Update1: added URL Regex & destination IP
Hey folks,
I configured the Webproxy with a ParentProxy and I'm here to share my experiences with that.
The WebGui does not have an option to define a ParentProxy, so we need to dig deeper:
First of all, there are two directories:
/usr/local/etc/squid/pre-auth
/usr/local/etc/squid/post-auth
Here I'm using the pre-auth folder. In that folder you need to create a file with a .conf extension. Without that extension the proxy won't use the config.
I created a file named ParentProxy.conf; everything in quotes needs to be set properly and without the quotes:
# cache_peer: here we set the ParentProxy as URL or IP
cache_peer "ExamplePeer" parent 8080 0 no-query default
# ACL for destination domains that should use our ParentProxy
# the leading dot before the domain means that every subdomain will also be sent to the ParentProxy
acl "NameOfACLdomain" dstdomain .com .org .local host1.any.domain
# ACL IP list
acl "NameOfACLIP" dst 10.193.100.5
# ACL url_regex
acl "NameOfACLregex" url_regex server1 http://server2.dings
# Now we define the access; change "ExamplePeer" to whatever you named your ParentProxy cache_peer
# the first lines say: every request matching the defined ACLs is going to the ParentProxy
# the following lines: everything else (not listed in an ACL) will not go to the ParentProxy
cache_peer_access "ExamplePeer" allow "NameOfACLdomain"
cache_peer_access "ExamplePeer" allow "NameOfACLIP"
cache_peer_access "ExamplePeer" allow "NameOfACLregex"
cache_peer_access "ExamplePeer" deny !"NameOfACLdomain"
cache_peer_access "ExamplePeer" deny !"NameOfACLIP"
cache_peer_access "ExamplePeer" deny !"NameOfACLregex"
# I'm not sure if that is really needed:
# Here you can define which domains should not go to the ParentProxy (I chose our internal domain)
# cache_peer_domain takes the peer name as its first argument
cache_peer_domain "ExamplePeer" !.internal.domain
# we need to use the never_direct allow directive so these requests are forced through the peer:
never_direct allow "NameOfACLdomain"
never_direct allow "NameOfACLIP"
never_direct allow "NameOfACLregex"
Maybe that helps with configuring a ParentProxy.
AC
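As an added example (not from the post above), here is a small Python model of squid's first-match access-list evaluation run over the config above, with the quoted placeholders filled in with constructed values. It shows that the three `deny !...` lines together act as a catch-all deny, that the leading-dot domains pull in every subdomain, and that the never_direct and cache_peer_access lists agree, so nothing is forced to a peer it is not allowed to use. The host/IP pairs in the test are constructed; squid normally derives them from the request itself.

```python
import ipaddress
import re

# Constructed model of ParentProxy.conf with example values in place of the
# placeholders. Squid evaluates access lists top to bottom: the first matching
# line decides, and if nothing matches the result is the opposite of the last line.
ACLS = {
    "pp_domains": ("dstdomain", [".com", ".org", ".local", "host1.any.domain"]),
    "pp_ips": ("dst", ["10.193.100.5"]),
    "pp_regex": ("url_regex", [r"server1", r"http://server2\.dings"]),
}
CACHE_PEER_ACCESS = [
    ("allow", "pp_domains"), ("allow", "pp_ips"), ("allow", "pp_regex"),
    ("deny", "!pp_domains"), ("deny", "!pp_ips"), ("deny", "!pp_regex"),
]
NEVER_DIRECT = [("allow", "pp_domains"), ("allow", "pp_ips"), ("allow", "pp_regex")]


def acl_matches(name, url, host, dst_ip):
    """Does ACL `name` match a request for `url` (hostname `host`, resolved `dst_ip`)?"""
    kind, values = ACLS[name]
    host = host.lower()
    if kind == "dstdomain":
        # A leading dot matches the domain itself and every subdomain of it;
        # a bare hostname matches exactly.
        return any((host == v[1:] or host.endswith(v)) if v.startswith(".") else host == v
                   for v in values)
    if kind == "dst":
        return any(ipaddress.ip_address(dst_ip) in ipaddress.ip_network(v) for v in values)
    if kind == "url_regex":
        return any(re.search(v, url) for v in values)
    raise ValueError(f"unsupported ACL type {kind}")


def evaluate(rules, url, host, dst_ip):
    """True for 'allow', False for 'deny' under squid's first-match semantics."""
    for action, ref in rules:
        negate = ref.startswith("!")
        if acl_matches(ref.lstrip("!"), url, host, dst_ip) != negate:
            return action == "allow"
    return rules[-1][0] != "allow"  # no line matched: opposite of the last action


def route(url, host, dst_ip):
    """Where the request ends up: 'parent', 'direct', 'either' or 'unroutable'."""
    peer_ok = evaluate(CACHE_PEER_ACCESS, url, host, dst_ip)
    forced = evaluate(NEVER_DIRECT, url, host, dst_ip)
    if forced:  # never_direct allow: squid must use a peer
        return "parent" if peer_ok else "unroutable"
    return "either" if peer_ok else "direct"  # not forced: squid may still pick the peer
```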
Hi AC,
Thank you for this. I've made it sticky in this forum. There was a question about this once or twice. If enough people want this, we can talk about integrating it into the GUI in a reasonable way. :)
Cheers,
Franco
@franco - I may need that some day to route *.onion to the Tor plugin however this is very low priority.
Hey franco,
that's why I wrote it down here in simple terms. I read the other threads about that and the instructions weren't that clear. ;)
Hi all,
Quote from: franco on January 04, 2018, 09:55:32 PM
... If enough people want this...
want it ;)
cheers till
And so the next step is.... a GitHub ticket :)
Cheers,
Franco
I made a ticket - my first GitHub ticket ever - hope that's correct that way.
https://github.com/opnsense/core/issues/2068
Looks good, thank you. I've tagged it "help wanted" for now, let's see if anyone takes the bait. :)
Cheers,
Franco
I don't see a reason for putting it in pre-auth. Shouldn't it be after authentication?
@mimugmail
No, the network options always come first.
I always check that after parsing on OPNsense this sequence remains: yes, ancient :)
http://www.squid-cache.org/mail-archive/squid-users/200203/att-0514/squid.conf
In the FAQ, there is little information but this is probably important here:
Quote: Only ONE proxy cache in a chain is allowed to "use" the proxy authentication...
https://wiki.squid-cache.org/SquidFaq/SquidAcl#Proxy-authentication_and_neighbor_caches
Here are some old links:
https://forum.opnsense.org/index.php?topic=3345.0
https://forum.opnsense.org/index.php?topic=3833.0
cheers till
I did some templating which generates this, but it doesn't seem to work (does not use the parent).
Any idea why?
root@OPNsense:~/core # cat /usr/local/etc/squid/pre-auth/parentproxy.conf
cache_peer 10.24.66.3 parent 8080 0 no-query default
acl ExcludePPDomains dstdomain test.de bla.de
acl ExcludePPIPs dst 1.1.1.1 2.2.2.2
cache_peer_access 10.24.66.3 deny ExcludePPDomains
cache_peer_access 10.24.66.3 deny ExcludePPIPs
cache_peer_access 10.24.66.3 allow all
never_direct allow ExcludePPDomains
never_direct allow ExcludePPIPs
never_direct deny all
OK, fixed it, now it's open for review.
Bad news: this topic is no longer sticky.
Good news: parent proxy feature is available in OPNsense since 19.1.
:)