OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: bpill on November 27, 2025, 08:59:49 AM

Title: Squid Proxy | Allow only specific domains - block all others
Post by: bpill on November 27, 2025, 08:59:49 AM
Hello there!

I am trying to configure the Squid web proxy to achieve the following goals:
- Transparent proxy (gateway on the clients is set to the OPNsense IP)
- Block everything by default (HTTPS/HTTP)
- Allow specific domains only (HTTPS/HTTP)

I managed to configure the system:
- "Enable Transparent HTTP proxy" -> true
- "Enable SSL inspection" -> true
- "Log SNI Information only" -> true
- "CA to use" -> created and imported on the clients
- "SSL no bump sites" currently empty
- NAT Rules to the proxy are created
- ACL: "Whitelist" contains only "nuget.org"
- ACL: "Blacklist" contains ".*" to block everything


The problem:
If I open https://nuget.org I get the message:
"The following error was encountered while trying to retrieve the URL: https://172.183.192.203/* Access Denied."
I do not understand why it would ?redirect? to the IP instead of the hostname?
If I remove the ".*" from the blacklist it works.

What am I doing wrong? Is there another, better way?

Thanks!
Benjamin
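For readers who want to see what an allow-only policy looks like at the Squid level, here is an added example of the underlying squid.conf directives. It is not from the thread and not the configuration OPNsense generates (the GUI writes its own squid.conf from the ACL pages); the client network, listener ports and CA path are placeholders. It also shows the mechanism behind the error quoted in the post: on an intercepted HTTPS connection the first http_access check runs against a fake CONNECT whose destination is only the server IP, before Squid has read the SNI, so a catch-all regex in a deny ACL matches at that point and the denial is reported against the IP URL. With plain dstdomain ACLs, the allow rules placed before a final deny all, and the peek step let through, no catch-all blacklist is needed.

```conf
# Added example (not OPNsense-generated): allow-only Squid policy for a
# transparent proxy that peeks at the SNI and never decrypts traffic.
# Placeholders: 192.0.2.0/24 (client LAN), ports 3128/3129, /path/to/ca.pem.

# Clients that may use the proxy at all
acl localnet src 192.0.2.0/24

# Allowed destinations. A leading dot matches the domain and every subdomain.
# "-n" disables DNS lookups, so a connection to a bare IP address is not
# matched through reverse DNS; it is judged on the literal IP and denied below.
# Add further domains one per line; a regex ACL is not needed here.
acl allowed_sites dstdomain -n .nuget.org

acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# SslBump step 1: the intercepted connection is a fake CONNECT to the server IP,
# so the destination host name is not known yet.
acl step1 at_step SslBump1

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Let the fake CONNECT pass at step 1 so Squid can read the TLS ClientHello.
# http_access is evaluated again after the SNI is known, so this does not
# by itself admit any destination.
http_access allow localnet CONNECT step1

# First match wins: allowed domains first, then deny everything else.
http_access allow localnet allowed_sites
http_access deny all

# Transparent (intercept) listeners
http_port 3128 intercept
https_port 3129 intercept ssl-bump tls-cert=/path/to/ca.pem

# Read the SNI, pass allowed sites through untouched (no decryption),
# and close every other TLS connection.
ssl_bump peek step1
ssl_bump splice allowed_sites
ssl_bump terminate all
```

The key ordering point is that both the allow line for the peek step and the allow line for the listed domains precede the single `http_access deny all`; a deny rule that matches everything, placed where it can be evaluated before the SNI is available, blocks the allowed domains too.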
Title: Re: Squid Proxy | Allow only specific domains - block all others
Post by: bpill on December 11, 2025, 08:34:12 AM
No one? :)
Title: Re: Squid Proxy | Allow only specific domains - block all others
Post by: Monviech (Cedrik) on December 11, 2025, 09:08:40 AM
You can do the same in a way simpler and more lightweight way with dnsmasq as an alternative:

https://docs.opnsense.org/manual/dnsmasq.html#firewall-alias-ipset
Title: Re: Squid Proxy | Allow only specific domains - block all others
Post by: bpill on December 11, 2025, 11:23:03 AM
Thanks @Monviech

This would still allow connections to IP addresses, I guess?
Title: Re: Squid Proxy | Allow only specific domains - block all others
Post by: Monviech (Cedrik) on December 11, 2025, 12:58:03 PM
It depends on the firewall rules you create for the alias.
Title: Re: Squid Proxy | Allow only specific domains - block all others
Post by: bpill on December 11, 2025, 01:53:17 PM
OK. Just to be clear: what we want to achieve is not possible using the web proxy feature?
Title: Re: Squid Proxy | Allow only specific domains - block all others
Post by: Monviech (Cedrik) on December 11, 2025, 02:27:32 PM
What you want is most likely possible with a web proxy, but at a much higher performance and complexity cost.

The simplest would be a DNS filter (Unbound) or a Firewall Rule based filter (Dnsmasq).

Just giving alternatives, I am not a pro at squid so I cannot help with it much.
Title: Re: Squid Proxy | Allow only specific domains - block all others
Post by: bpill on December 11, 2025, 04:21:45 PM
I appreciate your advice :)
Title: Re: Squid Proxy | Allow only specific domains - block all others
Post by: PeterVanDresden on February 24, 2026, 05:36:37 PM
Hi Cedrik,
I very much agree that a proxy leads to higher performance and complexity cost. Plus unnecessary SSL inspection and a self-signed cert, even when it is not really necessary due to no-bump.
Or, if the proxy is used without transparent mode, one needs to install proxies on all clients, which is not so desirable.
So, I tried the Unbound service. Sounds good: the Unbound service now has wildcards and regex in its Whitelist.
But I can't get this whitelist to work. In the forums I see others cannot either.
Dnsmasq I did not try yet. It is not desirable to get problems if one day I would need a whitelist plus some kind of blacklist together.
So, seeing the disadvantages of the other solutions, for me it seems the old solution with regex expressions (similar to pfSense up to now) was not so bad.
The stated reason for disposing of regex expressions ("Can no longer use regex in firewall") was "users are not familiar with regex". But for most cases a good list of examples would do.
For me, the whitelist use case is an important one for OPNsense. It mostly requires that Windows Update be allowed/whitelisted.
But as there is no way to get Windows Update to work without wildcards, OPNsense really needs a good solution for this important use case.
It would generally make a better picture for new customers, newbies like me.
Can somebody show a good solution that really works without problems? Or would it be better to return to regex wildcards, maybe as an after-final patch for 25.7.11?
If 26 brings a good solution, that is OK too.