Hello there!
I am trying to configure the Squid web proxy to achieve the following goals:
- Transparent proxy (gateway on the clients is set to the OPNsense IP)
- Block everything by default (HTTPS/HTTP)
- Allow specific domains only (HTTPS/HTTP)
I managed to configure the system as follows:
- "Enable Transparent HTTP proxy" -> true
- "Enable SSL inspection" -> true
- "Log SNI Information only" -> true
- "CA to use" -> created and imported on the clients
- "SSL no bump sites" currently empty
- NAT Rules to the proxy are created
- ACL: "Whitelist" contains only "nuget.org"
- ACL: "Blacklist" contains ".*" to block everything
The problem:
If I open https://nuget.org I get the message:
"The following error was encountered while trying to retrieve the URL: https://172.183.192.203/* Access Denied."
I do not understand why it would "redirect" to the IP instead of the hostname?
If I remove the ".*" from the blacklist it works.
What am I doing wrong? Is there another, better way?
Thanks!
Benjamin
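For reference, an added hand-written squid.conf fragment expressing the same allow/deny structure in Squid's own directives (this is not Benjamin's OPNsense configuration, and not what the OPNsense GUI generates from the settings above); the port numbers, CA path and certgen helper path are assumptions. The comments note why a blanket deny rule fires against the destination IP before the SNI is known.

```conf
# Added example, not the OPNsense-generated config. Assumes Squid 4+ built
# with OpenSSL; paths below are placeholders for this illustration.
http_port  3128 intercept
https_port 3129 intercept ssl-bump \
    tls-cert=/usr/local/etc/squid/ca.pem \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
# Helper that mints per-host certificates (needed for error pages on
# denied HTTPS connections); the path varies by platform.
sslcrtd_program /usr/local/libexec/squid/security_file_certgen \
    -s /var/squid/ssl_db -M 4MB

# SslBump step markers. At step 1 Squid has only the TCP destination, so
# the fake CONNECT it evaluates reads "CONNECT 172.183.192.203:443". A
# hostname allowlist cannot match that yet, while a catch-all deny such
# as ".*" does, which is why the error page names the IP, not nuget.org.
acl step1 at_step SslBump1
acl step2 at_step SslBump2

# Allowlist by hostname: dstdomain for plain HTTP and for the SNI-based
# fake CONNECT re-evaluated at step 2; ssl::server_name for the SNI itself.
acl allow_http dstdomain .nuget.org
acl allow_sni  ssl::server_name .nuget.org

# Let the step-1 CONNECT through so Squid can peek at the ClientHello,
# then decide on the real hostname. Everything else is denied by default,
# so no separate ".*" blacklist is needed.
http_access allow step1
http_access allow allow_http
http_access allow allow_sni
http_access deny  all

# "Log SNI information only": peek at step 1, then splice (no decryption).
ssl_bump peek   step1
ssl_bump splice all
```

Standard localhost/manager rules are omitted for brevity; connections made directly to an IP with no SNI are still denied at step 2 because neither allow rule matches them.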
No one? :)
You can do the same way simpler and lightweight with dnsmasq as alternative:
https://docs.opnsense.org/manual/dnsmasq.html#firewall-alias-ipset
Thanks @Monviech
This would still allow connections to IP addresses, I guess?
It depends on the firewall rules you create for the alias.
OK. Just to be clear: what we want to achieve is not possible using the web proxy feature?
What you want is most likely possible with a web proxy, but at a much higher performance and complexity cost.
The simplest would be a DNS filter (Unbound) or a Firewall Rule based filter (Dnsmasq).
Just giving alternatives, I am not a pro at squid so I cannot help with it much.
I appreciate your advice :)