mirror of https://github.com/sonertari/SSLproxy
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1758 lines
45 KiB
Plaintext
1758 lines
45 KiB
Plaintext
# TestProxy test configuration for sslproxy v0.9.5
|
|
|
|
# Global options
|
|
#User _sslproxy
|
|
#Group _sslproxy
|
|
#Chroot /var/run/sslproxy
|
|
PidFile /var/run/sslproxy.pid
|
|
#Daemon yes
|
|
Debug yes
|
|
DebugLevel 4
|
|
#OpenFilesLimit 1024
|
|
#LeafKey /etc/sslproxy/leaf.key
|
|
#LeafKeyRSABits 2048
|
|
#LeafCertDir /etc/sslproxy/leaf.d
|
|
#DefaultLeafCert /etc/sslproxy/leaf.pem
|
|
#WriteGenCertsDir /var/log/sslproxy
|
|
#WriteAllCertsDir /var/log/sslproxy
|
|
#OpenSSLEngine cloudhsm
|
|
#ConnectLog /var/log/sslproxy/connect.log
|
|
#ContentLog /var/log/sslproxy/content.log
|
|
#ContentLogDir /var/log/sslproxy/content
|
|
#ContentLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.log
|
|
#LogProcInfo yes
|
|
#PcapLog /var/log/sslproxy/content.pcap
|
|
#PcapLogDir /var/log/sslproxy/pcap
|
|
#PcapLogPathSpec /var/log/sslproxy/%X/%u-%s-%d-%T.pcap
|
|
#MirrorIf lo
|
|
#MirrorTarget 192.0.2.1
|
|
#MasterKeyLog /var/log/sslproxy/masterkeys.log
|
|
LogStats yes
|
|
StatsPeriod 1
|
|
ConnIdleTimeout 120
|
|
ExpiredConnCheckPeriod 10
|
|
UserDBPath users.db
|
|
|
|
# Default ProxySpec options (cloned to each proxyspec)
|
|
CACert ca.crt
|
|
CAKey ca.key
|
|
#ClientCert /etc/sslproxy/client.crt
|
|
#ClientKey /etc/sslproxy/client.key
|
|
#CAChain /etc/sslproxy/chain.crt
|
|
#LeafCRLURL http://example.com/example.crl
|
|
#DenyOCSP yes
|
|
#Passthrough yes
|
|
#DHGroupParams /etc/sslproxy/dh.pem
|
|
#ECDHCurve prime256v1
|
|
#SSLCompression no
|
|
#ForceSSLProto tls12
|
|
#DisableSSLProto tls10
|
|
#EnableSSLProto tls10
|
|
#MinSSLProto tls10
|
|
#MaxSSLProto tls13
|
|
#Ciphers MEDIUM:HIGH
|
|
#CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
|
|
#NATEngine netfilter
|
|
#RemoveHTTPAcceptEncoding no
|
|
#RemoveHTTPReferer yes
|
|
VerifyPeer no
|
|
#AllowWrongHost no
|
|
#UserAuth no
|
|
#UserTimeout 300
|
|
#UserAuthURL https://192.168.0.1/userdblogin.php
|
|
#ValidateProto no
|
|
#MaxHTTPHeaderSize 8192
|
|
#PassSite example.com
|
|
#PassSite example.com 192.168.0.1
|
|
#PassSite example.com soner
|
|
#PassSite *.google.com * android
|
|
#Divert yes
|
|
|
|
# Tests for tcp connection over ssl proxyspec
|
|
ProxySpec https 127.0.0.1 8441 up:8080 127.0.0.1 9441
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8442
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9442
|
|
ValidateProto yes
|
|
}
|
|
|
|
# Tests for ssl connection on tcp proxyspec
|
|
ProxySpec {
|
|
Proto http
|
|
Addr 127.0.0.1
|
|
Port 8183
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9183
|
|
ValidateProto yes
|
|
}
|
|
|
|
# Tests for HTTP GET method validation
|
|
ProxySpec {
|
|
Proto http
|
|
Addr 127.0.0.1
|
|
Port 8184
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9184
|
|
ValidateProto yes
|
|
}
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8444
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9444
|
|
ValidateProto yes
|
|
}
|
|
|
|
# Tests for HTTP POST method validation
|
|
ProxySpec {
|
|
Proto http
|
|
Addr 127.0.0.1
|
|
Port 8185
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9185
|
|
ValidateProto yes
|
|
}
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8445
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9445
|
|
ValidateProto yes
|
|
}
|
|
|
|
# Tests for SSL configuration
|
|
ProxySpec https 127.0.0.1 8443 up:8080 127.0.0.1 9443
|
|
# Tests for SSL configuration: tls10 only
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8449
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9449
|
|
ForceSSLProto tls10
|
|
}
|
|
# Tests for SSL configuration: tls11 only
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8450
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9450
|
|
ForceSSLProto tls11
|
|
}
|
|
# Tests for SSL configuration: tls12 only
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8451
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9451
|
|
ForceSSLProto tls12
|
|
}
|
|
# Tests for SSL configuration: tls13 only
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8462
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9462
|
|
ForceSSLProto tls13
|
|
CipherSuites TLS_CHACHA20_POLY1305_SHA256
|
|
}
|
|
# Tests for SSL configuration: Rejects unsupported SSL/TLS proto
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8452
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9452
|
|
ForceSSLProto tls10
|
|
}
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8453
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9453
|
|
ForceSSLProto tls12
|
|
}
|
|
|
|
# Tests for HTTP request headers: SSLproxy, Connection, Upgrade, Keep-Alive, Accept-Encoding, Via, X-Forwarded-For, and Referer
|
|
ProxySpec http 127.0.0.1 8180 up:8080 127.0.0.1 9180
|
|
ProxySpec https 127.0.0.1 8446 up:8080 127.0.0.1 9446
|
|
|
|
# Tests for HTTP response headers: Public-Key-Pins, Public-Key-Pins-Report-Only, Strict-Transport-Security, Expect-CT, Alternate-Protocol, Upgrade, OCSP request
|
|
ProxySpec http 127.0.0.1 8181 up:8080 127.0.0.1 9181
|
|
ProxySpec https 127.0.0.1 8447 up:8080 127.0.0.1 9447
|
|
|
|
# Tests for HTTP response headers: Deny OCSP request, remove Accept-Encoding, and do not remove Referer
|
|
ProxySpec {
|
|
Proto http
|
|
Addr 127.0.0.1
|
|
Port 8186
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9186
|
|
DenyOCSP yes
|
|
RemoveHTTPAcceptEncoding yes
|
|
RemoveHTTPReferer no
|
|
}
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8448
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9448
|
|
DenyOCSP yes
|
|
RemoveHTTPAcceptEncoding yes
|
|
RemoveHTTPReferer no
|
|
}
|
|
|
|
# Tests for Passthrough
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8454
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9454
|
|
Passthrough yes
|
|
VerifyPeer yes
|
|
}
|
|
|
|
# Tests for VerifyPeer
|
|
ProxySpec https 127.0.0.1 8455 up:8080 127.0.0.1 9455
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8456
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9456
|
|
VerifyPeer yes
|
|
}
|
|
|
|
# Tests for CACert/CAKey
|
|
ProxySpec https 127.0.0.1 8457 up:8080 127.0.0.1 9457
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8458
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9458
|
|
CACert ca2.crt
|
|
CAKey ca2.key
|
|
}
|
|
|
|
# Tests for UserAuth
|
|
ProxySpec {
|
|
Proto http
|
|
Addr 127.0.0.1
|
|
Port 8187
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9187
|
|
UserAuth yes
|
|
}
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8459
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9459
|
|
UserAuth yes
|
|
}
|
|
|
|
# Tests for POP3
|
|
ProxySpec {
|
|
Proto pop3
|
|
Addr 127.0.0.1
|
|
Port 8188
|
|
DivertPort 8110
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9188
|
|
ValidateProto yes
|
|
}
|
|
ProxySpec {
|
|
Proto pop3s
|
|
Addr 127.0.0.1
|
|
Port 8460
|
|
DivertPort 8110
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9460
|
|
ValidateProto yes
|
|
}
|
|
|
|
# Tests for SMTP
|
|
ProxySpec {
|
|
Proto smtp
|
|
Addr 127.0.0.1
|
|
Port 8189
|
|
DivertPort 9199
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9189
|
|
ValidateProto yes
|
|
}
|
|
ProxySpec {
|
|
Proto smtps
|
|
Addr 127.0.0.1
|
|
Port 8461
|
|
DivertPort 9199
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9461
|
|
ValidateProto yes
|
|
}
|
|
|
|
# SSLsplit mode tests for HTTP request headers: SSLproxy, Connection, Upgrade, Keep-Alive, Accept-Encoding, Via, X-Forwarded-For, and Referer
|
|
ProxySpec http 127.0.0.1 8190 127.0.0.1 9190
|
|
ProxySpec https 127.0.0.1 8463 127.0.0.1 9463
|
|
|
|
# Tests for Divert filtering rules
|
|
ProxySpec {
|
|
Proto http
|
|
Addr 127.0.0.1
|
|
Port 8191
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9191
|
|
Divert no
|
|
|
|
# Unrelated rules should not have any effect
|
|
Block from ip 127.0.0.0
|
|
Block from ip 127.0.0.2
|
|
Block from ip 127.0.0.1 to ip 127.0.0.0
|
|
Block from ip 127.0.0.1 to ip 127.0.0.2
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9190
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9192
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9190 log connect
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9192 log connect
|
|
|
|
# Lower precedence actions should not change filter action
|
|
# Less specific rules should not change filter action
|
|
Match *
|
|
Block *
|
|
Pass *
|
|
Split *
|
|
|
|
Match from *
|
|
Block from *
|
|
Pass from *
|
|
Split from *
|
|
|
|
Match from ip *
|
|
Block from ip *
|
|
Pass from ip *
|
|
Split from ip *
|
|
|
|
Match from ip 127.0.0.1
|
|
Block from ip 127.0.0.1
|
|
Pass from ip 127.0.0.1
|
|
Split from ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to ip *
|
|
Block from ip 127.0.0.1 to ip *
|
|
Pass from ip 127.0.0.1 to ip *
|
|
Split from ip 127.0.0.1 to ip *
|
|
|
|
Match from ip 127.0.0.1 to ip 127.0.0.1
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1
|
|
Split from ip 127.0.0.1 to ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
Split from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
|
|
Match from ip 127.0.0.1 to ip 127.0.0.1 port 9191
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9191
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9191
|
|
Split from ip 127.0.0.1 to ip 127.0.0.1 port 9191
|
|
|
|
# The most specific and the highest precedence action
|
|
Divert from ip 127.0.0.1 to ip 127.0.0.1 port 9191
|
|
}
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8192
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9192
|
|
Divert no
|
|
|
|
# Unrelated rules should not have any effect
|
|
Block from ip 127.0.0.0
|
|
Block from ip 127.0.0.2
|
|
Block from ip 127.0.0.1 to ip 127.0.0.0
|
|
Block from ip 127.0.0.1 to ip 127.0.0.2
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9191
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9193
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9191 log connect
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9193 log connect
|
|
|
|
# Lower precedence actions should not change filter action
|
|
# Less specific rules should not change filter action
|
|
Match *
|
|
Block *
|
|
Pass *
|
|
Split *
|
|
|
|
Match from *
|
|
Block from *
|
|
Pass from *
|
|
Split from *
|
|
|
|
Match from ip *
|
|
Block from ip *
|
|
Pass from ip *
|
|
Split from ip *
|
|
|
|
Match from ip 127.0.0.1
|
|
Block from ip 127.0.0.1
|
|
Pass from ip 127.0.0.1
|
|
Split from ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to ip *
|
|
Block from ip 127.0.0.1 to ip *
|
|
Pass from ip 127.0.0.1 to ip *
|
|
Split from ip 127.0.0.1 to ip *
|
|
|
|
Match from ip 127.0.0.1 to ip 127.0.0.1
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1
|
|
Split from ip 127.0.0.1 to ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
Split from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
|
|
Match from ip 127.0.0.1 to ip 127.0.0.1 port 9192
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9192
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9192
|
|
Split from ip 127.0.0.1 to ip 127.0.0.1 port 9192
|
|
|
|
# The most specific and the highest precedence action
|
|
Divert from ip 127.0.0.1 to ip 127.0.0.1 port 9192
|
|
}
|
|
|
|
# Tests for Split filtering rules
|
|
ProxySpec {
|
|
Proto http
|
|
Addr 127.0.0.1
|
|
Port 8193
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9193
|
|
Divert yes
|
|
|
|
# Unrelated rules should not have any effect
|
|
Block from ip 127.0.0.0
|
|
Block from ip 127.0.0.2
|
|
Block from ip 127.0.0.1 to ip 127.0.0.0
|
|
Block from ip 127.0.0.1 to ip 127.0.0.2
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9192
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9194
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9192 log connect
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9194 log connect
|
|
|
|
# Lower precedence actions should not change filter action
|
|
# Less specific rules should not change filter action
|
|
Match *
|
|
Block *
|
|
Pass *
|
|
Divert *
|
|
|
|
Match from *
|
|
Block from *
|
|
Pass from *
|
|
Divert from *
|
|
|
|
Match from ip *
|
|
Block from ip *
|
|
Pass from ip *
|
|
Divert from ip *
|
|
|
|
Match from ip 127.0.0.1
|
|
Block from ip 127.0.0.1
|
|
Pass from ip 127.0.0.1
|
|
Divert from ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to ip *
|
|
Block from ip 127.0.0.1 to ip *
|
|
Pass from ip 127.0.0.1 to ip *
|
|
Divert from ip 127.0.0.1 to ip *
|
|
|
|
Match from ip 127.0.0.1 to ip 127.0.0.1
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1
|
|
Divert from ip 127.0.0.1 to ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
Divert from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
|
|
Match from ip 127.0.0.1 to ip 127.0.0.1 port 9193
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9193
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9193
|
|
# No Divert, because Divert's precedence is higher than Split's
|
|
|
|
# The most specific and the highest precedence action
|
|
Split from ip 127.0.0.1 to ip 127.0.0.1 port 9193
|
|
}
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8194
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9194
|
|
Divert yes
|
|
|
|
# Unrelated rules should not have any effect
|
|
Block from ip 127.0.0.0
|
|
Block from ip 127.0.0.2
|
|
Block from ip 127.0.0.1 to ip 127.0.0.0
|
|
Block from ip 127.0.0.1 to ip 127.0.0.2
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9193
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9195
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9193 log connect
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9195 log connect
|
|
|
|
# Lower precedence actions should not change filter action
|
|
# Less specific rules should not change filter action
|
|
Match *
|
|
Block *
|
|
Pass *
|
|
Divert *
|
|
|
|
Match from *
|
|
Block from *
|
|
Pass from *
|
|
Divert from *
|
|
|
|
Match from ip *
|
|
Block from ip *
|
|
Pass from ip *
|
|
Divert from ip *
|
|
|
|
Match from ip 127.0.0.1
|
|
Block from ip 127.0.0.1
|
|
Pass from ip 127.0.0.1
|
|
Divert from ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to ip *
|
|
Block from ip 127.0.0.1 to ip *
|
|
Pass from ip 127.0.0.1 to ip *
|
|
Divert from ip 127.0.0.1 to ip *
|
|
|
|
Match from ip 127.0.0.1 to ip 127.0.0.1
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1
|
|
Divert from ip 127.0.0.1 to ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
Divert from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
|
|
Match from ip 127.0.0.1 to ip 127.0.0.1 port 9194
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9194
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9194
|
|
# No Divert, because Divert's precedence is higher than Split's
|
|
|
|
# The most specific and the highest precedence action
|
|
Split from ip 127.0.0.1 to ip 127.0.0.1 port 9194
|
|
}
|
|
|
|
# Tests for Pass filtering rules
|
|
ProxySpec {
|
|
Proto http
|
|
Addr 127.0.0.1
|
|
Port 8195
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9195
|
|
Divert yes
|
|
|
|
# Unrelated rules should not have any effect
|
|
Block from ip 127.0.0.0
|
|
Block from ip 127.0.0.2
|
|
Block from ip 127.0.0.1 to ip 127.0.0.0
|
|
Block from ip 127.0.0.1 to ip 127.0.0.2
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9194
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9196
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9194 log connect
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9196 log connect
|
|
|
|
# Lower precedence actions should not change filter action
|
|
# Less specific rules should not change filter action
|
|
Match *
|
|
Block *
|
|
Split *
|
|
Divert *
|
|
|
|
Match from *
|
|
Block from *
|
|
Split from *
|
|
Divert from *
|
|
|
|
Match from ip *
|
|
Block from ip *
|
|
Split from ip *
|
|
Divert from ip *
|
|
|
|
Match from ip 127.0.0.1
|
|
Block from ip 127.0.0.1
|
|
Split from ip 127.0.0.1
|
|
Divert from ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to ip *
|
|
Block from ip 127.0.0.1 to ip *
|
|
Split from ip 127.0.0.1 to ip *
|
|
Divert from ip 127.0.0.1 to ip *
|
|
|
|
Match from ip 127.0.0.1 to ip 127.0.0.1
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1
|
|
Split from ip 127.0.0.1 to ip 127.0.0.1
|
|
Divert from ip 127.0.0.1 to ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
Split from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
Divert from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
|
|
Match from ip 127.0.0.1 to ip 127.0.0.1 port 9195
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9195
|
|
# No Divert or Split, because their precedence is higher than Pass's
|
|
|
|
# The most specific and the highest precedence action
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9195
|
|
}
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8196
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9196
|
|
Divert yes
|
|
|
|
# Unrelated rules should not have any effect
|
|
Block from ip 127.0.0.0
|
|
Block from ip 127.0.0.2
|
|
Block from ip 127.0.0.1 to ip 127.0.0.0
|
|
Block from ip 127.0.0.1 to ip 127.0.0.2
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9195
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9197
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9195 log connect
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9197 log connect
|
|
|
|
# Lower precedence actions should not change filter action
|
|
# Less specific rules should not change filter action
|
|
Match *
|
|
Block *
|
|
Split *
|
|
Divert *
|
|
|
|
Match from *
|
|
Block from *
|
|
Split from *
|
|
Divert from *
|
|
|
|
Match from ip *
|
|
Block from ip *
|
|
Split from ip *
|
|
Divert from ip *
|
|
|
|
Match from ip 127.0.0.1
|
|
Block from ip 127.0.0.1
|
|
Split from ip 127.0.0.1
|
|
Divert from ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to ip *
|
|
Block from ip 127.0.0.1 to ip *
|
|
Split from ip 127.0.0.1 to ip *
|
|
Divert from ip 127.0.0.1 to ip *
|
|
|
|
Match from ip 127.0.0.1 to ip 127.0.0.1
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1
|
|
Split from ip 127.0.0.1 to ip 127.0.0.1
|
|
Divert from ip 127.0.0.1 to ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
Split from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
Divert from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
|
|
Match from ip 127.0.0.1 to ip 127.0.0.1 port 9196
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9196
|
|
# No Divert or Split, because their precedence is higher than Pass's
|
|
|
|
# The most specific and the highest precedence action
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9196
|
|
}
|
|
|
|
# Tests for Block filtering rules
|
|
ProxySpec {
|
|
Proto http
|
|
Addr 127.0.0.1
|
|
Port 8197
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9197
|
|
Divert yes
|
|
|
|
# Unrelated rules should not have any effect
|
|
Pass from ip 127.0.0.0
|
|
Pass from ip 127.0.0.2
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.0
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.2
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9196
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9198
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9196 log connect
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9198 log connect
|
|
|
|
# Lower precedence actions should not change filter action
|
|
# Less specific rules should not change filter action
|
|
Match *
|
|
Pass *
|
|
Split *
|
|
Divert *
|
|
|
|
Match from *
|
|
Pass from *
|
|
Split from *
|
|
Divert from *
|
|
|
|
Match from ip *
|
|
Pass from ip *
|
|
Split from ip *
|
|
Divert from ip *
|
|
|
|
Match from ip 127.0.0.1
|
|
Pass from ip 127.0.0.1
|
|
Split from ip 127.0.0.1
|
|
Divert from ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to ip *
|
|
Pass from ip 127.0.0.1 to ip *
|
|
Split from ip 127.0.0.1 to ip *
|
|
Divert from ip 127.0.0.1 to ip *
|
|
|
|
Match from ip 127.0.0.1 to ip 127.0.0.1
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1
|
|
Split from ip 127.0.0.1 to ip 127.0.0.1
|
|
Divert from ip 127.0.0.1 to ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
Split from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
Divert from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
|
|
Match from ip 127.0.0.1 to ip 127.0.0.1 port 9197
|
|
# No Divert, Split, or Pass, because their precedence is higher than Block's
|
|
|
|
# The most specific and the highest precedence action
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9197
|
|
}
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8198
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9198
|
|
Divert yes
|
|
|
|
# Unrelated rules should not have any effect
|
|
Pass from ip 127.0.0.0
|
|
Pass from ip 127.0.0.2
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.0
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.2
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9197
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9199
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9197 log connect
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1 port 9199 log connect
|
|
|
|
# Lower precedence actions should not change filter action
|
|
# Less specific rules should not change filter action
|
|
Match *
|
|
Pass *
|
|
Split *
|
|
Divert *
|
|
|
|
Match from *
|
|
Pass from *
|
|
Split from *
|
|
Divert from *
|
|
|
|
Match from ip *
|
|
Pass from ip *
|
|
Split from ip *
|
|
Divert from ip *
|
|
|
|
Match from ip 127.0.0.1
|
|
Pass from ip 127.0.0.1
|
|
Split from ip 127.0.0.1
|
|
Divert from ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to ip *
|
|
Pass from ip 127.0.0.1 to ip *
|
|
Split from ip 127.0.0.1 to ip *
|
|
Divert from ip 127.0.0.1 to ip *
|
|
|
|
Match from ip 127.0.0.1 to ip 127.0.0.1
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1
|
|
Split from ip 127.0.0.1 to ip 127.0.0.1
|
|
Divert from ip 127.0.0.1 to ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
Split from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
Divert from ip 127.0.0.1 to ip 127.0.0.1 port *
|
|
|
|
Match from ip 127.0.0.1 to ip 127.0.0.1 port 9198
|
|
# No Divert, Split, or Pass, because their precedence is higher than Block's
|
|
|
|
# The most specific and the highest precedence action
|
|
Block from ip 127.0.0.1 to ip 127.0.0.1 port 9198
|
|
}
|
|
|
|
# Tests for SNI filtering rules
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8200
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9200
|
|
Divert no
|
|
|
|
# Unrelated rules should not have any effect
|
|
Block from ip 127.0.0.0
|
|
Block from ip 127.0.0.2
|
|
Block from ip 127.0.0.1 to ip 127.0.0.0
|
|
Block from ip 127.0.0.1 to ip 127.0.0.2
|
|
Block from ip 127.0.0.1 to sni comixwall.org port 9199
|
|
Block from ip 127.0.0.1 to sni comixwall.org port 9201
|
|
Block from ip 127.0.0.1 to sni comixwall.org port 9199 log connect
|
|
Block from ip 127.0.0.1 to sni comixwall.org port 9201 log connect
|
|
|
|
# Lower precedence actions should not change filter action
|
|
# Less specific rules should not change filter action
|
|
Match *
|
|
Block *
|
|
Pass *
|
|
Split *
|
|
|
|
Match from *
|
|
Block from *
|
|
Pass from *
|
|
Split from *
|
|
|
|
Match from ip *
|
|
Block from ip *
|
|
Pass from ip *
|
|
Split from ip *
|
|
|
|
Match from ip 127.0.0.1
|
|
Block from ip 127.0.0.1
|
|
Pass from ip 127.0.0.1
|
|
Split from ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to ip *
|
|
Block from ip 127.0.0.1 to ip *
|
|
Pass from ip 127.0.0.1 to ip *
|
|
Split from ip 127.0.0.1 to ip *
|
|
|
|
Match from ip 127.0.0.1 to sni comixwall.org
|
|
Block from ip 127.0.0.1 to sni comixwall.org
|
|
Pass from ip 127.0.0.1 to sni comixwall.org
|
|
Split from ip 127.0.0.1 to sni comixwall.org
|
|
|
|
Match from ip 127.0.0.1 to sni comixwall.org port *
|
|
Block from ip 127.0.0.1 to sni comixwall.org port *
|
|
Pass from ip 127.0.0.1 to sni comixwall.org port *
|
|
Split from ip 127.0.0.1 to sni comixwall.org port *
|
|
|
|
Match from ip 127.0.0.1 to sni comixwall.org port 9200
|
|
Block from ip 127.0.0.1 to sni comixwall.org port 9200
|
|
Pass from ip 127.0.0.1 to sni comixwall.org port 9200
|
|
Split from ip 127.0.0.1 to sni comixwall.org port 9200
|
|
|
|
# The most specific and the highest precedence action
|
|
Divert from ip 127.0.0.1 to sni comixwall.org port 9200
|
|
}
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8201
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9201
|
|
Divert no
|
|
|
|
# Unrelated rules should not have any effect
|
|
Block from ip 127.0.0.0
|
|
Block from ip 127.0.0.2
|
|
Block from ip 127.0.0.1 to ip 127.0.0.0
|
|
Block from ip 127.0.0.1 to ip 127.0.0.2
|
|
Block from ip 127.0.0.1 to sni comixwall.org port 9200
|
|
Block from ip 127.0.0.1 to sni comixwall.org port 9202
|
|
Block from ip 127.0.0.1 to sni comixwall.org port 9200 log connect
|
|
Block from ip 127.0.0.1 to sni comixwall.org port 9202 log connect
|
|
|
|
# Lower precedence actions should not change filter action
|
|
# Less specific rules should not change filter action
|
|
Match *
|
|
Block *
|
|
Pass *
|
|
Split *
|
|
|
|
Match from *
|
|
Block from *
|
|
Pass from *
|
|
Split from *
|
|
|
|
Match from ip *
|
|
Block from ip *
|
|
Pass from ip *
|
|
Split from ip *
|
|
|
|
Match from ip 127.0.0.1
|
|
Block from ip 127.0.0.1
|
|
Pass from ip 127.0.0.1
|
|
Split from ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to ip *
|
|
Block from ip 127.0.0.1 to ip *
|
|
Pass from ip 127.0.0.1 to ip *
|
|
Split from ip 127.0.0.1 to ip *
|
|
|
|
Match from ip 127.0.0.1 to sni comixwall.org
|
|
Block from ip 127.0.0.1 to sni comixwall.org
|
|
Pass from ip 127.0.0.1 to sni comixwall.org
|
|
Split from ip 127.0.0.1 to sni comixwall.org
|
|
|
|
Match from ip 127.0.0.1 to sni comixwall.org port *
|
|
Block from ip 127.0.0.1 to sni comixwall.org port *
|
|
Pass from ip 127.0.0.1 to sni comixwall.org port *
|
|
Split from ip 127.0.0.1 to sni comixwall.org port *
|
|
|
|
Match from ip 127.0.0.1 to sni comixwall.org port 9201
|
|
Block from ip 127.0.0.1 to sni comixwall.org port 9201
|
|
Pass from ip 127.0.0.1 to sni comixwall.org port 9201
|
|
Split from ip 127.0.0.1 to sni comixwall.org port 9201
|
|
|
|
# The most specific and the highest precedence action
|
|
Divert from ip 127.0.0.1 to sni comixwall.org port 9201
|
|
}
|
|
|
|
# Tests for Common Names filtering rules
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8202
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9202
|
|
Divert yes
|
|
|
|
# Unrelated rules should not have any effect
|
|
Block from ip 127.0.0.0
|
|
Block from ip 127.0.0.2
|
|
Block from ip 127.0.0.1 to ip 127.0.0.0
|
|
Block from ip 127.0.0.1 to ip 127.0.0.2
|
|
Block from ip 127.0.0.1 to cn comixwall.org port 9201
|
|
Block from ip 127.0.0.1 to cn comixwall.org port 9203
|
|
Block from ip 127.0.0.1 to cn comixwall.org port 9201 log connect
|
|
Block from ip 127.0.0.1 to cn comixwall.org port 9203 log connect
|
|
|
|
# Lower precedence actions should not change filter action
|
|
# Less specific rules should not change filter action
|
|
Match *
|
|
Block *
|
|
Pass *
|
|
Split *
|
|
|
|
Match from *
|
|
Block from *
|
|
Pass from *
|
|
Split from *
|
|
|
|
Match from ip *
|
|
Block from ip *
|
|
Pass from ip *
|
|
Split from ip *
|
|
|
|
Match from ip 127.0.0.1
|
|
Block from ip 127.0.0.1
|
|
Pass from ip 127.0.0.1
|
|
Split from ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to cn *
|
|
Block from ip 127.0.0.1 to cn *
|
|
Pass from ip 127.0.0.1 to cn *
|
|
Split from ip 127.0.0.1 to cn *
|
|
|
|
Match from ip 127.0.0.1 to cn comixwall.org
|
|
Block from ip 127.0.0.1 to cn comixwall.org
|
|
Pass from ip 127.0.0.1 to cn comixwall.org
|
|
Split from ip 127.0.0.1 to cn comixwall.org
|
|
|
|
Match from ip 127.0.0.1 to cn comixwall.org port *
|
|
Block from ip 127.0.0.1 to cn comixwall.org port *
|
|
Pass from ip 127.0.0.1 to cn comixwall.org port *
|
|
Split from ip 127.0.0.1 to cn comixwall.org port *
|
|
|
|
Match from ip 127.0.0.1 to cn comixwall.org port 9202
|
|
Block from ip 127.0.0.1 to cn comixwall.org port 9202
|
|
|
|
# The most specific and the highest precedence action
|
|
# log action increases precedence, but cannot override filter action,
|
|
# so no Split or Divert filter actions, with or without log action
|
|
Pass from ip 127.0.0.1 to cn comixwall.org port 9202 log connect
|
|
}
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8203
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9203
|
|
Divert yes
|
|
|
|
# Unrelated rules should not have any effect
|
|
Block from ip 127.0.0.0
|
|
Block from ip 127.0.0.2
|
|
Block from ip 127.0.0.1 to ip 127.0.0.0
|
|
Block from ip 127.0.0.1 to ip 127.0.0.2
|
|
Block from ip 127.0.0.1 to cn comixwall.org port 9202
|
|
Block from ip 127.0.0.1 to cn comixwall.org port 9204
|
|
Block from ip 127.0.0.1 to cn comixwall.org port 9202 log connect
|
|
Block from ip 127.0.0.1 to cn comixwall.org port 9204 log connect
|
|
|
|
# Lower precedence actions should not change filter action
|
|
# Less specific rules should not change filter action
|
|
Match *
|
|
Block *
|
|
Pass *
|
|
Split *
|
|
|
|
Match from *
|
|
Block from *
|
|
Pass from *
|
|
Split from *
|
|
|
|
Match from ip *
|
|
Block from ip *
|
|
Pass from ip *
|
|
Split from ip *
|
|
|
|
Match from ip 127.0.0.1
|
|
Block from ip 127.0.0.1
|
|
Pass from ip 127.0.0.1
|
|
Split from ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to cn *
|
|
Block from ip 127.0.0.1 to cn *
|
|
Pass from ip 127.0.0.1 to cn *
|
|
Split from ip 127.0.0.1 to cn *
|
|
|
|
Match from ip 127.0.0.1 to cn comixwall.org
|
|
Block from ip 127.0.0.1 to cn comixwall.org
|
|
Pass from ip 127.0.0.1 to cn comixwall.org
|
|
Split from ip 127.0.0.1 to cn comixwall.org
|
|
|
|
Match from ip 127.0.0.1 to cn comixwall.org port *
|
|
Block from ip 127.0.0.1 to cn comixwall.org port *
|
|
Pass from ip 127.0.0.1 to cn comixwall.org port *
|
|
Split from ip 127.0.0.1 to cn comixwall.org port *
|
|
|
|
Match from ip 127.0.0.1 to cn comixwall.org port 9203
|
|
Block from ip 127.0.0.1 to cn comixwall.org port 9203
|
|
Pass from ip 127.0.0.1 to cn comixwall.org port 9203
|
|
Split from ip 127.0.0.1 to cn comixwall.org port 9203
|
|
# The second most specific rule, correct CN
|
|
Divert from ip 127.0.0.1 to cn comixwall.org port 9203
|
|
|
|
# The most specific and the highest precedence action, wrong CN
|
|
Pass from ip 127.0.0.1 to cn comixwall2.org port 9203 log connect
|
|
}
|
|
|
|
# Tests for Host filtering rules
|
|
ProxySpec {
|
|
Proto http
|
|
Addr 127.0.0.1
|
|
Port 8204
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9204
|
|
Divert yes
|
|
|
|
# Unrelated rules should not have any effect
|
|
Pass from ip 127.0.0.0
|
|
Pass from ip 127.0.0.2
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.0
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.2
|
|
Pass from ip 127.0.0.1 to host example.com port 8203
|
|
Pass from ip 127.0.0.1 to host example.com port 9205
|
|
Pass from ip 127.0.0.1 to host example.com port 8203 log connect
|
|
Pass from ip 127.0.0.1 to host example.com port 9205 log connect
|
|
|
|
# Lower precedence actions should not change filter action
|
|
# Less specific rules should not change filter action
|
|
Match *
|
|
Pass *
|
|
Split *
|
|
Divert *
|
|
|
|
Match from *
|
|
Pass from *
|
|
Split from *
|
|
Divert from *
|
|
|
|
Match from ip *
|
|
Pass from ip *
|
|
Split from ip *
|
|
Divert from ip *
|
|
|
|
Match from ip 127.0.0.1
|
|
Pass from ip 127.0.0.1
|
|
Split from ip 127.0.0.1
|
|
Divert from ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to host *
|
|
Pass from ip 127.0.0.1 to host *
|
|
Split from ip 127.0.0.1 to host *
|
|
Divert from ip 127.0.0.1 to host *
|
|
|
|
Match from ip 127.0.0.1 to host example.com
|
|
Pass from ip 127.0.0.1 to host example.com
|
|
Split from ip 127.0.0.1 to host example.com
|
|
Divert from ip 127.0.0.1 to host example.com
|
|
|
|
Match from ip 127.0.0.1 to host example.com port *
|
|
Pass from ip 127.0.0.1 to host example.com port *
|
|
Split from ip 127.0.0.1 to host example.com port *
|
|
Divert from ip 127.0.0.1 to host example.com port *
|
|
|
|
Match from ip 127.0.0.1 to host example.com port 9204
|
|
# No Divert, Split, or Pass, because their precedence is higher than Block's
|
|
|
|
# The most specific and the highest precedence action
|
|
Block from ip 127.0.0.1 to host example.com port 9204
|
|
}
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8205
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9205
|
|
Divert yes
|
|
|
|
# Unrelated rules should not have any effect
|
|
Pass from ip 127.0.0.0
|
|
Pass from ip 127.0.0.2
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.0
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.2
|
|
Pass from ip 127.0.0.1 to host example.com port 8204
|
|
Pass from ip 127.0.0.1 to host example.com port 9206
|
|
Pass from ip 127.0.0.1 to host example.com port 8204 log connect
|
|
Pass from ip 127.0.0.1 to host example.com port 9206 log connect
|
|
|
|
# Lower precedence actions should not change filter action
|
|
# Less specific rules should not change filter action
|
|
Match *
|
|
Pass *
|
|
Split *
|
|
Divert *
|
|
|
|
Match from *
|
|
Pass from *
|
|
Split from *
|
|
Divert from *
|
|
|
|
Match from ip *
|
|
Pass from ip *
|
|
Split from ip *
|
|
Divert from ip *
|
|
|
|
Match from ip 127.0.0.1
|
|
Pass from ip 127.0.0.1
|
|
Split from ip 127.0.0.1
|
|
Divert from ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to host *
|
|
Pass from ip 127.0.0.1 to host *
|
|
Split from ip 127.0.0.1 to host *
|
|
Divert from ip 127.0.0.1 to host *
|
|
|
|
Match from ip 127.0.0.1 to host example.com
|
|
Pass from ip 127.0.0.1 to host example.com
|
|
Split from ip 127.0.0.1 to host example.com
|
|
Divert from ip 127.0.0.1 to host example.com
|
|
|
|
Match from ip 127.0.0.1 to host example.com port *
|
|
Pass from ip 127.0.0.1 to host example.com port *
|
|
Split from ip 127.0.0.1 to host example.com port *
|
|
Divert from ip 127.0.0.1 to host example.com port *
|
|
|
|
Match from ip 127.0.0.1 to host example.com port 9205
|
|
# No Divert, Split, or Pass, because their precedence is higher than Block's
|
|
|
|
# The most specific and the highest precedence action
|
|
Block from ip 127.0.0.1 to host example.com port 9205
|
|
}
|
|
ProxySpec {
|
|
Proto http
|
|
Addr 127.0.0.1
|
|
Port 8206
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9206
|
|
Divert yes
|
|
|
|
# Unrelated rules should not have any effect
|
|
Pass from ip 127.0.0.0
|
|
Pass from ip 127.0.0.2
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.0
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.2
|
|
Pass from ip 127.0.0.1 to host example.com port 8205
|
|
Pass from ip 127.0.0.1 to host example.com port 9207
|
|
Pass from ip 127.0.0.1 to host example.com port 8205 log connect
|
|
Pass from ip 127.0.0.1 to host example.com port 9207 log connect
|
|
|
|
# Lower precedence actions should not change filter action
|
|
# Less specific rules should not change filter action
|
|
Match *
|
|
Pass *
|
|
Split *
|
|
Divert *
|
|
|
|
Match from *
|
|
Pass from *
|
|
Split from *
|
|
Divert from *
|
|
|
|
Match from ip *
|
|
Pass from ip *
|
|
Split from ip *
|
|
Divert from ip *
|
|
|
|
Match from ip 127.0.0.1
|
|
Pass from ip 127.0.0.1
|
|
Split from ip 127.0.0.1
|
|
Divert from ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to host *
|
|
Pass from ip 127.0.0.1 to host *
|
|
Split from ip 127.0.0.1 to host *
|
|
Divert from ip 127.0.0.1 to host *
|
|
|
|
Match from ip 127.0.0.1 to host example.com
|
|
Pass from ip 127.0.0.1 to host example.com
|
|
Split from ip 127.0.0.1 to host example.com
|
|
Divert from ip 127.0.0.1 to host example.com
|
|
|
|
Match from ip 127.0.0.1 to host example.com port *
|
|
Pass from ip 127.0.0.1 to host example.com port *
|
|
Split from ip 127.0.0.1 to host example.com port *
|
|
Divert from ip 127.0.0.1 to host example.com port *
|
|
|
|
Match from ip 127.0.0.1 to host example.com port 9206
|
|
# No Divert, Split, or Pass, because their precedence is higher than Block's
|
|
|
|
# The most specific and the highest precedence action
|
|
Block from ip 127.0.0.1 to host example.com port 9206
|
|
}
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8207
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9207
|
|
Divert yes
|
|
|
|
# Unrelated rules should not have any effect
|
|
Pass from ip 127.0.0.0
|
|
Pass from ip 127.0.0.2
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.0
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.2
|
|
Pass from ip 127.0.0.1 to host example.com port 8206
|
|
Pass from ip 127.0.0.1 to host example.com port 9208
|
|
Pass from ip 127.0.0.1 to host example.com port 8206 log connect
|
|
Pass from ip 127.0.0.1 to host example.com port 9208 log connect
|
|
|
|
# Lower precedence actions should not change filter action
|
|
# Less specific rules should not change filter action
|
|
Match *
|
|
Pass *
|
|
Split *
|
|
Divert *
|
|
|
|
Match from *
|
|
Pass from *
|
|
Split from *
|
|
Divert from *
|
|
|
|
Match from ip *
|
|
Pass from ip *
|
|
Split from ip *
|
|
Divert from ip *
|
|
|
|
Match from ip 127.0.0.1
|
|
Pass from ip 127.0.0.1
|
|
Split from ip 127.0.0.1
|
|
Divert from ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to host *
|
|
Pass from ip 127.0.0.1 to host *
|
|
Split from ip 127.0.0.1 to host *
|
|
Divert from ip 127.0.0.1 to host *
|
|
|
|
Match from ip 127.0.0.1 to host example.com
|
|
Pass from ip 127.0.0.1 to host example.com
|
|
Split from ip 127.0.0.1 to host example.com
|
|
Divert from ip 127.0.0.1 to host example.com
|
|
|
|
Match from ip 127.0.0.1 to host example.com port *
|
|
Pass from ip 127.0.0.1 to host example.com port *
|
|
Split from ip 127.0.0.1 to host example.com port *
|
|
Divert from ip 127.0.0.1 to host example.com port *
|
|
|
|
Match from ip 127.0.0.1 to host example.com port 9207
|
|
# No Divert, Split, or Pass, because their precedence is higher than Block's
|
|
|
|
# The most specific and the highest precedence action
|
|
Block from ip 127.0.0.1 to host example.com port 9207
|
|
}
|
|
|
|
# Tests for URI filtering rules
|
|
ProxySpec {
|
|
Proto http
|
|
Addr 127.0.0.1
|
|
Port 8208
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9208
|
|
Divert yes
|
|
|
|
# Unrelated rules should not have any effect
|
|
Pass from ip 127.0.0.0
|
|
Pass from ip 127.0.0.2
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.0
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.2
|
|
Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 8207
|
|
Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9209
|
|
Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 8207 log connect
|
|
Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9209 log connect
|
|
|
|
# Lower precedence actions should not change filter action
|
|
# Less specific rules should not change filter action
|
|
Match *
|
|
Pass *
|
|
Split *
|
|
Divert *
|
|
|
|
Match from *
|
|
Pass from *
|
|
Split from *
|
|
Divert from *
|
|
|
|
Match from ip *
|
|
Pass from ip *
|
|
Split from ip *
|
|
Divert from ip *
|
|
|
|
Match from ip 127.0.0.1
|
|
Pass from ip 127.0.0.1
|
|
Split from ip 127.0.0.1
|
|
Divert from ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to uri *
|
|
Pass from ip 127.0.0.1 to uri *
|
|
Split from ip 127.0.0.1 to uri *
|
|
Divert from ip 127.0.0.1 to uri *
|
|
|
|
Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php
|
|
Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php
|
|
Split from ip 127.0.0.1 to uri /utmfw/View/system/index.php
|
|
Divert from ip 127.0.0.1 to uri /utmfw/View/system/index.php
|
|
|
|
Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
|
|
Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
|
|
Split from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
|
|
Divert from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
|
|
|
|
Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9208
|
|
# No Divert, Split, or Pass, because their precedence is higher than Block's
|
|
|
|
# The most specific and the highest precedence action
|
|
Block from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9208
|
|
}
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8209
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9209
|
|
Divert yes
|
|
|
|
# Unrelated rules should not have any effect
|
|
Pass from ip 127.0.0.0
|
|
Pass from ip 127.0.0.2
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.0
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.2
|
|
Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 8208
|
|
Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9210
|
|
Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 8208 log connect
|
|
Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9210 log connect
|
|
|
|
# Lower precedence actions should not change filter action
|
|
# Less specific rules should not change filter action
|
|
Match *
|
|
Pass *
|
|
Split *
|
|
Divert *
|
|
|
|
Match from *
|
|
Pass from *
|
|
Split from *
|
|
Divert from *
|
|
|
|
Match from ip *
|
|
Pass from ip *
|
|
Split from ip *
|
|
Divert from ip *
|
|
|
|
Match from ip 127.0.0.1
|
|
Pass from ip 127.0.0.1
|
|
Split from ip 127.0.0.1
|
|
Divert from ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to uri *
|
|
Pass from ip 127.0.0.1 to uri *
|
|
Split from ip 127.0.0.1 to uri *
|
|
Divert from ip 127.0.0.1 to uri *
|
|
|
|
Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php
|
|
Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php
|
|
Split from ip 127.0.0.1 to uri /utmfw/View/system/index.php
|
|
Divert from ip 127.0.0.1 to uri /utmfw/View/system/index.php
|
|
|
|
Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
|
|
Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
|
|
Split from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
|
|
Divert from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
|
|
|
|
Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9209
|
|
# No Divert, Split, or Pass, because their precedence is higher than Block's
|
|
|
|
# The most specific and the highest precedence action
|
|
Block from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9209
|
|
}
|
|
ProxySpec {
|
|
Proto http
|
|
Addr 127.0.0.1
|
|
Port 8210
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9210
|
|
Divert yes
|
|
|
|
# Unrelated rules should not have any effect
|
|
Pass from ip 127.0.0.0
|
|
Pass from ip 127.0.0.2
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.0
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.2
|
|
Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 8209
|
|
Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9211
|
|
Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 8209 log connect
|
|
Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9211 log connect
|
|
|
|
# Lower precedence actions should not change filter action
|
|
# Less specific rules should not change filter action
|
|
Match *
|
|
Pass *
|
|
Split *
|
|
Divert *
|
|
|
|
Match from *
|
|
Pass from *
|
|
Split from *
|
|
Divert from *
|
|
|
|
Match from ip *
|
|
Pass from ip *
|
|
Split from ip *
|
|
Divert from ip *
|
|
|
|
Match from ip 127.0.0.1
|
|
Pass from ip 127.0.0.1
|
|
Split from ip 127.0.0.1
|
|
Divert from ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to uri *
|
|
Pass from ip 127.0.0.1 to uri *
|
|
Split from ip 127.0.0.1 to uri *
|
|
Divert from ip 127.0.0.1 to uri *
|
|
|
|
Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php
|
|
Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php
|
|
Split from ip 127.0.0.1 to uri /utmfw/View/system/index.php
|
|
Divert from ip 127.0.0.1 to uri /utmfw/View/system/index.php
|
|
|
|
Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
|
|
Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
|
|
Split from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
|
|
Divert from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
|
|
|
|
Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9210
|
|
# No Divert, Split, or Pass, because their precedence is higher than Block's
|
|
|
|
# The most specific and the highest precedence action
|
|
Block from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9210
|
|
}
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8211
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9211
|
|
Divert yes
|
|
|
|
# Unrelated rules should not have any effect
|
|
Pass from ip 127.0.0.0
|
|
Pass from ip 127.0.0.2
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.0
|
|
Pass from ip 127.0.0.1 to ip 127.0.0.2
|
|
Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 8210
|
|
Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9212
|
|
Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 8210 log connect
|
|
Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9212 log connect
|
|
|
|
# Lower precedence actions should not change filter action
|
|
# Less specific rules should not change filter action
|
|
Match *
|
|
Pass *
|
|
Split *
|
|
Divert *
|
|
|
|
Match from *
|
|
Pass from *
|
|
Split from *
|
|
Divert from *
|
|
|
|
Match from ip *
|
|
Pass from ip *
|
|
Split from ip *
|
|
Divert from ip *
|
|
|
|
Match from ip 127.0.0.1
|
|
Pass from ip 127.0.0.1
|
|
Split from ip 127.0.0.1
|
|
Divert from ip 127.0.0.1
|
|
|
|
Match from ip 127.0.0.1 to uri *
|
|
Pass from ip 127.0.0.1 to uri *
|
|
Split from ip 127.0.0.1 to uri *
|
|
Divert from ip 127.0.0.1 to uri *
|
|
|
|
Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php
|
|
Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php
|
|
Split from ip 127.0.0.1 to uri /utmfw/View/system/index.php
|
|
Divert from ip 127.0.0.1 to uri /utmfw/View/system/index.php
|
|
|
|
Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
|
|
Pass from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
|
|
Split from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
|
|
Divert from ip 127.0.0.1 to uri /utmfw/View/system/index.php port *
|
|
|
|
Match from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9211
|
|
# No Divert, Split, or Pass, because their precedence is higher than Block's
|
|
|
|
# The most specific and the highest precedence action
|
|
Block from ip 127.0.0.1 to uri /utmfw/View/system/index.php port 9211
|
|
}
|
|
|
|
# Tests for structured filtering rules
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8212
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9212
|
|
Divert yes
|
|
|
|
# FilterRule below should override these options
|
|
DenyOCSP no
|
|
Passthrough yes
|
|
CACert ca2.crt
|
|
CAKey ca2.key
|
|
#ClientCert /etc/sslproxy/client.crt
|
|
#ClientKey /etc/sslproxy/client.key
|
|
#CAChain /etc/sslproxy/chain.crt
|
|
#LeafCRLURL http://example.com/example.crl
|
|
#DHGroupParams /etc/sslproxy/dh.pem
|
|
#ECDHCurve prime256v1
|
|
SSLCompression yes
|
|
ForceSSLProto tls12
|
|
DisableSSLProto tls13
|
|
MinSSLProto tls11
|
|
MaxSSLProto tls12
|
|
Ciphers LOW
|
|
CipherSuites TLS_AES_128_CCM_SHA256
|
|
RemoveHTTPAcceptEncoding no
|
|
RemoveHTTPReferer no
|
|
VerifyPeer yes
|
|
AllowWrongHost yes
|
|
UserAuth yes
|
|
#UserTimeout 300
|
|
#UserAuthURL https://192.168.0.1/userdblogin.php
|
|
ValidateProto no
|
|
MaxHTTPHeaderSize 2048
|
|
|
|
FilterRule {
|
|
Action Match
|
|
SrcIp 127.0.0.1
|
|
DstIp 127.0.0.1
|
|
DstPort 9212
|
|
Log connect
|
|
|
|
DenyOCSP yes
|
|
Passthrough no
|
|
CACert ca.crt
|
|
CAKey ca.key
|
|
#ClientCert /etc/sslproxy/client.crt
|
|
#ClientKey /etc/sslproxy/client.key
|
|
#CAChain /etc/sslproxy/chain.crt
|
|
#LeafCRLURL http://example.com/example.crl
|
|
#DHGroupParams /etc/sslproxy/dh.pem
|
|
ECDHCurve prime256v1
|
|
SSLCompression no
|
|
ForceSSLProto tls13
|
|
EnableSSLProto tls13
|
|
MinSSLProto tls10
|
|
MaxSSLProto tls13
|
|
Ciphers MEDIUM:HIGH
|
|
CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
|
|
RemoveHTTPAcceptEncoding yes
|
|
RemoveHTTPReferer yes
|
|
VerifyPeer no
|
|
AllowWrongHost no
|
|
UserAuth no
|
|
#UserTimeout 300
|
|
#UserAuthURL https://192.168.0.1/userdblogin.php
|
|
ValidateProto yes
|
|
MaxHTTPHeaderSize 8192
|
|
}
|
|
}
|
|
ProxySpec {
|
|
Proto https
|
|
Addr 127.0.0.1
|
|
Port 8213
|
|
DivertPort 8080
|
|
TargetAddr 127.0.0.1
|
|
TargetPort 9213
|
|
Divert yes
|
|
|
|
# FilterRule below should override these options
|
|
DenyOCSP no
|
|
Passthrough yes
|
|
CACert ca2.crt
|
|
CAKey ca2.key
|
|
#ClientCert /etc/sslproxy/client.crt
|
|
#ClientKey /etc/sslproxy/client.key
|
|
#CAChain /etc/sslproxy/chain.crt
|
|
#LeafCRLURL http://example.com/example.crl
|
|
#DHGroupParams /etc/sslproxy/dh.pem
|
|
#ECDHCurve prime256v1
|
|
SSLCompression yes
|
|
ForceSSLProto tls12
|
|
DisableSSLProto tls13
|
|
MinSSLProto tls11
|
|
MaxSSLProto tls12
|
|
Ciphers MEDIUM:HIGH
|
|
CipherSuites TLS_AES_128_CCM_SHA256
|
|
RemoveHTTPAcceptEncoding no
|
|
RemoveHTTPReferer no
|
|
#VerifyPeer yes
|
|
AllowWrongHost yes
|
|
#UserAuth yes
|
|
#UserTimeout 300
|
|
#UserAuthURL https://192.168.0.1/userdblogin.php
|
|
ValidateProto no
|
|
MaxHTTPHeaderSize 2048
|
|
|
|
FilterRule {
|
|
Action Match
|
|
SrcIp 127.0.0.1
|
|
CN comixwall.org
|
|
DstPort 9213
|
|
Log connect
|
|
|
|
# Reconnect srvdst to apply the SSL config in this rule
|
|
ReconnectSSL yes
|
|
|
|
DenyOCSP yes
|
|
Passthrough no
|
|
CACert ca.crt
|
|
CAKey ca.key
|
|
#ClientCert /etc/sslproxy/client.crt
|
|
#ClientKey /etc/sslproxy/client.key
|
|
#CAChain /etc/sslproxy/chain.crt
|
|
#LeafCRLURL http://example.com/example.crl
|
|
#DHGroupParams /etc/sslproxy/dh.pem
|
|
ECDHCurve prime256v1
|
|
SSLCompression no
|
|
ForceSSLProto tls13
|
|
EnableSSLProto tls13
|
|
MinSSLProto tls10
|
|
MaxSSLProto tls13
|
|
Ciphers MEDIUM:HIGH
|
|
CipherSuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
|
|
RemoveHTTPAcceptEncoding yes
|
|
RemoveHTTPReferer yes
|
|
VerifyPeer no
|
|
AllowWrongHost no
|
|
UserAuth no
|
|
#UserTimeout 300
|
|
#UserAuthURL https://192.168.0.1/userdblogin.php
|
|
ValidateProto yes
|
|
MaxHTTPHeaderSize 8192
|
|
}
|
|
}
|
|
|
|
# Autossl tests for HTTP request headers: SSLproxy, Connection, Upgrade, Keep-Alive, Accept-Encoding, Via, X-Forwarded-For, and Referer
|
|
ProxySpec autossl 127.0.0.1 8214 up:8080 127.0.0.1 9214
|
|
ProxySpec autossl 127.0.0.1 8215 127.0.0.1 9215
|