From: Richard Schneidt Date: Sun, 7 Jun 2026 14:09:05 +0000 (+0200) Subject: privoxy: add support for https inspection X-Git-Url: http://git.99rst.org/?a=commitdiff_plain;h=d373e0ec7d600ba31c0d5b16a0f7ac4234a63047;p=openwrt-packages.git privoxy: add support for https inspection Creates CA and server cert for use with https inspection Signed-off-by: Richard Schneidt --- diff --git a/net/privoxy/Config.in b/net/privoxy/Config.in index b4a629d58..d66385ceb 100644 --- a/net/privoxy/Config.in +++ b/net/privoxy/Config.in @@ -110,6 +110,14 @@ if PACKAGE_privoxy depends on !PRIVOXY_no_zlib default n + config PRIVOXY_enable-https-inspection + bool "Allow Privoxy to filter encrypted requests and responses. " + help + Allow Privoxy to filter encrypted requests and responses. Requires openssl support. + depends on !PRIVOXY_no_openssl + default n + + endif \ No newline at end of file diff --git a/net/privoxy/Makefile b/net/privoxy/Makefile index 2dc118a26..903a7354e 100644 --- a/net/privoxy/Makefile +++ b/net/privoxy/Makefile @@ -47,7 +47,8 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_PRIVOXY_enable-external-filters \ CONFIG_PRIVOXY_enable-accept-filter \ CONFIG_PRIVOXY_enable-strptime-sanity-checks \ - CONFIG_PRIVOXY_enable-compression + CONFIG_PRIVOXY_enable-compression \ + CONFIG_PRIVOXY_enable-https-inspection include $(INCLUDE_DIR)/package.mk @@ -59,7 +60,7 @@ define Package/privoxy URL:=https://www.privoxy.org/ USERID:=privoxy=8118:privoxy=8118 MENU:=1 - DEPENDS:=+!PRIVOXY_no_pcre:libpcre2 +!PRIVOXY_no_pthread:libpthread +!PRIVOXY_no_zlib:zlib + DEPENDS:=+!PRIVOXY_no_pcre:libpcre2 +!PRIVOXY_no_pthread:libpthread +!PRIVOXY_no_zlib:zlib +!PRIVOXY_no_openssl:libopenssl endef # shown in LuCI package description 
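Review bot: The new option depends on `!PRIVOXY_no_openssl`, but no `PRIVOXY_no_openssl` symbol is added in this patch; unless it already exists further up in Config.in (not visible here) the dependency references an undefined symbol and the option can never be selected. The prompt `bool "Allow Privoxy to filter encrypted requests and responses. "` also carries a trailing period and space and merely repeats the help text; a short noun phrase such as `bool "Enable HTTPS inspection"` reads better in menuconfig, with the longer explanation left in `help`.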
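Review bot: The `libopenssl` dependency is keyed to `!PRIVOXY_no_openssl` while the `--with-openssl` configure flag added in the `@@ -106,7 +107,8 @@` hunk is keyed to `PRIVOXY_enable-https-inspection`, so a build with neither symbol set depends on libopenssl without linking it, and the two knobs can drift apart over time. Keying both to the same symbol, `+PRIVOXY_enable-https-inspection:libopenssl`, keeps DEPENDS and CONFIGURE_ARGS consistent. If the certificate generation in the init script is kept, the `openssl` command-line tool also has to be pulled in (it ships separately as `openssl-util`), conditionally on the same symbol.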
@@ -106,7 +107,8 @@ CONFIGURE_ARGS += \ $(if $(CONFIG_PRIVOXY_enable-external-filters),--enable-external-filters) \ $(if $(CONFIG_PRIVOXY_enable-accept-filter),--enable-accept-filter) \ $(if $(CONFIG_PRIVOXY_enable-strptime-sanity-checks),--enable-strptime-sanity-checks) \ - $(if $(CONFIG_PRIVOXY_enable-compression),--enable-compression) + $(if $(CONFIG_PRIVOXY_enable-compression),--enable-compression) \ + $(if $(CONFIG_PRIVOXY_enable-https-inspection),--with-openssl) # needed otherwise errors during compile MAKE_FLAGS:= diff --git a/net/privoxy/files/privoxy.config b/net/privoxy/files/privoxy.config index 95b6cf10c..c5262e899 100644 --- a/net/privoxy/files/privoxy.config +++ b/net/privoxy/files/privoxy.config @@ -36,9 +36,20 @@ config privoxy 'privoxy' option split_large_forms '0' option keep_alive_timeout '300' option socket_timeout '300' + option receive-buffer-size '30000' list permit_access '192.168.1.0/24' option debug_1 '0' option debug_512 '1' option debug_1024 '0' option debug_4096 '1' option debug_8192 '1' +# +# HTTPS Inspection (Section 7.7 of Privoxy User Manual) +# +# option enable_ssl_bumping '0' +# option certdir '/etc/privoxy/ssl' +# option ca_common_name 'Privoxy CA' +# option ca_validity_days '3650' +# option cert_validity_days '365' +# option cert_key_size '2048' +# list trustfile 'user.trust' diff --git a/net/privoxy/files/privoxy.init b/net/privoxy/files/privoxy.init index ae493c2bd..e26bbbfa1 100644 --- a/net/privoxy/files/privoxy.init +++ b/net/privoxy/files/privoxy.init @@ -6,6 +6,7 @@ STOP=10 PIDFILE=/var/run/privoxy.pid CFGFILE=/var/etc/privoxy.conf CFGTEMP=/var/etc/privoxy.conf.tmp +SSLCERTSTEMP=/var/ssl _uci2conf() { # redefined callback for options when calling config_load 
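Review bot: `option receive-buffer-size '30000'` uses a hyphen in a UCI option name; UCI identifiers are restricted to letters, digits and underscore, so the parser rejects the option, and since UCI aborts on a parse error I expect the whole `privoxy` config to become unreadable, which would also break every `uci get` in the init script. The existing options (`keep_alive_timeout`, `socket_timeout`) use underscores and rely on the `_uci2conf` callback to translate them into the hyphenated Privoxy directive, so the same convention works here: `option receive_buffer_size '30000'`. With that rename the explicit `_RECEIVE_BUFFER_SIZE` block added in the privoxy.init hunk at `@@ -71,7 +78,8 @@` becomes redundant (the generic callback already emits `receive-buffer-size`) and should be dropped so the directive is not written twice.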
@@ -33,6 +34,12 @@ _uci2conf() { echo $__OPT | grep -i "_LENGTH" >/dev/null 2>&1 && return # detect list options (ITEM) and ignore echo $__OPT | grep -i "_ITEM" >/dev/null 2>&1 && __OPT=$(echo $__OPT | sed -e "s#_ITEM.*##g") + # Ignore certificate generation options (used only in init script) + case $__OPT in + certdir|ca_common_name|ca_validity_days|cert_validity_days|cert_key_size|enable_ssl_bumping|boot_delay|_enabled) + return + ;; + esac # uci only accept "_" but we need "-" local __OPT=$(echo $__OPT | sed -e "s#_#-#g") # write to config @@ -71,7 +78,8 @@ _uci2conf() { chown privoxy:privoxy $_LOGDIR/$_LOGFILE echo -e "logdir\t$_LOGDIR" >> $CFGTEMP echo -e "logfile\t$_LOGFILE" >> $CFGTEMP - + _RECEIVE_BUFFER_SIZE=$(uci -q get privoxy.privoxy.receive-buffer-size) || _RECEIVE_BUFFER_SIZE="30000" + echo -e "receive-buffer-size\t$_RECEIVE_BUFFER_SIZE" >> $CFGTEMP # confdir # privoxy needs read access (possibly write access) _CONFDIR=$(uci -q get privoxy.privoxy.confdir) || _CONFDIR="/etc/privoxy" 
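Review bot: `trustfile` is missing from the added `case` list, yet the `@@ -103,6 +111,80 @@` hunk writes it explicitly from `uci -q get privoxy.privoxy.trustfile`; because the callback only strips the `_ITEM` suffix and keeps going, a `list trustfile` entry is emitted a second time by `config_load`, and the explicit form joins several list values onto one `trustfile` line. Either add `trustfile` to the case list or, simpler, drop the explicit block and let the callback handle the list. `_uci2conf` begins and ends outside this hunk.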
@@ -103,6 +111,80 @@ _uci2conf() { echo -e "temporary-directory\t$_TMP_DIR" >> $CFGTEMP fi + # HTTPS Inspection (Section 7.7) + # ca-directory - directory for CA certificate and key files + # certificate-directory - directory for generated certificates + _CERT_DIR=$(uci -q get privoxy.privoxy.certdir) + if [ -n "$_CERT_DIR" ]; then + mkdir -m0700 -p $_CERT_DIR + chown privoxy:privoxy $_CERT_DIR + chmod 700 $_CERT_DIR + + # Generate CA certificate if it doesn't exist or regeneration requested + _CA_CERT="$_CERT_DIR/ca-cert.pem" + _CA_KEY="$_CERT_DIR/ca-key.pem" + _REGEN_FILE="/etc/privoxy/regenerate_ca" + if [ -f "$_REGEN_FILE" ]; then + rm -f "$_CA_CERT" "$_CA_KEY" + rm -f "$_REGEN_FILE" + fi + if [ ! -f "$_CA_CERT" ] || [ ! -f "$_CA_KEY" ]; then + _CA_NAME=$(uci -q get privoxy.privoxy.ca_common_name) || _CA_NAME="Privoxy CA" + _CA_DAYS=$(uci -q get privoxy.privoxy.ca_validity_days) || _CA_DAYS="3650" + _CERT_DAYS=$(uci -q get privoxy.privoxy.cert_validity_days) || _CERT_DAYS="365" + _CERT_KEY_SIZE=$(uci -q get privoxy.privoxy.cert_key_size) || _CERT_KEY_SIZE="2048" + logger -p daemon.info -t "privoxy[]" "Generating CA certificate for HTTPS inspection" + openssl req -new -newkey rsa:$_CERT_KEY_SIZE -days $_CA_DAYS -nodes -x509 \ + -subj "/CN=$_CA_NAME" -keyout "$_CA_KEY" -out "$_CA_CERT" 2>/dev/null + fi + + # Set permissions: CA cert is public (readable by all), private key is secure + chmod 644 "$_CA_CERT" + chown root:root "$_CA_CERT" + chmod 600 "$_CA_KEY" + chown privoxy:privoxy "$_CA_KEY" + + # Create symlink for trustedCAs.pem pointing to system CA certificates + _TRUSTED_CAS="$_CERT_DIR/trustedCAs.pem" + _SYSTEM_CA_CRT="/etc/ssl/certs/ca-certificates.crt" + if [ ! 
-f "$_TRUSTED_CAS" ]; then + if [ -f "$_SYSTEM_CA_CRT" ]; then + ln -sf "$_SYSTEM_CA_CRT" "$_TRUSTED_CAS" + else + # Fallback: use the CA bundle from ca-cert package + _CA_BUNDLE="/etc/ssl/certs/ca-bundle.crt" + if [ -f "$_CA_BUNDLE" ]; then + ln -sf "$_CA_BUNDLE" "$_TRUSTED_CAS" + fi + fi + fi + + # Write ca-directory directive (directory containing ca-cert.pem and ca-key.pem) + echo -e "ca-directory\t$_CERT_DIR" >> $CFGTEMP + + # Write ca-cert-file directive (full path to CA certificate) + echo -e "ca-cert-file\t$_CA_CERT" >> $CFGTEMP + + # Write ca-key-file directive (full path to CA key) + echo -e "ca-key-file\t$_CA_KEY" >> $CFGTEMP + + # Write certificate-directory directive (directory for generated certificates) + mkdir -m777 -p $SSLCERTSTEMP + echo -e "certificate-directory\t$SSLCERTSTEMP" >> $CFGTEMP + fi + + # enable-ssl-bumping + _SSL_BUMP=$(uci -q get privoxy.privoxy.enable_ssl_bumping) + if [ "$_SSL_BUMP" = "1" ]; then + echo -e "enable-ssl-bumping\t1" >> $CFGTEMP + fi + + # trustfile + _TRUSTFILE=$(uci -q get privoxy.privoxy.trustfile) + if [ -n "$_TRUSTFILE" ]; then + echo -e "trustfile\t$_TRUSTFILE" >> $CFGTEMP + fi + config_load "privoxy" # calling above option_cb() and write the rest into $CFGTEMP # move temp to final privoxy readable configuration @@ -111,6 +193,9 @@ _uci2conf() { } boot() { + # check if privoxy is enabled + [ "$(uci -q get privoxy.privoxy._enabled)" != "1" ] && return 0 + # wait a given time (default 10 seconds) before startup # to wait for interfaces to come up / not using hotplug events during boot _start() { @@ -122,7 +207,7 @@ boot() { } local _DELAY - _DELAY=$(uci_get "privoxy" "system" "boot_delay" "10") + _DELAY=$(uci -q get privoxy.privoxy.boot_delay) _start $_DELAY & return 0 } diff --git a/net/privoxy/files/privoxy.upgrade b/net/privoxy/files/privoxy.upgrade index ef198a278..82f5c4d18 100644 --- a/net/privoxy/files/privoxy.upgrade +++ b/net/privoxy/files/privoxy.upgrade 
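Review bot: `mkdir -m777 -p $SSLCERTSTEMP` creates the `certificate-directory` world-writable, yet Privoxy stores the per-host certificates it mints together with their private keys there, so any local process can read or replace the keys used to impersonate inspected sites; create it `-m0700` and `chown privoxy:privoxy` like `$_CERT_DIR`. The CA generation discards stderr and never checks openssl's exit status, and since the Makefile only adds `libopenssl` the `openssl` binary (`openssl-util`) may not be installed at all, in which case the following `chmod`/`chown` fail on missing files and privoxy.conf points at a CA that does not exist. Removing the CA through `/etc/privoxy/regenerate_ca` also leaves cached leaf certificates signed by the old CA in `$SSLCERTSTEMP`, so they should be cleared in the same block, and `_CERT_DAYS` is read but never used. I also cannot find `enable-ssl-bumping` among Privoxy's configuration directives (inspection is switched on per URL with the `+https-inspection` action) and Privoxy logs and ignores unknown directives, so please verify it against the manual or the `enable_ssl_bumping` option is a silent no-op. `_uci2conf` begins and ends outside this hunk, so the caller has to act on the non-zero status the rewrite below returns when generation fails.
```shell
		if [ -f "$_REGEN_FILE" ]; then
			rm -f "$_CA_CERT" "$_CA_KEY"
			# cached leaf certificates were signed by the CA just removed
			[ -d "$SSLCERTSTEMP" ] && rm -f "${SSLCERTSTEMP:?}"/*
			rm -f "$_REGEN_FILE"
		fi
		if [ ! -f "$_CA_CERT" ] || [ ! -f "$_CA_KEY" ]; then
			# … unchanged: read ca_common_name / ca_validity_days / cert_key_size from uci …
			logger -p daemon.info -t "privoxy[]" "Generating CA certificate for HTTPS inspection"
			if ! openssl req -new -newkey "rsa:$_CERT_KEY_SIZE" -days "$_CA_DAYS" -nodes -x509 \
				-subj "/CN=$_CA_NAME" -keyout "$_CA_KEY" -out "$_CA_CERT" 2>/dev/null; then
				logger -p daemon.err -t "privoxy[]" "CA certificate generation failed (openssl-util installed?); HTTPS inspection unavailable"
				rm -f "$_CA_CERT" "$_CA_KEY"
				return 1
			fi
		fi
		# … unchanged: CA cert/key permissions, trustedCAs.pem symlink, ca-* directives …
		# certificate-directory holds generated host keys, so it must not be world-accessible
		mkdir -m0700 -p "$SSLCERTSTEMP"
		chown privoxy:privoxy "$SSLCERTSTEMP"
		echo -e "certificate-directory\t$SSLCERTSTEMP" >> $CFGTEMP
```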
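Review bot: The new boot gate `[ "$(uci -q get privoxy.privoxy._enabled)" != "1" ] && return 0` makes autostart opt-in, so unless the shipped privoxy.config sets `_enabled '1'` in the `privoxy` section (the config hunk starts at line 36 and does not show it) existing installs stop starting at boot after the upgrade. If an opt-out switch is intended, `[ "$(uci -q get privoxy.privoxy._enabled)" = "0" ] && return 0` preserves current behaviour for configs that lack the option. A leading-underscore option name is unusual for UCI; the `case` list in the `@@ -33,6 +34,12 @@` hunk already keeps it out of privoxy.conf, so a plain `enabled` would do.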
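Review bot: Replacing `uci_get "privoxy" "system" "boot_delay" "10"` with `uci -q get privoxy.privoxy.boot_delay` drops the default of 10 seconds that the comment above still promises: when the option is unset `_DELAY` is empty and `_start` is invoked with no argument. Keep the fallback, `_DELAY=$(uci -q get privoxy.privoxy.boot_delay) || _DELAY=10`. The lookup also moves from the `system` section to the `privoxy` section, which silently discards a `boot_delay` users already have under `privoxy.system`; that deserves a line in the commit message or a migration step.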
@@ -2,3 +2,4 @@
 /etc/privoxy/user.action
 /etc/privoxy/user.filter
 /etc/privoxy/user.trust
+/etc/privoxy/ssl