OPNsense Forum

English Forums => General Discussion => Topic started by: hunter86_bg on September 13, 2020, 09:17:42 AM

Title: Cannot setup https proxy
Post by: hunter86_bg on September 13, 2020, 09:17:42 AM
Hello All,

I'm trying to set up a proxy in non-transparent mode (without the firewall rules), but it seems that OPNsense is not listening on port 3129 on the LAN interface:

root@firewall1:~ # netstat -aL | grep 3128
tcp4  0/0/128                          firewall1.3128         
tcp6  0/0/128                          localhost.3128         
tcp4  0/0/128                          localhost.3128         
root@firewall1:~ # netstat -aL | grep 3129
tcp6  0/0/128                          localhost.3129         
tcp4  0/0/128                          localhost.3129


Any ideas how to force the SSL proxy to listen on firewall1.3129?
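An added check that is not part of the thread: it parses the FreeBSD `netstat -aL` lines quoted in the post above (the only assumptions are that column layout and the host.port notation) and reports, per proxy port, whether any socket is bound to something other than loopback, which is exactly why 3129 is unreachable from the LAN here while 3128 is.

```python
"""Check which listening sockets from FreeBSD `netstat -aL` are reachable
from the LAN rather than bound only to loopback."""
import re
from dataclasses import dataclass

# Listener lines as pasted in the post above (FreeBSD `netstat -aL` format:
# proto, qlen/incqlen/maxqlen, local address written as host.port).
NETSTAT_OUTPUT = """\
tcp4  0/0/128                          firewall1.3128
tcp6  0/0/128                          localhost.3128
tcp4  0/0/128                          localhost.3128
tcp6  0/0/128                          localhost.3129
tcp4  0/0/128                          localhost.3129
"""

LINE_RE = re.compile(r"^(tcp4|tcp6|udp4|udp6)\s+(\d+)/(\d+)/(\d+)\s+(\S+)$")

@dataclass(frozen=True)
class Listener:
    proto: str
    host: str   # "localhost", an interface hostname/IP, or "*" for all addresses
    port: str
    backlog: int

def parse_listeners(text: str):
    """Parse `netstat -aL` lines; the last '.' separates host from port."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header lines or unrelated output
        proto, _qlen, _incq, maxq, local = m.groups()
        host, _, port = local.rpartition(".")
        listeners.append(Listener(proto, host, port, int(maxq)))
    return listeners

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def lan_reachable_ports(listeners, expected_ports):
    """Map each expected proxy port to True when at least one socket is bound
    to a non-loopback address (a LAN hostname/IP or the '*' wildcard)."""
    return {
        port: any(l.port == port and l.host not in LOOPBACK for l in listeners)
        for port in expected_ports
    }

if __name__ == "__main__":
    ls = parse_listeners(NETSTAT_OUTPUT)
    for port, ok in lan_reachable_ports(ls, ["3128", "3129"]).items():
        print(f"port {port}: {'LAN-reachable' if ok else 'loopback only'}")
```

Run against live output with `netstat -aL | python3 check.py` style plumbing, or paste the lines into NETSTAT_OUTPUT as done here; a port that reports "loopback only" cannot be used by LAN clients as an explicit proxy endpoint.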
Title: Re: Cannot setup https proxy
Post by: hunter86_bg on September 13, 2020, 11:44:49 AM
I guess my previous post was not very clear about what I'm trying to set up, and this makes the situation worse.
I have some IoT devices that do not support a proxy, and if I use a redirect for all, it will cause them to stop working.
Also, I don't want to play with the proxy too much (access/deny), and it would be simpler if some systems used the proxy while others relied on the firewall rules.

Instead, I want to create a proxy (HTTP, HTTPS & FTP) for systems that are explicitly configured to use it (like VMs, specific laptops, etc.).

The initial idea was to configure the proxy as per the transparent proxy guide, but omit the firewall rules.

Yet, if I disable 'Enable Transparent HTTP proxy', everything dies (nothing listens on 3128 or 3129). So I left it running, and still I cannot reach some sites like Google.

I've added a rule to redirect any traffic to the firewall's port 3129 to be forwarded to 'localhost:3129', and it seems that I can reach the proxy, only to see that it is not processing my request.

Some output:
[root@system1 ~]# echo $http_proxy
http://192.168.1.1:3128
[root@system1 ~]# echo $https_proxy
https://192.168.1.1:3129
[root@system1 ~]# echo $no_proxy
192.168.1.1,.localdomain
[root@system1 ~]# curl -vvv https://google.bg
* About to connect() to proxy 192.168.1.1 port 3129 (#0)
*   Trying 192.168.1.1...
* Connected to 192.168.1.1 (192.168.1.1) port 3129 (#0)
* Establish HTTP proxy tunnel to google.bg:443
> CONNECT google.bg:443 HTTP/1.1
> Host: google.bg:443
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
* Proxy CONNECT aborted
* Connection #0 to host 192.168.1.1 left intact
curl: (56) Proxy CONNECT aborted
[root@system1 ~]# ncat -z -v 192.168.1.1 3129
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.1.1:3129.
Ncat: 0 bytes sent, 0 bytes received in 0.01 seconds.



Any hints appreciated.
Title: Re: Cannot setup https proxy
Post by: hunter86_bg on September 13, 2020, 09:00:28 PM
I guess the whole idea had a flaw.
So far, here is what is working for me:
1. LAN clients are not allowed outside (default deny rule to block and no allow rule for LAN clients)
2. Set up the transparent proxy as per the documentation
3. In the forwarding rules, I have defined the source to be an alias, so it won't affect all clients in the network
4. The CA is imported on the test system (ChromeOS), but no proxy settings are defined
5. Accessing SSL/TLS-enabled sites shows that the website cert is signed by the CA from step 4