authorJohn Ankarström <john@ankarstrom.se>2020-10-30 01:00:10 +0100
committerJohn Ankarström <john@ankarstrom.se>2020-10-30 13:55:15 +0100
commit921ab162423f8b474962e7c31ca144daf954e08b (patch)
treed77597cde66d2bdb6bb82dc71aca94115e5d8c6b
First commitsslproxy
-rw-r--r--squid.conf55
-rw-r--r--stunnel.conf38
2 files changed, 93 insertions, 0 deletions
diff --git a/squid.conf b/squid.conf
new file mode 100644
index 0000000..35ffbe7
--- /dev/null
+++ b/squid.conf
@@ -0,0 +1,55 @@
+# WELCOME TO SQUID 3.5.23
+# ----------------------------
+#
+
+acl Safe_ports port 443 # https
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 # https
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+
+shutdown_lifetime 3 seconds
+
+# Deny requests to certain unsafe ports
+http_access deny !Safe_ports
+
+# Only allow cachemgr access from localhost
+#Enter your own subnet of course...
+acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
+acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
+http_access allow localnet
+http_access allow localhost manager
+http_access deny manager
+
+#http_access allow localnet
+http_access allow localhost
+
+# And finally deny all other access to this proxy
+http_access deny all
+
+# Squid normally listens to port 3128
+http_port 3128 ssl-bump cert=/etc/squid/ca.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
+
+sslcrtd_program /usr/lib/squid/security_file_certgen -s /var/lib/ssl_db -M 4MB
+
+acl step1 at_step SslBump1
+
+ssl_bump peek step1
+ssl_bump bump all
+
+# Leave coredumps in the first cache dir
+coredump_dir /var/cache/squid
+
+# Add any of your own refresh_pattern entries above these.
+#
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern . 0 20% 4320
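Review bot: The `http_access allow localnet` rule is evaluated before `http_access allow localhost manager` / `http_access deny manager`, and Squid stops at the first matching rule, so any client in 172.16.0.0/12 or 192.168.0.0/16 can reach the cache manager even though the comment above the block says only localhost should; move `http_access allow localnet` to just above `http_access allow localhost`, after `http_access deny manager` (the commented-out copy already sits there). The `acl CONNECT method CONNECT` line is never referenced and Safe_ports includes 1025-65535, so clients may open CONNECT tunnels to any high port; add `acl SSL_ports port 443` and `http_access deny CONNECT !SSL_ports` directly after `http_access deny !Safe_ports`, as the stock configuration does. The repeated `acl Safe_ports port 443` is harmless but can be dropped. Since `ssl_bump bump all` intercepts every TLS session, a comment noting that `/etc/squid/ca.pem` holds a signing CA key that must be kept readable only by the squid user would help the next maintainer.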
diff --git a/stunnel.conf b/stunnel.conf
new file mode 100644
index 0000000..306f27f
--- /dev/null
+++ b/stunnel.conf
@@ -0,0 +1,38 @@
+# Certificate/key is needed in server mode and optional in client mode
+cert = /etc/stunnel/stunnel.pem
+key = /etc/stunnel/stunnel.pem
+
+# Some security enhancements for UNIX systems - comment them out on Win32
+# chroot = /chroot/stunnel/
+setuid = stunnel
+setgid = stunnel
+# PID is created inside chroot jail
+pid = /run/stunnel/stunnel.pid
+
+# Some performance tunings
+socket = l:TCP_NODELAY=1
+socket = r:TCP_NODELAY=1
+#compression = rle
+
+# Workaround for Eudora bug
+options = DONT_INSERT_EMPTY_FRAGMENTS
+
+# Some debugging stuff useful for troubleshooting
+#debug = 7
+#output = stunnel.log
+
+# Use it for client mode
+client = yes
+
+# Service-level configuration
+
+[imap]
+accept = 143
+connect = IMAP.EXAMPLE.ORG:IMAP_PORT
+
+[smtp]
+accept = 25
+connect = SMTP.EXAMPLE.ORG:SMTP_PORT
+protocol = smtp
+protocolUsername = SMTP_USERNAME
+protocolPassword = SMTP_PASSWORD
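Review bot: The `[imap]` and `[smtp]` services run with `client = yes` but no `verify`, `verifyChain`, `CAfile` or `checkHost` setting, and stunnel does not verify the remote certificate unless one of these is configured, so the tunnel will accept any certificate a man-in-the-middle presents and then hand it the IMAP login and the `protocolUsername`/`protocolPassword` SMTP credentials. `accept = 143` and `accept = 25` give no bind address, which (per stunnel's documented default) listens on all interfaces, so any host that can reach this machine can send mail through the stored SMTP credentials; bind to loopback unless remote clients are intended. The committed plaintext password should also live outside the repository. Suggested changes below (CA bundle path is Alpine's default; `verifyChain` is stunnel 5 and newer, older releases use `verify = 2`):
```ini
# … unchanged: cert/key, setuid/setgid, pid, socket options …
client = yes
# Verify the remote certificate chain against the system CA bundle;
# without this stunnel accepts any certificate the peer presents.
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt

[imap]
# bind to loopback only; a bare port listens on all interfaces
accept = 127.0.0.1:143
connect = IMAP.EXAMPLE.ORG:IMAP_PORT
checkHost = IMAP.EXAMPLE.ORG

[smtp]
accept = 127.0.0.1:25
connect = SMTP.EXAMPLE.ORG:SMTP_PORT
checkHost = SMTP.EXAMPLE.ORG
# … unchanged: protocol / protocolUsername / protocolPassword …
```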