OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: JDA on September 09, 2023, 11:49:51 pm

Title: Transparent Proxy with SSL SNI only inspection and whitelist feature
Post by: JDA on September 09, 2023, 11:49:51 pm
I'm currently trying to set up my Squid as a proxy to restrict internet access to certain servers. As I don't want to update all the clients, I'm trying a transparent proxy with "Log SNI information only".
This works fine as long as I have the client in "Unrestricted IP addresses". The access log shows both a CONNECT to the IP and the actual server name. But as soon as I want to use the whitelist feature, it doesn't work -> I assume the ACL is evaluated too early in the bump/peek process (at_step acl option?).

Am I correct or is it just a layer 8 error?
Does anyone have a working example of how to allow some https URLs with a transparent proxy without modifying the clients?
Title: Re: Transparent Proxy with SSL SNI only inspection and whitelist feature
Post by: JDA on September 10, 2023, 08:48:36 pm
I tried a few variants, but my current solution right now is:
Code:
# bump_step1 is assumed to be defined elsewhere in the config as: acl bump_step1 at_step SslBump1
http_access allow bump_step1
acl whiteListSSL ssl::server_name login.microsoftonline.com
http_access allow whiteListSSL
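A fuller squid.conf fragment for the pattern described in this thread (allow the intercepted CONNECT through step 1, match the SNI at step 2, splice only the listed names), added here as an illustration; it is not JDA's config nor OPNsense's generated one, and the ACL names plus the assumption that bump_step1/bump_step2 are at_step ACLs are mine:

```conf
# Added example, not from the thread. Assumes the intercept port,
# certificate options and any OPNsense-generated rules already exist;
# these lines would have to be merged into that config in the right order.

# SslBump step ACLs. At step 1 Squid only knows the destination IP of
# the intercepted connection; at step 2 it has read the TLS ClientHello,
# so the SNI is available.
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2

# Allowed server names, matched against the SNI (ssl::server_name).
# A leading dot also matches subdomains, as with other domain ACLs.
acl whiteListSSL ssl::server_name login.microsoftonline.com
acl whiteListSSL ssl::server_name .office.com

# http_access is evaluated against the fake CONNECT at every bump step.
# At step 1 the SNI is not known yet, so the request has to be let
# through to reach the peek; otherwise the whitelist never gets a
# chance to match (this is the "evaluated too early" effect).
http_access allow bump_step1
# At step 2 the SNI is known: allow listed names, deny the rest.
http_access allow bump_step2 whiteListSSL
http_access deny all

# Peek at step 1 to read the SNI without decrypting anything, then
# splice (pass through untouched) only the allowed names and close
# everything else. Without a CA certificate Squid cannot present an
# error page, so blocked clients just see the connection closed.
ssl_bump peek bump_step1
ssl_bump splice whiteListSSL
ssl_bump terminate all
```

Check the resulting config with `squid -k parse` before reloading, and confirm in access.log that the step 2 CONNECT line carries the server name rather than the IP.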