Archives
/
SSLproxy
mirror of https://github.com/sonertari/SSLproxy
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
develop
master
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.7.0
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.8.6
v0.9.0
v0.9.1
v0.9.2
v0.9.3
v0.9.4
v0.9.5
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'af27340889'
${ noResults }
SSLproxy/src/sslproxy.conf

313 lines
8.6 KiB
Plaintext
Raw Blame History

# Sample configuration for sslproxy v0.8.0
#
# Use the -f command line option to start sslproxy with a config file.
# See sslproxy.conf(5) and sslproxy(1) for documentation.
# Use CA cert (and key) to sign forged certs.
# Equivalent to -c command line option.
CACert /etc/sslproxy/ca.crt
# Use CA key (and cert) to sign forged certs.
# Equivalent to -k command line option.
CAKey /etc/sslproxy/ca.key
# Use cert from pemfile when destination requests client certs.
# Equivalent to -a command line option.
#ClientCert /etc/sslproxy/client.crt
# Use key from pemfile when destination requests client certs.
# Equivalent to -b command line option.
#ClientKey /etc/sslproxy/client.key
# Use CA chain from pemfile (intermediate and root CA certs).
# Equivalent to -C command line option.
#CAChain /etc/sslproxy/chain.crt
# Use key from pemfile for leaf certs.
# Equivalent to -K command line option.
# (default: generate)
#LeafKey /etc/sslproxy/leaf.key
# Use URL as CRL distribution point for all forged certs.
# Equivalent to -q command line option.
#LeafCRLURL http://example.com/example.crl
# Use cert+chain+key PEM files from certdir to target all sites matching the
# common names (non-matching: generate if CA).
# Equivalent to -t command line option.
#LeafCertDir /etc/sslproxy/leaf.d
# Use cert+chain+key from PEM file instead of generating leaf keys on the fly.
# Equivalent to -A command line option.
#DefaultLeafCert /etc/sslproxy/leaf.pem
# Write leaf key and only generated certificates to gendir.
# Equivalent to -w command line option.
#WriteGenCertsDir /var/log/sslproxy
# Write leaf key and all certificates to gendir.
# Equivalent to -W command line option.
#WriteAllCertsDir /var/log/sslproxy
# Deny all OCSP requests on all proxyspecs.
# Equivalent to -O command line option.
#DenyOCSP yes
# Passthrough SSL connections if they cannot be split because of client cert
# auth or no matching cert and no CA.
# Equivalent to -P command line option.
# (default: drop)
#Passthrough yes
# Use DH group params from pemfile.
# Equivalent to -g command line option.
# (default: keyfiles or auto)
#DHGroupParams /etc/sslproxy/dh.pem
# Use ECDH named curve.
# Equivalent to -G command line option.
# (default: prime256v1)
#ECDHCurve prime256v1
# Enable/disable SSL/TLS compression on all connections.
# Equivalent to -Z command line option.
#SSLCompression no
# Force SSL/TLS protocol version only.
# Equivalent to -r command line option.
# (default: all)
#ForceSSLProto tls12
# Disable SSL/TLS protocol version.
# Equivalent to -R command line option.
# (default: none)
#DisableSSLProto tls10
# Min SSL/TLS protocol version.
# (default: tls10)
#MinSSLProto tls10
# Max SSL/TLS protocol version.
# (default: tls12)
#MaxSSLProto tls12
# Use the given OpenSSL ciphers spec.
# Equivalent to -s command line option.
# (default: ALL:-aNULL)
#Ciphers MEDIUM:HIGH
# Use the given OpenSSL ciphersuites spec.
# The ciphersuites spec is for TLS 1.3.
# Equivalent to -U command line option.
# (default: ALL:-aNULL)
#CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
# Leaf key RSA keysize in bits, use 1024|2048|3072|4096.
# (default: 2048)
#LeafKeyRSABits 2048
# OpenSSL engine to activate, either ID or full path to shared library
# Equivalent to -x command line option
#OpenSSLEngine cloudhsm
# Specify default NAT engine to use.
# Equivalent to -e command line option.
#NATEngine netfilter
# Drop privileges to user.
# Equivalent to -u command line option.
# (default: nobody, if run as root)
#User _sslproxy
# Drop privileges to group.
# Equivalent to -m command line option.
# (default: primary group of user)
#Group _sslproxy
# chroot() to jaildir (impacts sni proxyspecs, see sslproxy(1)).
# Equivalent to -j command line option.
#Chroot /var/run/sslproxy
# Write pid to file.
# Equivalent to -p command line option.
# (default: no pid file)
PidFile /var/run/sslproxy.pid
# Connect log: log one line summary per connection to logfile.
# Equivalent to -l command line option.
#ConnectLog /var/log/sslproxy/connect.log
# Content log: full data to file or named pipe
# (excludes ContentLogDir/ContentLogPathSpec).
# Equivalent to -L command line option.
#ContentLog /var/log/sslproxy/content.log
# Content log: full data to separate files in dir
# (excludes ContentLog/ContentLogPathSpec).
# Equivalent to -S command line option.
#ContentLogDir /var/log/sslproxy/content
# Content log: full data to sep files with % subst
# (excludes ContentLog/ContentLogDir).
# Equivalent to -F command line option.
#ContentLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.log
# Look up local process owning each connection for logging.
# Equivalent to -i command line option.
#LogProcInfo yes
# Pcap log: packets to pcapfile (excludes PcapLogDir/PcapLogPathSpec).
# Equivalent to -X command line option.
#PcapLog /var/log/sslproxy/content.pcap
# Pcap log: packets to separate files in dir
# (excludes PcapLog/PcapLogPathSpec).
# Equivalent to -Y command line option.
#PcapLogDir /var/log/sslproxy/pcap
# Pcap log: packets to sep files with % subst (excludes PcapLog/PcapLogDir).
# Equivalent to -y command line option.
#PcapLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.pcap
# Mirror packets to interface.
# Equivalent to -I command line option.
#MirrorIf lo
# Mirror packets to target address (used with MirrorIf).
# Equivalent to -T command line option.
#MirrorTarget 192.0.2.1
# Log master keys to logfile in SSLKEYLOGFILE format.
# Equivalent to -M command line option.
#MasterKeyLog /var/log/sslproxy/masterkeys.log
# Daemon mode: run in background, log error messages to syslog.
# Equivalent to -d command line option.
Daemon yes
# Debug mode: run in foreground, log debug messages on stderr.
# Equivalent to -D command line option.
#Debug yes
# Verbose debug level
#DebugLevel 4
# Close connections after this many seconds of idle time
ConnIdleTimeout 120
# Check for expired connections every this many seconds
ExpiredConnCheckPeriod 10
# Log statistics to syslog
# Equivalent to -J command line option.
LogStats yes
# Log statistics every this many ExpiredConnCheckPeriod periods
StatsPeriod 1
# Remove HTTP header line for Accept-Encoding
RemoveHTTPAcceptEncoding no
# Remove HTTP header line for Referer
RemoveHTTPReferer yes
# Verify peer using default certificates
VerifyPeer yes
# When disabled, never add the SNI to forged certificates, even if the SNI
# provided by the client does not match the server certificate's CN/SAN.
# Helps pass the wrong.host test at https://badssl.com.
AllowWrongHost no
# Require authentication for users to use SSLproxy
#UserAuth no
# Path to user db file
#UserDBPath /var/db/users.db
# Time users out after this many seconds of idle time
#UserTimeout 300
# Redirect URL for users to log in to the system
#UserAuthURL https://192.168.0.1/userdblogin.php
# Validate proxy spec protocols
#ValidateProto no
# Max HTTP header size in bytes for protocol validation
#MaxHTTPHeaderSize 8192
# Set open files limit, use 50-10000
#OpenFilesLimit 1024
# Passthrough sites
# site [(clientaddr|(user|*) [description keyword])]
#PassSite example.com
#PassSite example.com 192.168.0.1
#PassSite example.com soner
#PassSite *.google.com * android
# One line proxy specifications
# type listenaddr+port up:utmport [ua:utmaddr ra:returnaddr]
#ProxySpec https 127.0.0.1 8443 up:8080 [ua:127.0.0.1 ra:127.0.0.1]
ProxySpec https 127.0.0.1 8443 up:8080
ProxySpec pop3s 127.0.0.1 8995 up:8110
ProxySpec smtps 127.0.0.1 8465 up:9199
# Structured proxy specifications
# Global config is cloned into all proxyspecs first
# Each proxyspec can override its cloned global config
ProxySpec {
Proto https
# Listen address
Addr 127.0.0.1
# Listen port
Port 8444
# Divert address defaults to 127.0.0.1, if not specified
# Equivalent to ua
DivertAddr 127.0.0.1
# Equivalent to up
DivertPort 8080
# Return address defaults to 127.0.0.1, if not specified
# Equivalent to ra
ReturnAddr 127.0.0.1
# Specify nat, sni, or target config
#NatEngine netfilter
#SNIPort 443
#TargetAddr 127.0.0.1
#TargetPort 9443
DenyOCSP yes
Passthrough no
# Proxyspec specific SSL/TLS config, overrides the cloned global config
#CACert ca.crt
#CAKey ca.key
#ClientCert client.crt
#ClientKey client.key
#CAChain chain.crt
#DHGroupParams dh.pem
#ECDHCurve prime256v1
#SSLCompression no
#ForceSSLProto tls12
#DisableSSLProto tls10
#MinSSLProto tls10
#MaxSSLProto tls12
#Ciphers MEDIUM:HIGH
#CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
RemoveHTTPAcceptEncoding no
RemoveHTTPReferer yes
VerifyPeer yes
UserAuth yes
UserTimeout 300
UserAuthURL https://192.168.0.1/userdblogin.php
ValidateProto yes
# Proxyspec specific passsites are appended to the cloned global passsites
PassSite example2.com
}
Reference in New Issue View Git Blame Copy Permalink