privoxy: add support for https inspection
authorRichard Schneidt <redacted>
Sun, 7 Jun 2026 14:09:05 +0000 (16:09 +0200)
committerAlexandru Ardelean <redacted>
Mon, 8 Jun 2026 11:34:23 +0000 (14:34 +0300)
Creates CA and server cert for use with https inspection

Signed-off-by: Richard Schneidt <redacted>
net/privoxy/Config.in
net/privoxy/Makefile
net/privoxy/files/privoxy.config
net/privoxy/files/privoxy.init
net/privoxy/files/privoxy.upgrade

index b4a629d586120250ce5a70d4658ef5b6d53bc570..d66385ceb41ab593012deacbd137fee8f2f8df6a 100644 (file)
@@ -110,6 +110,14 @@ if PACKAGE_privoxy
                depends on !PRIVOXY_no_zlib
                default n
 
+       config PRIVOXY_enable-https-inspection
+               bool "Allow Privoxy to filter encrypted requests and responses. "
+               help
+                       Allow Privoxy to filter encrypted requests and responses. Requires openssl support.
+               depends on !PRIVOXY_no_openssl
+               default n
+    
+
 
 endif
                 
\ No newline at end of file
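Review bot: The new prompt string carries a trailing space (`"... responses. "`) and the two lines following `default n` contain only whitespace; please trim both. A shorter prompt with the detail left to the help text also reads better in menuconfig, e.g. `bool "Enable HTTPS inspection (filter encrypted requests and responses)"`, since the help line already repeats the full sentence and adds the openssl requirement.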
index 2dc118a266f71aca1bb1a719ad5a2d41936e1330..903a7354ea166adf86195d58575882ccd635737c 100644 (file)
@@ -47,7 +47,8 @@ PKG_CONFIG_DEPENDS:= \
   CONFIG_PRIVOXY_enable-external-filters \
   CONFIG_PRIVOXY_enable-accept-filter \
   CONFIG_PRIVOXY_enable-strptime-sanity-checks \
-  CONFIG_PRIVOXY_enable-compression
+  CONFIG_PRIVOXY_enable-compression \
+  CONFIG_PRIVOXY_enable-https-inspection
 
 include $(INCLUDE_DIR)/package.mk
 
@@ -59,7 +60,7 @@ define Package/privoxy
   URL:=https://www.privoxy.org/
   USERID:=privoxy=8118:privoxy=8118
   MENU:=1
-  DEPENDS:=+!PRIVOXY_no_pcre:libpcre2 +!PRIVOXY_no_pthread:libpthread +!PRIVOXY_no_zlib:zlib
+  DEPENDS:=+!PRIVOXY_no_pcre:libpcre2 +!PRIVOXY_no_pthread:libpthread +!PRIVOXY_no_zlib:zlib +!PRIVOXY_no_openssl:libopenssl
 endef
 
 # shown in LuCI package description
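Review bot: The added runtime dependency `+!PRIVOXY_no_openssl:libopenssl` is keyed on a different symbol than the configure switch in the CONFIGURE_ARGS hunk below, which passes `--with-openssl` only when `CONFIG_PRIVOXY_enable-https-inspection` is set, so a build with openssl not disabled but inspection off presumably pulls in libopenssl without linking against it. The `openssl req` call this commit adds to privoxy.init gets no dependency at all, because libopenssl does not ship the command-line tool (on OpenWrt that is the `openssl-util` package). Keying both on the feature option keeps the three places consistent: `DEPENDS:=+!PRIVOXY_no_pcre:libpcre2 +!PRIVOXY_no_pthread:libpthread +!PRIVOXY_no_zlib:zlib +PRIVOXY_enable-https-inspection:libopenssl +PRIVOXY_enable-https-inspection:openssl-util`. The `define Package/privoxy` block starts before the hunk.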
@@ -106,7 +107,8 @@ CONFIGURE_ARGS += \
        $(if $(CONFIG_PRIVOXY_enable-external-filters),--enable-external-filters) \
        $(if $(CONFIG_PRIVOXY_enable-accept-filter),--enable-accept-filter) \
        $(if $(CONFIG_PRIVOXY_enable-strptime-sanity-checks),--enable-strptime-sanity-checks) \
-       $(if $(CONFIG_PRIVOXY_enable-compression),--enable-compression)
+       $(if $(CONFIG_PRIVOXY_enable-compression),--enable-compression) \
+       $(if $(CONFIG_PRIVOXY_enable-https-inspection),--with-openssl)
 
 # needed otherwise errors during compile
 MAKE_FLAGS:=
index 95b6cf10c9416e7b03bc3db2035d0e32d68194af..c5262e899849b6b91bf4caed184d8c9d7aaeda1b 100644 (file)
@@ -36,9 +36,20 @@ config       privoxy 'privoxy'
        option  split_large_forms       '0'
        option  keep_alive_timeout      '300'
        option  socket_timeout          '300'
+       option  receive-buffer-size     '30000'
        list    permit_access           '192.168.1.0/24'
        option  debug_1         '0'
        option  debug_512       '1'
        option  debug_1024      '0'
        option  debug_4096      '1'
        option  debug_8192      '1'
+#
+# HTTPS Inspection (Section 7.7 of Privoxy User Manual)
+#
+#      option  enable_ssl_bumping              '0'
+#      option  certdir                 '/etc/privoxy/ssl'
+#      option  ca_common_name          'Privoxy CA'
+#      option  ca_validity_days                '3650'
+#      option  cert_validity_days              '365'
+#      option  cert_key_size                   '2048'
+#      list    trustfile                       'user.trust'
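Review bot: `option receive-buffer-size '30000'` uses a hyphen in a UCI option name, and UCI accepts `-` only in package names (option names are limited to letters, digits and `_`), which is exactly what the init script's own comment "uci only accept "_" but we need "-"" records; a line like this can make the whole `privoxy` section fail to parse. Write it as `option receive_buffer_size '30000'`, matching `keep_alive_timeout` and the other options in this file; the `_uci2conf` callback already rewrites `_` to `-`, so the explicit read-and-write added in the init hunk at `@@ -71,7 +78,8` then becomes redundant, or must read `receive_buffer_size` if the fallback default is to be kept. In the commented example block, `trustfile` is shown as a `list` while the init script reads it with a plain `uci -q get`, which returns all items joined by spaces on one line; one of the two should change.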
index ae493c2bd6326d57773b0ef8b1dfff3549910910..e26bbbfa1020b8b891a206598a5e433724e26232 100644 (file)
@@ -6,6 +6,7 @@ STOP=10
 PIDFILE=/var/run/privoxy.pid
 CFGFILE=/var/etc/privoxy.conf
 CFGTEMP=/var/etc/privoxy.conf.tmp
+SSLCERTSTEMP=/var/ssl
 
 _uci2conf() {
        # redefined callback for options when calling config_load
@@ -33,6 +34,12 @@ _uci2conf() {
                                                echo $__OPT | grep -i "_LENGTH" >/dev/null 2>&1 && return
                                                # detect list options (ITEM) and ignore
                                                echo $__OPT | grep -i "_ITEM" >/dev/null 2>&1 && __OPT=$(echo $__OPT | sed -e "s#_ITEM.*##g")
+                                               # Ignore certificate generation options (used only in init script)
+                                               case $__OPT in
+                                                       certdir|ca_common_name|ca_validity_days|cert_validity_days|cert_key_size|enable_ssl_bumping|boot_delay|_enabled)
+                                                               return
+                                                               ;;
+                                               esac
                                                # uci only accept "_" but we need "-"
                                                local __OPT=$(echo $__OPT | sed -e "s#_#-#g")
                                                # write to config
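Review bot: The new `case` ignore list covers the certificate options the script consumes itself, but not `trustfile`, which this commit also writes explicitly further down (hunk `@@ -103,6 +111,80`); if the callback emits list options the way the `_ITEM` handling just above suggests, that directive would then appear twice in the generated configuration. Either add `trustfile` to the case list, `certdir|ca_common_name|ca_validity_days|cert_validity_days|cert_key_size|enable_ssl_bumping|boot_delay|_enabled|trustfile)`, or drop the explicit block. The rest of the callback is outside the hunk, so this is inferred from the visible lines.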
@@ -71,7 +78,8 @@ _uci2conf() {
        chown privoxy:privoxy $_LOGDIR/$_LOGFILE
        echo -e "logdir\t$_LOGDIR" >> $CFGTEMP
        echo -e "logfile\t$_LOGFILE" >> $CFGTEMP
-
+       _RECEIVE_BUFFER_SIZE=$(uci -q get privoxy.privoxy.receive-buffer-size) || _RECEIVE_BUFFER_SIZE="30000"
+       echo -e "receive-buffer-size\t$_RECEIVE_BUFFER_SIZE" >> $CFGTEMP
        # confdir
        # privoxy needs read access (possibly write access)
        _CONFDIR=$(uci -q get privoxy.privoxy.confdir) || _CONFDIR="/etc/privoxy"
@@ -103,6 +111,80 @@ _uci2conf() {
                echo -e "temporary-directory\t$_TMP_DIR" >> $CFGTEMP
        fi
 
+       # HTTPS Inspection (Section 7.7)
+       # ca-directory - directory for CA certificate and key files
+       # certificate-directory - directory for generated certificates
+       _CERT_DIR=$(uci -q get privoxy.privoxy.certdir)
+       if [ -n "$_CERT_DIR" ]; then
+               mkdir -m0700 -p $_CERT_DIR
+               chown privoxy:privoxy $_CERT_DIR
+               chmod 700 $_CERT_DIR
+
+               # Generate CA certificate if it doesn't exist or regeneration requested
+               _CA_CERT="$_CERT_DIR/ca-cert.pem"
+               _CA_KEY="$_CERT_DIR/ca-key.pem"
+               _REGEN_FILE="/etc/privoxy/regenerate_ca"
+               if [ -f "$_REGEN_FILE" ]; then
+                       rm -f "$_CA_CERT" "$_CA_KEY"
+                       rm -f "$_REGEN_FILE"
+               fi
+               if [ ! -f "$_CA_CERT" ] || [ ! -f "$_CA_KEY" ]; then
+                       _CA_NAME=$(uci -q get privoxy.privoxy.ca_common_name) || _CA_NAME="Privoxy CA"
+                       _CA_DAYS=$(uci -q get privoxy.privoxy.ca_validity_days) || _CA_DAYS="3650"
+                       _CERT_DAYS=$(uci -q get privoxy.privoxy.cert_validity_days) || _CERT_DAYS="365"
+                       _CERT_KEY_SIZE=$(uci -q get privoxy.privoxy.cert_key_size) || _CERT_KEY_SIZE="2048"
+                       logger -p daemon.info -t "privoxy[]" "Generating CA certificate for HTTPS inspection"
+                       openssl req -new -newkey rsa:$_CERT_KEY_SIZE -days $_CA_DAYS -nodes -x509 \
+                               -subj "/CN=$_CA_NAME" -keyout "$_CA_KEY" -out "$_CA_CERT" 2>/dev/null
+               fi
+
+               # Set permissions: CA cert is public (readable by all), private key is secure
+               chmod 644 "$_CA_CERT"
+               chown root:root "$_CA_CERT"
+               chmod 600 "$_CA_KEY"
+               chown privoxy:privoxy "$_CA_KEY"
+
+               # Create symlink for trustedCAs.pem pointing to system CA certificates
+               _TRUSTED_CAS="$_CERT_DIR/trustedCAs.pem"
+               _SYSTEM_CA_CRT="/etc/ssl/certs/ca-certificates.crt"
+               if [ ! -f "$_TRUSTED_CAS" ]; then
+                       if [ -f "$_SYSTEM_CA_CRT" ]; then
+                               ln -sf "$_SYSTEM_CA_CRT" "$_TRUSTED_CAS"
+                       else
+                               # Fallback: use the CA bundle from ca-cert package
+                               _CA_BUNDLE="/etc/ssl/certs/ca-bundle.crt"
+                               if [ -f "$_CA_BUNDLE" ]; then
+                                       ln -sf "$_CA_BUNDLE" "$_TRUSTED_CAS"
+                               fi
+                       fi
+               fi
+
+               # Write ca-directory directive (directory containing ca-cert.pem and ca-key.pem)
+               echo -e "ca-directory\t$_CERT_DIR" >> $CFGTEMP
+
+               # Write ca-cert-file directive (full path to CA certificate)
+               echo -e "ca-cert-file\t$_CA_CERT" >> $CFGTEMP
+
+               # Write ca-key-file directive (full path to CA key)
+               echo -e "ca-key-file\t$_CA_KEY" >> $CFGTEMP
+
+               # Write certificate-directory directive (directory for generated certificates)
+               mkdir -m777 -p $SSLCERTSTEMP
+               echo -e "certificate-directory\t$SSLCERTSTEMP" >> $CFGTEMP
+       fi
+
+       # enable-ssl-bumping
+       _SSL_BUMP=$(uci -q get privoxy.privoxy.enable_ssl_bumping)
+       if [ "$_SSL_BUMP" = "1" ]; then
+               echo -e "enable-ssl-bumping\t1" >> $CFGTEMP
+       fi
+
+       # trustfile
+       _TRUSTFILE=$(uci -q get privoxy.privoxy.trustfile)
+       if [ -n "$_TRUSTFILE" ]; then
+               echo -e "trustfile\t$_TRUSTFILE" >> $CFGTEMP
+       fi
+
        config_load "privoxy"   # calling above option_cb() and write the rest into $CFGTEMP
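Review bot: `mkdir -m777 -p $SSLCERTSTEMP` at the certificate-directory step creates a world-writable directory for the per-site certificates and private keys Privoxy generates, so any local process could replace them and the inspection CA would sign whatever it finds there; mirror the certdir handling above with `mkdir -m0700 -p "$SSLCERTSTEMP"` followed by `chown privoxy:privoxy "$SSLCERTSTEMP"`. The `openssl req` invocation discards stderr and its exit status is never checked, so a missing `openssl` binary or a bad `cert_key_size` leaves the following chmod/chown lines and the `ca-cert-file`/`ca-key-file` directives pointing at files that do not exist — wrap it as `openssl req ... || { logger -p daemon.err -t "privoxy[]" "CA generation failed"; return 1; }`. `_CERT_DAYS` is read at the same spot but never used. I do not find `enable-ssl-bumping` among the section 7.7 directives (ca-directory, ca-cert-file, ca-key-file, ca-password, certificate-directory, cipher-list, trusted-cas-file); inspection is normally switched on per URL pattern with the `+https-inspection` action, so please confirm Privoxy accepts this directive before shipping it. `_uci2conf` begins and ends outside the hunk.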
 
        # move temp to final privoxy readable configuration
@@ -111,6 +193,9 @@ _uci2conf() {
 }
 
 boot() {
+       # check if privoxy is enabled
+       [ "$(uci -q get privoxy.privoxy._enabled)" != "1" ] && return 0
+
        # wait a given time (default 10 seconds) before startup
        # to wait for interfaces to come up / not using hotplug events during boot
        _start() {
@@ -122,7 +207,7 @@ boot() {
        }
 
        local _DELAY
-       _DELAY=$(uci_get "privoxy" "system" "boot_delay" "10")
+       _DELAY=$(uci -q get privoxy.privoxy.boot_delay)
        _start $_DELAY &
        return 0
 }
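Review bot: `_DELAY=$(uci -q get privoxy.privoxy.boot_delay)` drops the default of 10 seconds that the replaced `uci_get "privoxy" "system" "boot_delay" "10"` supplied, so a configuration without `boot_delay` now calls `_start` with an empty argument; use the fallback pattern the rest of the script already uses, `_DELAY=$(uci -q get privoxy.privoxy.boot_delay) || _DELAY="10"`. The option also moves from the `system` section to the `privoxy` section, so existing configurations that still carry it under `config system` will be silently ignored — worth a line in the commit message or a migration step. `_start` is defined before the hunk and is not visible here.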
index ef198a278c6b556e34ca44f4a5a19f7fe628df95..82f5c4d185a7e5dbb3b909f3d015a7f3c30ceffa 100644 (file)
@@ -2,3 +2,4 @@
 /etc/privoxy/user.action
 /etc/privoxy/user.filter
 /etc/privoxy/user.trust
+/etc/privoxy/ssl
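Review bot: `/etc/privoxy/ssl` is hard-coded in the upgrade keep list while the directory is user-configurable through the `certdir` option in privoxy.config, so a user who chooses another path loses the CA key and certificate on sysupgrade and every client that imported that CA has to be re-provisioned. Either state in privoxy.config that only `/etc/privoxy/ssl` survives an upgrade, or fix the path in the init script and drop the option.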