From e6fc081182efca658e64387b945508d33180e9fb Mon Sep 17 00:00:00 2001
From: Horia Racoviceanu
Date: Mon, 9 Apr 2018 18:13:18 -0400
Subject: [PATCH 1/6] Fix #125 - Connect to switch0 at reboot

---
 src/etc/hostname.switch0 | 1 -
 src/var/cron/tabs/root | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/etc/hostname.switch0 b/src/etc/hostname.switch0
index 8ec73af..2a687ee 100644
--- a/src/etc/hostname.switch0
+++ b/src/etc/hostname.switch0
@@ -2,4 +2,3 @@ description "switchd interface"
 addlocal vether0
 #add tap0
 up
-!switchctl connect /dev/switch0
diff --git a/src/var/cron/tabs/root b/src/var/cron/tabs/root
index 88dfbf9..b5dd7c3 100644
--- a/src/var/cron/tabs/root
+++ b/src/var/cron/tabs/root
@@ -30,4 +30,4 @@ HOME=/var/log
 # schedule ends at 5pm
 0 17 * * * pfctl -t schedule -T flush > /dev/null 2>&1; /sbin/pfctl -k label -k schedule > /dev/null 2>&1
 # sticky mfs /tmp
-@reboot chmod 1777 /tmp
+@reboot chmod 1777 /tmp; switchctl connect /dev/switch0

From 5a9aba1ab76f767e4a214b87091aa57f6840f3c1 Mon Sep 17 00:00:00 2001
From: Horia Racoviceanu
Date: Mon, 9 Apr 2018 18:14:27 -0400
Subject: [PATCH 2/6] Remove comment

---
 src/etc/iked-vedetta.conf | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/etc/iked-vedetta.conf b/src/etc/iked-vedetta.conf
index 96a9dc4..a233aa8 100644
--- a/src/etc/iked-vedetta.conf
+++ b/src/etc/iked-vedetta.conf
@@ -1,5 +1,3 @@
-# (!) strongSwan http://marc.info/?l=openbsd-tech&m=149844148709729&w=2
-
 ikev2 "road-warrior-IPv4" passive ipcomp esp inet \
 from 0.0.0.0/0 to 10.10.200.0/24 \
 local em0 peer 0.0.0.0/0 \
@@ -19,4 +17,4 @@ ikev2 "road-warrior-IPv6" passive ipcomp esp inet6 \
 config access-server 2001:470:b35c:deaf::ace:face \
 config protected-subnet ::0/0 \
 tag VPN \
- tap enc1
+ tap "enc1"

From 459593a9d29dee00fe8622c24ea050e9c5149393 Mon Sep 17 00:00:00 2001
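Review bot: The new `@reboot` entry runs `switchctl connect /dev/switch0` from cron without any check that switchd is already up, so whether this resolves #125 depends on cron starting after switchd in the boot order, which the hunk cannot show; a failed connect only surfaces as cron mail to root. Unlike the `0 17 * * *` entry above it, this line keeps its output, which is reasonable for a one-shot boot task but should be stated rather than left to look like an omission. I would give the connect its own entry with a comment, `# connect switchd at boot (see #125); output is kept so a failed connect is mailed to root` followed by `@reboot switchctl connect /dev/switch0`, leaving `@reboot chmod 1777 /tmp` alone, so the /tmp permission fix and the switch connect do not share one entry and a failure of either is attributable.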
From: Horia Racoviceanu
Date: Mon, 9 Apr 2018 18:14:55 -0400
Subject: [PATCH 3/6] Remove default

---
 src/etc/rc.conf.local | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/etc/rc.conf.local b/src/etc/rc.conf.local
index c49089d..109598d 100644
--- a/src/etc/rc.conf.local
+++ b/src/etc/rc.conf.local
@@ -18,7 +18,6 @@ switchd_flags=
 syslogd_flags="${syslogd_flags} -a /var/unbound/dev/log -a /var/nsd/dev/log"
 hotplugd_flags=
 sensorsd_flags=
-pf=YES
 # IKEv1 or IKEv2
 #ipsec=YES # Load ipsec.conf(5)
 # IKEv2

From c9e79218aa8b3320c75a8505c4738c142d09e98d Mon Sep 17 00:00:00 2001
From: Horia Racoviceanu
Date: Mon, 9 Apr 2018 18:15:12 -0400
Subject: [PATCH 4/6] Update header

---
 src/etc/relayd.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/etc/relayd.conf b/src/etc/relayd.conf
index 5188f94..90bbe3a 100644
--- a/src/etc/relayd.conf
+++ b/src/etc/relayd.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: relayd.conf,v 1.3 2014/12/12 10:05:09 reyk Exp $
+# $OpenBSD: relayd.conf,v 1.4 2018/03/23 09:55:06 claudio Exp $
 #
 # Macros
 #

From 7452b87be19356f26bb785faf415d512da8fd698 Mon Sep 17 00:00:00 2001
From: Horia Racoviceanu
Date: Tue, 10 Apr 2018 02:35:15 -0400
Subject: [PATCH 5/6] Use tab

---
 src/etc/relayd.conf.relay.https | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/etc/relayd.conf.relay.https b/src/etc/relayd.conf.relay.https
index f1e0b50..ab176b3 100644
--- a/src/etc/relayd.conf.relay.https
+++ b/src/etc/relayd.conf.relay.https
@@ -22,7 +22,7 @@ http protocol https {
 # (!) Non-standard
 # match header set "Keep-Alive" value "$TIMEOUT"
- # Anonimize (opt-in data collection and tracking)
+ # Anonimize (opt-in data collection and tracking)
 match response header set "Server" value "OpenBSD relayd"
 match response header remove "X-Powered-By"

From 34eb28a4d816cb01eb559722b1d29b8ff236698e Mon Sep 17 00:00:00 2001
From: Horia Racoviceanu
Date: Tue, 10 Apr 2018 02:38:33 -0400
Subject: [PATCH 6/6] Fix #82 - TLS inspection (MITM) with relayd

---
 README.md | 16 +++++++++++++++-
 src/etc/pf.conf | 10 ++++++++++
 src/etc/relayd.conf | 3 ++-
 src/etc/relayd.conf.proxy.https | 24 ++++++++++++++++++++++++
 4 files changed, 51 insertions(+), 2 deletions(-)
 create mode 100644 src/etc/relayd.conf.proxy.https

diff --git a/README.md b/README.md
index 2dc7003..1296ac3 100644
--- a/README.md
+++ b/README.md
@@ -222,7 +222,7 @@ Share what you've got, keep what you need:
 - *Usage:*
 - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
 - `dig ipv6.google.com aaaa`
-* [relayd](https://man.openbsd.org/relayd) - relay daemon for loadbalancing, SSL/TLS acceleration, DNS-sanitizing, SSH gateway, and transparent HTTP proxy
+* [relayd](https://man.openbsd.org/relayd) - relay daemon for loadbalancing, SSL/TLS acceleration, DNS-sanitizing, SSH gateway, transparent HTTP proxy, and TLS inspection ([MITM](https://github.com/vedetta-com/vedetta/issues/82#issuecomment-363907251))
 - *Configure:*
 - [`etc/acme-client.conf`](src/etc/acme-client.conf)
 - [`etc/httpd.conf`](src/etc/httpd.conf)
@@ -235,10 +235,24 @@ Share what you've got, keep what you need:
 - `cd `[`/etc/ssl/private`](src/etc/ssl/private)
 - `ln -s ../acme/private/freedns.afraid.org.key 10.10.10.11:443.key`
 - `ln -s ../acme/private/freedns.afraid.org.key fd80:1fe9:fcee:1337::ace:babe:443.key`
+ - `mkdir -p /etc/ssl/relayd/private`
+ - `openssl req -x509 -days 365 -newkey rsa:2048 -keyout /etc/ssl/relayd/private/ca.key -out /etc/ssl/relayd/ca.crt`
+ - `echo 'subjectAltName=DNS:relay.vedetta.lan' > /etc/ssl/relayd/server.ext`
+ - `openssl genrsa -out /etc/ssl/relayd/private/relay.vedetta.lan.key 2048`
+ - `openssl req -new -key /etc/ssl/relayd/private/relay.vedetta.lan.key -out /etc/ssl/relayd/private/relay.vedetta.lan.csr -nodes`
+ - `openssl x509 -sha256 -req -days 365 -in /etc/ssl/relayd/private/relay.vedetta.lan.csr -CA /etc/ssl/relayd/ca.crt -CAkey /etc/ssl/relayd/private/ca.key -CAcreateserial -extfile /etc/ssl/relayd/server.ext -out /etc/ssl/relayd/relay.vedetta.lan.crt`
+ - `cd /etc/ssl`
+ - `ln -s relayd/relay.vedetta.lan.crt 127.0.0.1.crt`
+ - `ln -s relayd/relay.vedetta.lan.crt ::1.crt`
+ - `cd /etc/ssl/private`
+ - `ln -s ../relayd/private/relay.vedetta.lan.key 127.0.0.1.key`
+ - `ln -s ../relayd/private/relay.vedetta.lan.key ::1.key`
 - *Usage:*
 - [`pfctl`](https://man.openbsd.org/pfctl)` -f /etc/pf.conf`
 - [`rcctl`](https://man.openbsd.org/rcctl)` enable relayd`
 - [`rcctl`](https://man.openbsd.org/rcctl)` start relayd`
+ - [`pfctl`](https://man.openbsd.org/pfctl)` -T add -t httpfilter $ip`
+ - [`pfctl`](https://man.openbsd.org/pfctl)` -T add -t tlsinspect $ip`
 * [rtadvd](https://man.openbsd.org/rtadvd) - router advertisement daemon
 - *Configure:*
 - [`etc/pf.conf`](src/etc/pf.conf)
diff --git a/src/etc/pf.conf b/src/etc/pf.conf
index 4ae1472..9df75bd 100644
--- a/src/etc/pf.conf
+++ b/src/etc/pf.conf
@@ -352,6 +352,16 @@ anchor "internal" on { lan wlan enc tun } proto { tcp udp } {
 tag LAN6_SELF6
 }
 
+ # relayd HTTP layer7 TLS inspection (split IPv4/6)
+ anchor proto tcp from to port https tagged LAN_INET {
+ pass log inet \
+ divert-to lo0 port 8443 \
+ tag LAN_SELF
+ pass log inet6 \
+ divert-to lo0 port 8443 \
+ tag LAN6_SELF6
+ }
+
 # Split IPv4/6 from LAN_INET (!) not for proxy (e.g. divert-to, rdr-to)
 anchor inet6 tagged LAN_INET {
 match tag LAN6_INET6
diff --git a/src/etc/relayd.conf b/src/etc/relayd.conf
index 90bbe3a..b262329 100644
--- a/src/etc/relayd.conf
+++ b/src/etc/relayd.conf
@@ -68,4 +68,5 @@ include "/etc/relayd.conf.proxy.http"
 #
 # Relay and protocol for a transparent HTTPS proxy
 #
-# -current only (!) see https://github.com/vedetta-com/vedetta/issues/82
+# (!) see https://github.com/vedetta-com/vedetta/issues/82
+include "/etc/relayd.conf.proxy.https"
diff --git a/src/etc/relayd.conf.proxy.https b/src/etc/relayd.conf.proxy.https
new file mode 100644
index 0000000..48a67e8
--- /dev/null
+++ b/src/etc/relayd.conf.proxy.https
@@ -0,0 +1,24 @@
+http protocol httpsfilter {
+ return error
+ match header set "Connection" value "close"
+
+ pass
+# pass quick url file "/etc/relayd.d/custom_whitelist"
+# block url file "/etc/relayd.d/custom_blacklist"
+# include "/etc/relayd.d/auto_blacklist"
+
+ tls ca key "/etc/ssl/relayd/private/ca.key" password "AvenaCrucio"
+ tls ca cert "/etc/ssl/relayd/ca.crt" # import on client
+}
+
+relay tlsinspect {
+ # Listen on localhost, accept diverted connections from pf(4)
+ listen on 127.0.0.1 port 8443 tls
+ listen on ::1 port 8443 tls
+
+ protocol httpsfilter
+
+ # Forward to the original target host
+ forward with tls to destination
+}
+
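Review bot: The new anchor's source operand between `from` and `to` is empty as rendered here, so the rule as shown would not load; if the original carries a pf table (the README in this series adds addresses with `pfctl -T add -t tlsinspect $ip`, so presumably `<tlsinspect>`), that table has to be declared with `table <NAME> persist` somewhere in pf.conf or pfctl rejects the ruleset, and the hunk does not show the declaration. The rule diverts only `port https` out of tagged LAN_INET traffic, so TLS on any other port passes uninspected; I would say so on the `# relayd HTTP layer7 TLS inspection (split IPv4/6)` line, e.g. `# only tcp/443 from hosts in the table is diverted to relayd; TLS on other ports is not inspected`. The enclosing top-level block of pf.conf starts before this hunk.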
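Review bot: The CA private-key passphrase is committed in clear text on the `tls ca key "/etc/ssl/relayd/private/ca.key" password "AvenaCrucio"` line, and the README step in this series generates `ca.key` with `openssl req -x509` prompting for a passphrase, so every deployment either reuses the published value or silently diverges from this file; a comment above it such as `# (!) replace with the passphrase chosen when ca.key was generated; keep this file root-only (0600)` is the minimum. The protocol is a bare `pass` with the URL whitelist/blacklist lines commented out, so every connection diverted to port 8443 is decrypted and re-encrypted; that is the intended MITM, but the `# import on client` remark on the `tls ca cert` line is the only hint that clients are being told to trust a CA that can sign for any name, and a sentence stating that consequence belongs next to it. Whether relayd validates the origin server's certificate on the `forward with tls to destination` side is not visible here; if it does not in the targeted release, clients lose the end-to-end validation they had before the relay was inserted, so confirm it and record the answer on the `# Forward to the original target host` line.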