip 127.0.0.1
    Pass from ip 127.0.0.1
    Split from ip 127.0.0.1
    Divert from ip 127.0.0.1
    Match from ip 127.0.0.1 to uri *
    Pass from ip 127.0.0.1 to uri *
    Split from ip 127.0.0.1 to uri *
    Divert from ip 127.0.0.1 to uri *
    Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php
    Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php
    Split from ip 127.0.0.1 to uri /utmfw/View/system/index.php
    Divert from ip 127.0.0.1 to uri /utmfw/View/system/index.php
    Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
    Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
    Split from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
    Divert from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *

    Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9211
    # No Divert, Split, or Pass, because their precedence is higher than Block's

    # The most specific and the highest precedence action
    Block from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9211
}

# Tests for structured filtering rules
# Each proxyspec sets one value per option and its FilterRule sets a
# different one, so the test can observe which of the two is in effect.
ProxySpec {
    Proto https
    Addr 127.0.0.1
    Port 8212
    DivertPort 8080
    TargetAddr 127.0.0.1
    TargetPort 9212
    Divert yes

    # FilterRule below should override these options
    # NOTE(review): the values here (Ciphers LOW, SSLCompression yes,
    # AllowWrongHost yes, ...) look chosen only to differ from the
    # FilterRule's; they are test fixtures, not settings to copy.
    DenyOCSP no
    Passthrough yes
    CACert ca2.crt
    CAKey ca2.key
    #ClientCert /etc/sslproxy/client.crt
    #ClientKey /etc/sslproxy/client.key
    #CAChain /etc/sslproxy/chain.crt
    #LeafCRLURL http://example.com/example.crl
    #DHGroupParams /etc/sslproxy/dh.pem
    #ECDHCurve prime256v1
    SSLCompression yes
    ForceSSLProto tls12
    DisableSSLProto tls13
    MinSSLProto tls11
    MaxSSLProto tls12
    Ciphers LOW
    CipherSuites TLS_AES_128_CCM_SHA256
    RemoveHTTPAcceptEncoding no
    RemoveHTTPReferer no
    VerifyPeer yes
    AllowWrongHost yes
    UserAuth yes
    #UserTimeout 300
    #UserAuthURL https://192.168.0.1/userdblogin.php
    ValidateProto no
    MaxHTTPHeaderSize 2048

    # Matches by source IP, destination IP and destination port.
    FilterRule {
        Action Match
        SrcIp 127.0.0.1
        DstIp 127.0.0.1
        DstPort 9212
        Log connect

        DenyOCSP yes
        Passthrough no
        # ca.crt / ca.key are relative paths to the test CA pair; a CA key
        # kept alongside test fixtures should stay a throwaway key.
        CACert ca.crt
        CAKey ca.key
        #ClientCert /etc/sslproxy/client.crt
        #ClientKey /etc/sslproxy/client.key
        #CAChain /etc/sslproxy/chain.crt
        #LeafCRLURL http://example.com/example.crl
        #DHGroupParams /etc/sslproxy/dh.pem
        ECDHCurve prime256v1
        SSLCompression no
        # ForceSSLProto tls13 is set together with MinSSLProto tls10; how
        # the two combine is not visible here -- confirm in sslproxy.conf(5).
        ForceSSLProto tls13
        EnableSSLProto tls13
        MinSSLProto tls10
        MaxSSLProto tls13
        Ciphers MEDIUM:HIGH
        CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
        RemoveHTTPAcceptEncoding yes
        RemoveHTTPReferer yes
        # VerifyPeer no leaves the upstream server certificate unverified;
        # the target in this test is a loopback server (127.0.0.1:9212).
        VerifyPeer no
        AllowWrongHost no
        UserAuth no
        #UserTimeout 300
        #UserAuthURL https://192.168.0.1/userdblogin.php
        ValidateProto yes
        MaxHTTPHeaderSize 8192
    }
}

ProxySpec {
    Proto https
    Addr 127.0.0.1
    Port 8213
    DivertPort 8080
    TargetAddr 127.0.0.1
    TargetPort 9213
    Divert yes

    # FilterRule below should override these options
    # (unlike the 8212 proxyspec, VerifyPeer and UserAuth are commented out
    # here and Ciphers is MEDIUM:HIGH)
    DenyOCSP no
    Passthrough yes
    CACert ca2.crt
    CAKey ca2.key
    #ClientCert /etc/sslproxy/client.crt
    #ClientKey /etc/sslproxy/client.key
    #CAChain /etc/sslproxy/chain.crt
    #LeafCRLURL http://example.com/example.crl
    #DHGroupParams /etc/sslproxy/dh.pem
    #ECDHCurve prime256v1
    SSLCompression yes
    ForceSSLProto tls12
    DisableSSLProto tls13
    MinSSLProto tls11
    MaxSSLProto tls12
    Ciphers MEDIUM:HIGH
    CipherSuites TLS_AES_128_CCM_SHA256
    RemoveHTTPAcceptEncoding no
    RemoveHTTPReferer no
    #VerifyPeer yes
    AllowWrongHost yes
    #UserAuth yes
    #UserTimeout 300
    #UserAuthURL https://192.168.0.1/userdblogin.php
    ValidateProto no
    MaxHTTPHeaderSize 2048

    # Matches by source IP, certificate CN and destination port.
    FilterRule {
        Action Match
        SrcIp 127.0.0.1
        CN comixwall.org
        DstPort 9213
        Log connect

        # Reconnect srvdst to apply the SSL config in this rule
        # NOTE(review): presumably needed because the CN is only known
        # after the first handshake with the server -- confirm in
        # sslproxy.conf(5).
        ReconnectSSL yes

        DenyOCSP yes
        Passthrough no
        CACert ca.crt
        CAKey ca.key
        #ClientCert /etc/sslproxy/client.crt
        #ClientKey /etc/sslproxy/client.key
        #CAChain /etc/sslproxy/chain.crt
        #LeafCRLURL http://example.com/example.crl
        #DHGroupParams /etc/sslproxy/dh.pem
        ECDHCurve prime256v1
        SSLCompression no
        ForceSSLProto tls13
        EnableSSLProto tls13
        MinSSLProto tls10
        MaxSSLProto tls13
        Ciphers MEDIUM:HIGH
        CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
        RemoveHTTPAcceptEncoding yes
        RemoveHTTPReferer yes
        # Upstream certificate is not verified; loopback test target only.
        VerifyPeer no
        AllowWrongHost no
        UserAuth no
        #UserTimeout 300
        #UserAuthURL https://192.168.0.1/userdblogin.php
        ValidateProto yes
        MaxHTTPHeaderSize 8192
    }
}

# Autossl tests for HTTP request headers: SSLproxy, Connection, Upgrade, Keep-Alive, Accept-Encoding, Via, X-Forwarded-For, and Referer
# The first proxyspec names a divert port (up:8080); the second gives none.
ProxySpec autossl 127.0.0.1 8214 up:8080 127.0.0.1 9214
ProxySpec autossl 127.0.0.1 8215 127.0.0.1 9215