
FreeBSD Manual Pages

sslproxy.conf(5)		   SSLproxy		      sslproxy.conf(5)

NAME
       sslproxy.conf - Configuration file for SSLproxy

DESCRIPTION
       The file	sslproxy.conf configures SSLproxy, sslproxy(1).

FILE FORMAT
       The  file  consists  of	comments and options with arguments. Each line
       which starts with a hash	(#) symbol is ignored by the  parser.  Options
       and arguments are of the	form Option Argument.

       Structured  proxyspecs  are  defined  between curly braces. The opening
       curly brace should be on	the same line as the  ProxySpec	 keyword.  The
       closing	curly  brace  and option-argument pairs	should be on a line of
       their own.

       The arguments are of the	following types:

       BOOL   Boolean value (yes/no).

       STRING String.

       NUMBER Unsigned integer.

DIRECTIVES
       When an option is not used (commented out with a hash or absent from
       the configuration file), sslproxy takes the default action. An option
       defined outside any structured proxyspec is used as a  global  default
       for  all  proxyspecs.  Options  that  have no command line equivalent
       can still be overridden on the command line with -o opt=val.

       CACert STRING
	      Use CA cert (and key) to sign forged  certs.  Equivalent	to  -c
	      command line option.

       CAKey STRING
	      Use  CA  key  (and  cert)	to sign	forged certs. Equivalent to -k
	      command line option.

       ClientCert STRING
	      Use cert from pemfile when destination  requests	client	certs.
	      Equivalent to -a command line option.

       ClientKey STRING
	      Use  key	from  pemfile  when destination	requests client	certs.
	      Equivalent to -b command line option.

       CAChain STRING
	      Use CA chain from	pemfile	 (intermediate	and  root  CA  certs).
	      Equivalent to -C command line option.

       LeafCerts STRING
	      Use  key	from  pemfile for leaf certs. Equivalent to -K command
	      line option.
	      Default: generate

       CRL STRING
	      Use URL as CRL distribution point	for all	forged certs.  Equiva-
	      lent to -q command line option.

       TargetCertDir STRING
	      Use  cert+chain+key  PEM	files from certdir to target all sites
	      matching the common names	(non-matching: generate	if CA).	Equiv-
	      alent to -t command line option.

       WriteGenCertsDir	STRING
	      Write leaf key and only generated	certificates to	gendir.	Equiv-
	      alent to -w command line option.

       WriteAllCertsDir	STRING
	      Write leaf key and all certificates to gendir. Equivalent	to  -W
	      command line option.

       DenyOCSP	BOOL
	      Deny  all	OCSP requests on all proxyspecs. Equivalent to -O com-
	      mand line	option.

       Passthrough BOOL
	      Passthrough SSL connections if they cannot be split  because  of
	      client cert auth or no matching cert and no CA. Equivalent to -P
	      command line option.
	      Default: drop

       PassSite STRING
              Pass  a  site  through  without  interception:  site [(client-
              addr|(user|*) [description keyword])]. If site matches the SNI
              sent  by  the  client  or  a  common  name in the server's SSL
              certificate, the connection is passed through the  proxy  un-
              split.  A  per  site  filter  can  restrict the passthrough to
              one client IP address, or to one user ('*' matches all users)
              optionally  combined  with  a  description  keyword. User  and
              description keyword filters only take effect when  UserAuth is
              enabled.  Description  keywords  are  matched case-insensitive-
              ly. Multiple sites are allowed, one on each line.
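       The following fragment is an added example, not part of the SSLproxy
       distribution, showing each PassSite form the grammar above permits.
       The host names, client address, user name and keyword are constructed,
       and the user db path is assumed to point at an existing, populated db;
       where user descriptions are stored is not stated on this page and is
       assumed to be the user db.

```conf
# Constructed example: PassSite filters (not from the SSLproxy distribution).
# User and keyword filters only take effect when UserAuth is enabled.
UserAuth   yes
UserDBPath /var/db/sslproxy/users.db

# 1. Site only: every client reaching this site is passed through unsplit.
PassSite bank.example.com

# 2. Site + client address: only this client is passed through to the site.
PassSite pinned.example.com 192.168.1.50

# 3. Site + user: only connections from the authenticated user "alice".
PassSite hr.example.com alice

# 4. Site + any user + description keyword (matched case-insensitively):
#    any authenticated user whose description contains "finance".
PassSite payroll.example.com * finance
```

       Every  matching  connection  bypasses  certificate forging and content
       inspection entirely, so keep the pass list  as  short  as  the  pinned
       or client-cert sites actually require.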

       DHGroupParams STRING
	      Use  DH group params from	pemfile. Equivalent to -g command line
	      option.
	      Default: keyfiles	or auto

       ECDHCurve STRING
	      Use ECDH named curve. Equivalent to -G command line option.
	      Default: prime256v1

       SSLCompression BOOL
	      Enable/disable SSL/TLS compression on all	 connections.  Equiva-
	      lent to -Z command line option.

       ForceSSLProto STRING
	      Force  SSL/TLS  protocol	version	only. Equivalent to -r command
	      line option.
	      Default: all

       DisableSSLProto STRING
	      Disable SSL/TLS protocol version.	Equivalent to -R command  line
	      option.
	      Default: none

       Ciphers STRING
	      Use  the	given OpenSSL cipher suite spec. Equivalent to -s com-
	      mand line	option.
	      Default: ALL:-aNULL

       LeafKeyRSABits NUMBER
              Leaf key RSA keysize in bits, use 1024|2048|3072|4096.  1024-bit
              RSA  keys are widely deprecated; use at least the default.
              Default: 2048
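       The following fragment is an added example, not shipped with SSLproxy,
       that places the weak default beside a tightened setting for the  TLS
       options  documented  above  (Ciphers,  ForceSSLProto, DisableSSLProto,
       SSLCompression, LeafKeyRSABits, ECDHCurve, VerifyPeer). The  protocol
       version  tokens  (tls10,  tls12) are assumed to follow the spelling of
       sslproxy(1)'s -r/-R options; check that page before copying them.

```conf
# Constructed example: hardened TLS settings (not from the SSLproxy distribution).

# Default is "ALL:-aNULL": every suite OpenSSL knows except anonymous ones,
# which, depending on the OpenSSL build, still admits RC4, 3DES and MD5-based
# suites on both the forged and the upstream side.
# Ciphers ALL:-aNULL
Ciphers HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES

# Default permits every protocol version ("all"). Disabling a single legacy
# version is the less restrictive choice and keeps TLS 1.2 and newer usable;
# ForceSSLProto pins exactly one version and would also exclude TLS 1.3.
# ForceSSLProto all
DisableSSLProto tls10
# ForceSSLProto tls12    # only if every peer is known to speak TLS 1.2

# TLS compression enables CRIME-style plaintext recovery; keep it off.
SSLCompression no

# 2048 is the default and the practical minimum; 1024 is deprecated.
LeafKeyRSABits 2048
ECDHCurve prime256v1

# Verify upstream server certificates against the default trust store.
VerifyPeer yes
```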

       OpenSSLEngine STRING
	      The OpenSSL engine to activate.  Equivalent to -x	 command  line
	      option.

       NATEngine STRING
	      Specify default NAT engine to use. Equivalent to -e command line
	      option.

       User STRING
	      Drop privileges to user. Equivalent to -u	command	line option.
	      Default: nobody, if run as root

       Group STRING
	      Drop privileges to group.	Equivalent to -m command line option.
	      Default: Primary group of	user

       Chroot STRING
	      chroot() to jaildir (impacts sni proxyspecs,  see	 sslproxy(1)).
	      Equivalent to -j command line option.

       PidFile STRING
	      Write pid	to file. Equivalent to -p command line option.

       ConnectLog STRING
	      Connect  log:  log  one  line summary per	connection to logfile.
	      Equivalent to -l command line option.

       ContentLog STRING
	      Content log: full	data to	file or	named pipe (excludes  Content-
	      LogDir/ContentLogPathSpec).  Equivalent  to  -L command line op-
	      tion.

       ContentLogDir STRING
	      Content log: full	data to	separate files in dir  (excludes  Con-
	      tentLog/ContentLogPathSpec).  Equivalent	to -S command line op-
	      tion.

       ContentLogPathSpec STRING
	      Content log: full	data to	sep files with % subst (excludes  Con-
	      tentLog/ContentLogDir). Equivalent to -F command line option.

       LogProcInfo BOOL
	      Look up local process owning each	connection for logging.	Equiv-
	      alent to -i command line option.

       PcapLog STRING
	      Pcap log:	packets	to pcapfile (excludes  PcapLogDir/PcapLogPath-
	      Spec). Equivalent	to -X command line option.

       PcapLogDir STRING
	      Pcap   log:   packets   to   separate  files  in	dir  (excludes
	      PcapLog/PcapLogPathSpec).	Equivalent to -Y command line option.

       PcapLogPathSpec STRING
	      Pcap  log:  packets  to  sep  files  with	 %   subst   (excludes
	      PcapLog/PcapLogDir). Equivalent to -y command line option.

       MirrorIf	STRING
	      Mirror  packets  to interface. Equivalent	to -I command line op-
	      tion.

       MirrorTarget STRING
	      Mirror packets to	target address (used with  MirrorIf).  Equiva-
	      lent to -T command line option.

       MasterKeyLog STRING
	      Log  master  keys	to logfile in SSLKEYLOGFILE format. Equivalent
	      to -M command line option.

       Daemon BOOL
	      Daemon mode: run in background, log error	 messages  to  syslog.
	      Equivalent to -d command line option.

       Debug BOOL
	      Debug  mode:  run	 in  foreground, log debug messages on stderr.
	      Equivalent to -D command line option.

       DebugLevel NUMBER
	      Verbose debug level, 2-4.

       ConnIdleTimeout NUMBER
	      Close connections	after this many	seconds	of idle	time.
	      Default: 120

       ExpiredConnCheckPeriod NUMBER
	      Check for	expired	connections every this many seconds.
	      Default: 10.

       SSLShutdownRetryDelay NUMBER
              Retry  to  shut  ssl conns down after this many microseconds.
              Increasing this delay may avoid dirty shutdowns on slow  con-
              nections,  but  increases resource usage, such as file descrip-
              tors and memory.
              Default: 100

       LogStats	BOOL
	      Log statistics to	syslog.	Equivalent to -J command line option.
	      Default: yes

       StatsPeriod NUMBER
	      Log statistics every this	many ExpiredConnCheckPeriod periods.
	      Default: 1

       RemoveHTTPAcceptEncoding	BOOL
	      Remove HTTP header line for Accept-Encoding.
	      Default: yes

       RemoveHTTPReferer BOOL
	      Remove HTTP header line for Referer.
	      Default: yes

       VerifyPeer BOOL
	      Verify peer using	default	certificates.
	      Default: yes

       AllowWrongHost BOOL
              When set to no, the SNI sent by the client is  never  added  to
              forged  certificates,  even  if  it does not match the CN/SAN of
              the server certificate; this helps pass the  wrong.host  test
              at  https://badssl.com.  When  set  to yes, the client-supplied
              SNI is added to the forged certificate regardless.
              Default: no

       UserAuth	BOOL
	      Require authentication for users to use SSLproxy.
	      Default: no

       UserDBPath STRING
	      Path to user db file.

       UserTimeout NUMBER
	      Time users out after this	many seconds of	idle time.
	      Default: 300.

       UserAuthURL STRING
	      Redirect URL for users to	log in to the system.

       ValidateProto BOOL
	      Validate proxy spec protocols.
	      Default: no

       MaxHTTPHeaderSize NUMBER
	      Max HTTP header size in bytes for	protocol validation.
	      Default: 8192.

       OpenFilesLimit NUMBER
	      Set open files limit, use	50-10000.
	      Default: System-wide limit.

       ProxySpec STRING
              One  line  proxy  specification:  type  listenaddr+port up:port
              ua:addr ra:addr. All other options of a one line proxyspec take
              the  global  default  values.  Multiple specs are allowed, one
              on each line.

       ProxySpec {
	      Proto
	      Addr
	      Port
	      DivertAddr
	      DivertPort
	      ReturnAddr
	      NatEngine
	      SNIPort
	      TargetAddr
	      TargetPort
	      DenyOCSP
	      Passthrough
	      CACert
	      CAKey
	      ClientCert
	      ClientKey
	      CAChain
	      DHGroupParams
	      ECDHCurve
	      SSLCompression
	      ForceSSLProto
	      DisableSSLProto
	      Ciphers
	      RemoveHTTPAcceptEncoding
	      RemoveHTTPReferer
	      VerifyPeer
	      UserAuth
	      UserTimeout
	      UserAuthURL
	      ValidateProto
	      PassSite
	      }
              Structured proxy specifications may consist  of  the  options
              listed  above.  Proto, Addr, Port, and DivertPort are mandatory
              and correspond to the type, listenaddr, port, and up fields  of
              a  one  line proxyspec, respectively. Any option not specified
              takes the global default value.
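       The  following complete file is an added example, not a file shipped
       with SSLproxy, illustrating both the FILE FORMAT  rules  (comments,
       Option  Argument  pairs,  brace  placement) and the relation between
       one-line and structured proxyspecs described  here.  Paths,  addresses
       and  ports  are  constructed.  The  mapping  of DivertAddr to ua: and
       ReturnAddr to ra: is an assumption; the page only names the  mapping
       for Proto, Addr, Port and DivertPort.

```conf
# Constructed example of /etc/sslproxy/sslproxy.conf (not the shipped file).
# Lines starting with '#' are ignored; every other line is "Option Argument".

# Options set outside any ProxySpec block are global defaults for all specs.
CACert     /etc/sslproxy/ca.crt
CAKey      /etc/sslproxy/ca.key
User       nobody
PidFile    /var/run/sslproxy.pid
ConnectLog /var/log/sslproxy/connect.log
Passthrough no
DenyOCSP    yes
LogStats    yes

# One-line form: type listenaddr port up:port ua:addr ra:addr.
# Every other per-spec option takes the global defaults set above.
ProxySpec https 127.0.0.1 8443 up:8080 ua:127.0.0.1 ra:127.0.0.1

# Structured form. The opening brace must sit on the ProxySpec line; each
# option and the closing brace must be on a line of its own.
# Proto/Addr/Port/DivertPort are mandatory and correspond to
# type/listenaddr/port/up of the one-line form. DivertAddr and ReturnAddr are
# assumed to correspond to ua: and ra: (not stated on this page).
ProxySpec {
    Proto https
    Addr 127.0.0.1
    Port 8444
    DivertPort 8080
    DivertAddr 127.0.0.1
    ReturnAddr 127.0.0.1
    # Per-spec overrides of the global defaults above.
    Passthrough yes
    PassSite update.example.com
}

# Not accepted: the opening brace on its own line.
# ProxySpec
# {
#     Proto https
# }
```

       Any global option without a command line equivalent can still be over-
       ridden at start-up, e.g. -o ConnIdleTimeout=60, as described under DI-
       RECTIVES.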

FILES
       /etc/sslproxy/sslproxy.conf

AUTHOR
       The config file facility	was added by Soner Tari	<sonertari@gmail.com>.

SEE ALSO
       sslproxy(1)

v0.7.0				  22 Jul 2019		      sslproxy.conf(5)


Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=sslproxy.conf&sektion=5&manpath=FreeBSD+12.2-RELEASE+and+Ports>
