OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: manjeet on November 05, 2018, 06:50:44 am

Title: Transparent Proxy With No SSL or WPAD
Post by: manjeet on November 05, 2018, 06:50:44 am
Hey Guys, I have OPNsense configured as gateway in my 50-user network. I want to use the cache server only and only for Linux and Windows updates, no web filter (HTTP or HTTPS). Is there any way I can do it without SSL inspection in transparent mode? I do not want to break the authenticity of packets due to SSL MITM.

Many users take laptops home, so I cannot configure the proxy explicitly. I am not able to set up WPAD, so if anyone has a very straightforward settings guide for WPAD, I will be grateful. I have one internal network (LAN) and one OpenVPN setup for 10 users.

Also I have OPNsense configured on different ports for login of HTTPS and SSH.
Title: Re: Transparent Proxy With No SSL or WPAD
Post by: mimugmail on November 05, 2018, 07:47:01 am
Fabian wrote a howto.
Please read from start to end before you start configuring, then you'll understand the logic behind it:

https://github.com/opnsense/docs/blob/master/source/manual/how-tos/pac.rst
Title: Re: Transparent Proxy With No SSL or WPAD
Post by: manjeet on November 05, 2018, 10:10:42 am
I have already followed this tutorial. I don't know what I am doing wrong, but it doesn't work for me. I have created the rules as per the steps in the guide. Enabled all options one by one for auto discovery and even enabled all 4 of them, but nothing works.

Are these rules default for any basic network or just the reference? My OPNsense is my DHCP and secondary DNS. I checked it by using a single DNS, i.e. OPNsense as primary DNS. Nothing works.
Title: Re: Transparent Proxy With No SSL or WPAD
Post by: mimugmail on November 05, 2018, 10:59:19 am
And your clients are actively searching for wpad.yourdomain.com?
Title: Re: Transparent Proxy With No SSL or WPAD
Post by: manjeet on November 17, 2018, 11:25:16 am
Yes, they are. I mean I have enabled "Auto detect proxy" in the web browser. Do I need to add it somewhere else in the OS?
Title: Re: Transparent Proxy With No SSL or WPAD
Post by: mimugmail on November 17, 2018, 11:34:14 am
Can you do a tcpdump on your LAN and check if WPAD works in general? (DNS resolution, querying the webserver for the PAC, etc.)
Title: Re: Transparent Proxy With No SSL or WPAD
Post by: hbc on November 30, 2018, 05:18:20 pm
Hi,

Quote: Also I have OPNsense configured on different ports for login of HTTPS and SSH

WPAD via DNS expects the wpad.dat to be found via HTTP, meaning on port 80 (see the note on: https://docs.microsoft.com/en-us/previous-versions/tn-archive/ee658143(v=technet.10)). If you disabled the OPNsense login on port 80 or configured a different port, the builtin webserver will not listen on port 80 any more and thus the wpad.dat cannot be delivered.

You can either use DHCP option 252 (Enable Web Proxy Auto Discovery in DHCP options), which will create an additional DHCP entry with a URL that points to your configured port, or set up a local webserver on port 80 (that is what I did).

The webserver on port 80 is the better solution, since not all clients use dhcp option 252.

I used this tutorial https://wiki.opnsense.org/manual/how-tos/nginx_hosting.html to set up nginx on port 80 and made a symbolic link to /usr/local/www/wpad.dat.

Thus you can use the GUI frontend to edit the wpad.dat file, the file is accessible via port 80 to clients, and the login page can be restricted to the admin IP.

IMHO a perfect solution  :)
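As an added example (not from this thread and not the wpad.dat OPNsense generates), this is what the PAC file that mimugmail and hbc refer to, served at http://wpad.&lt;domain&gt;/wpad.dat on port 80, could contain for the original question: only plain-HTTP update traffic goes to the cache, everything else stays DIRECT. The proxy address 192.0.2.1:3128, the local domain example.lan and the update host patterns are assumptions to adjust.

```javascript
// Example wpad.dat / PAC for "cache only OS updates, no SSL inspection".
// Added illustration, not OPNsense's generated file.
// Assumptions: proxy at 192.0.2.1:3128 (placeholder), local DNS domain
// "example.lan", and the update domains below are examples; adjust them to
// the mirrors your clients actually use.

// Node.js has no PAC helper functions, so minimal shims are installed when
// the file is evaluated outside a browser. Browsers supply their own.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) { return host.indexOf(".") === -1; };
}
if (typeof dnsDomainIs === "undefined") {
  // Standard PAC semantics: true when host ends with domain.
  globalThis.dnsDomainIs = function (host, domain) {
    return host.toLowerCase().endsWith(domain.toLowerCase());
  };
}
if (typeof shExpMatch === "undefined") {
  // Shell-style glob match: '*' matches anything, '?' a single character.
  globalThis.shExpMatch = function (str, shexp) {
    var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
      .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
    return new RegExp(re, "i").test(str);
  };
}

var PROXY = "PROXY 192.0.2.1:3128"; // placeholder for the OPNsense proxy

// Domains whose HTTP downloads should be cached (example patterns, with a
// leading dot so that only subdomains match). Note: apt/yum/dnf do not read
// PAC files; Linux clients need the proxy in their package manager config.
var UPDATE_DOMAINS = [
  ".windowsupdate.com", ".update.microsoft.com", ".delivery.mp.microsoft.com",
  ".ubuntu.com", ".debian.org"
];

function FindProxyForURL(url, host) {
  // Never proxy plain hostnames or the local domain.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.lan")) return "DIRECT";
  // HTTPS bypasses the proxy: without SSL inspection the cache cannot store
  // it anyway, and the original poster explicitly does not want a MITM.
  if (shExpMatch(url, "https:*")) return "DIRECT";
  for (var i = 0; i < UPDATE_DOMAINS.length; i++) {
    // "; DIRECT" lets clients fall back if the proxy is unreachable.
    if (dnsDomainIs(host, UPDATE_DOMAINS[i])) return PROXY + "; DIRECT";
  }
  return "DIRECT";
}
```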