Archives
/
SSLproxy
mirror of https://github.com/sonertari/SSLproxy
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
develop
master
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.7.0
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.8.6
v0.9.0
v0.9.1
v0.9.2
v0.9.3
v0.9.4
v0.9.5
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'd2e9ab4487'
${ noResults }
SSLproxy/sslproxy.conf

138 lines
4.0 KiB
Plaintext
Raw Blame History

# This is the SSLproxy configuration file
# Use CA cert (and key) to sign forged certs
CACert /etc/sslproxy/ca.crt
# Use CA key (and cert) to sign forged certs
CAKey /etc/sslproxy/ca.key
# Use cert from pemfile when destination requests client certs
#ClientCert /etc/sslproxy/client.crt
# Use key from pemfile when destination requests client certs
#ClientKey /etc/sslproxy/client.key
# Use CA chain from pemfile (intermediate and root CA certs)
#CAChain /etc/sslproxy/chain.crt
# Use key from pemfile for leaf certs (default: generate)
#LeafCerts /etc/sslproxy/leaf.key
# Use URL as CRL distribution point for all forged certs
#CRL http://example.com
# Use cert+chain+key PEM files from certdir to target all sites
# matching the common names (non-matching: generate if CA)
#TargetCertDir /etc/sslproxy/target
# Write leaf key and only generated certificates to gendir
#WriteGenCertsDir /var/run/sslproxy
# Write leaf key and all certificates to gendir
#WriteAllCertsDir /var/run/sslproxy
# Deny all OCSP requests on all proxyspecs
#DenyOCSP yes
# Passthrough SSL connections if they cannot be split because of
# client cert auth or no matching cert and no CA (default: drop)
#Passthrough yes
# Use DH group params from pemfile (default: keyfiles or auto)
#DHGroupParams /etc/sslproxy/dh.pem
# Use ECDH named curve (default: prime256v1)
#ECDHCurve prime256v1
# Enable/disable SSL/TLS compression on all connections
#SSLCompression no
# Force SSL/TLS protocol version only (default: all)
#ForceSSLProto tls12
# Disable SSL/TLS protocol version (default: none)
#DisableSSLProto tls10
# Use the given OpenSSL cipher suite spec (default: ALL:-aNULL)
Ciphers ALL:!RC4
# OpenSSL engine to activate, either ID or full path to shared library
#OpenSSLEngine cloudhsm
# Specify default NAT engine to use
#NATEngine netfilter
# Drop privileges to user and group (default if run as root: nobody)
User _sslproxy
Group _sslproxy
# chroot() to jaildir (impacts sni proxyspecs, see manual page)
#Chroot /var/run/sslproxy
# Write pid to pidfile (default: no pid file)
PidFile /var/run/sslproxy.pid
# Connect log: log one line summary per connection to logfile
#ConnectLog /var/log/sslproxy/connect.log
# Content log: full data to file or named pipe (excludes ContentLogDir/ContentLogPathSpec)
#ContentLog /var/log/sslproxy/content.log
# Content log: full data to separate files in dir (excludes ContentLog/ContentLogPathSpec)
#ContentLogDir /var/log/sslproxy/content
# Content log: full data to sep files with % subst (excludes ContentLog/ContentLogDir)
#ContentLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.log
# Look up local process owning each connection for logging
#LogProcInfo yes
# Log master keys to logfile in SSLKEYLOGFILE format
#MasterKeyLog /var/log/sslproxy/masterkeys.log
# Daemon mode: run in background, log error messages to syslog
Daemon yes
# Debug mode: run in foreground, log debug messages on stderr
#Debug yes
# Verbose debug level
#DebugLevel 4
# Close connections after this many seconds of idle time
ConnIdleTimeout 120
# Check for expired connections every this many seconds
ExpiredConnCheckPeriod 10
# Retry to shut ssl conns down after this many micro seconds
# Increasing this delay may avoid dirty shutdowns on slow connections,
# but increases resource usage, such as file desriptors and memory
SSLShutdownRetryDelay 100
# Log statistics to syslog
LogStats yes
# Log statistics every this many ExpiredConnCheckPeriod periods
StatsPeriod 1
# Remove HTTP header line for Accept-Encoding
RemoveHTTPAcceptEncoding no
# Remove HTTP header line for Referer
RemoveHTTPReferer yes
# Verify peer using default certificates
VerifyPeer yes
# When disabled, never add the SNI to forged certificates, even if the SNI
# provided by the client does not match the server certificate's CN/SAN.
# Helps pass the wrong.host test at https://badssl.com.
AllowWrongHost no
# Proxy specifications
# type listenaddr+port up:utmport
ProxySpec https 127.0.0.1 8443 up:8080
ProxySpec pop3s 127.0.0.1 8995 up:8110
ProxySpec smtps 127.0.0.1 8465 up:9199
Reference in New Issue View Git Blame Copy Permalink