Author Topic: ClamAV on HTTPS Traffic using Web Proxy - Connection timing out  (Read 5806 times)

Ren

  • Jr. Member
  • **
  • Posts: 52
  • Karma: 3
ClamAV on HTTPS Traffic using Web Proxy - Connection timing out
« on: December 02, 2017, 07:54:31 pm »
I'm currently running into issues configuring ClamAV + Web Proxy to inspect HTTPS traffic. Each time I enable the functionality, all websites except for Google fail to load, as the connection to each site times out.

Firewall rules for HTTP/HTTPS are set:

Code:
LAN TCP LAN net * * 80 (HTTP) 127.0.0.1 3128 redirect traffic to proxy
LAN TCP LAN net * * 443 (HTTPS) 127.0.0.1 3129 redirect traffic to proxy

I do not see any errors in the access logs or the cache:
Code:
192.168.5.127 - 54:60:********** - [02/Dec/2017:13:27:22 -0500] "HEAD http://clients1.google.com/generate_204 HTTP/1.1" 204 228 "-" "-" TCP_MISS:ORIGINAL_DST
192.168.5.121 - 1c:1b********** - [02/Dec/2017:13:26:40 -0500] "GET http://twitch.tv/ HTTP/1.1" 302 474 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36" TCP_MISS:ORIGINAL_DST
192.168.5.121 - 1c:1b********** - [02/Dec/2017:13:25:39 -0500] "GET http://cdn.content.prod.cms.msn.com/singletile/summary/alias/experiencebyname/today? HTTP/1.1" 200 1724 "-" "Microsoft-WNS/10.0" TCP_REFRESH_MODIFIED:ORIGINAL_DST
192.168.5.127 - 54:60:********** - [02/Dec/2017:13:24:08 -0500] "HEAD http://clients1.google.com/generate_204 HTTP/1.1" 204 228 "-" "-" TCP_MISS:ORIGINAL_DST
192.168.5.127 - 54:60:********** - [02/Dec/2017:13:23:31 -0500] "HEAD http://clients1.google.com/generate_204 HTTP/1.1" 204 228 "-" "-" TCP_MISS:ORIGINAL_DST


The system log is complaining there isn't a valid cert for traffic on port 3128, even though SSL traffic is on port 3129 (I'm using a valid Let's Encrypt cert for SSL).

Code:
Dec 2 13:22:57 squid: No valid signing SSL certificate configured for HTTP_port 127.0.0.1:3128
Dec 2 13:21:16 squid: No valid signing SSL certificate configured for HTTP_port 127.0.0.1:3128

What am I missing?

bobbythomas

  • Full Member
  • ***
  • Posts: 134
  • Karma: 5
Re: ClamAV on HTTPS Traffic using Web Proxy - Connection timing out
« Reply #1 on: December 12, 2017, 06:45:09 am »
I think you might have configured the proxy incorrectly. Are you using a letsencrypt cert for SSL inspection? You cannot use letsencrypt for SSL inspection; you will need an internal CA or a self-signed cert. Please go through the proxy documentation once again.

Thank you,
Regards,
Bobby Thomas

Ren

  • Jr. Member
  • **
  • Posts: 52
  • Karma: 3
Re: ClamAV on HTTPS Traffic using Web Proxy - Connection timing out
« Reply #2 on: December 13, 2017, 11:45:10 pm »
Quote from: bobbythomas on December 12, 2017, 06:45:09 am
I think you might have configured the proxy incorrectly. Are you using a letsencrypt cert for SSL inspection? You cannot use letsencrypt for SSL inspection; you will need an internal CA or a self-signed cert. Please go through the proxy documentation once again.

Thank you,
Regards,
Bobby Thomas

Hmmm, why can't I use a letsencrypt cert? I know the documentation states to use a self-signed cert; however, I wanted to bypass importing that cert to my workstations by using a cert issued by letsencrypt that's tied to my dynamic DNS by duckdns. As such it should be a valid cert and not receive any warnings.

mimugmail

  • Hero Member
  • *****
  • Posts: 6279
  • Karma: 432
Re: ClamAV on HTTPS Traffic using Web Proxy - Connection timing out
« Reply #3 on: December 14, 2017, 10:06:36 am »
When you want to enable SSL scanning you need a CA which creates a certificate for every site you visit on the fly. Don't think this will work with Let's Encrypt.

You can roll out the self-signed CA via GPO, for example ..?

This is also how the commercial vendors do SSL scanning.

Edit Fabian: Fix Typo
« Last Edit: December 15, 2017, 09:07:23 pm by fabian »
Twitter: mimu_muc
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

fabian

  • Hero Member
  • *****
  • Posts: 2768
  • Karma: 199
  • OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: ClamAV on HTTPS Traffic using Web Proxy - Connection timing out
« Reply #4 on: December 15, 2017, 09:10:21 pm »
Quote from: mimugmail on December 14, 2017, 10:06:36 am
When you want to enable SSL scanning you need a CA which creates a certificate for every site you visit on the fly. Don't think this will work with Let's Encrypt.

No CA will give you such a certificate, as this should result in removal from the trust stores, which renders the CA useless.
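The chain behaviour the replies above describe, as an added example that is not part of this thread or of OPNsense (Go standard library only; the hostnames, CA names and the stand-in public root are constructed): a per-site certificate is minted once under a CA:FALSE server certificate of the kind Let's Encrypt issues for the proxy's DDNS name, and once under an internal CA, and a client-side verification shows which chains are accepted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for host with parent (nil = self-signed root). isCA adds basicConstraints CA:TRUE and keyCertSign.
func issue(host string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // CA:TRUE plus keyCertSign is what lets a cert sign other certs
	}
	if parent == nil {
		parent, pkey = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// clientAccepts is the browser's check: does site <- signer <- some root in trust verify for host?
func clientAccepts(site, signer *x509.Certificate, trust *x509.CertPool, host string) error {
	inter := x509.NewCertPool()
	inter.AddCert(signer)
	_, err := site.Verify(x509.VerifyOptions{DNSName: host, Roots: trust, Intermediates: inter})
	return err
}

// Scenario returns the client's verdict on a bumped connection to www.example.com when the per-site cert is signed by
// (1) a public-CA-issued CA:FALSE server cert, (2) an internal CA the client does not have, (3) that CA after rollout.
func Scenario() (viaLeaf, viaCAUntrusted, viaCATrusted error) {
	publicRoot, publicKey := issue("public-ca.example", true, nil, nil) // constructed stand-in for a public root
	trust := x509.NewCertPool()
	trust.AddCert(publicRoot)
	proxyLeaf, proxyKey := issue("proxy.example.duckdns.org", false, publicRoot, publicKey) // CA:FALSE, like a Let's Encrypt cert
	site, _ := issue("www.example.com", false, proxyLeaf, proxyKey)                            // minted on the fly by the proxy
	viaLeaf = clientAccepts(site, proxyLeaf, trust, "www.example.com")
	internalCA, internalKey := issue("proxy-ca.internal", true, nil, nil) // the self-signed CA the docs ask for
	site, _ = issue("www.example.com", false, internalCA, internalKey)
	viaCAUntrusted = clientAccepts(site, internalCA, trust, "www.example.com")
	trust.AddCert(internalCA) // the GPO / MDM rollout step
	viaCATrusted = clientAccepts(site, internalCA, trust, "www.example.com")
	return
}

func main() { fmt.Println(Scenario()) }
```

The first verdict is the Let's Encrypt setup from the question, the second is why the documentation says to import the self-signed CA, and the third is the GPO rollout suggested above.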
