OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: isoellias on June 26, 2019, 07:56:01 pm

Title: Filtering without ssl inspection?
Post by: isoellias on June 26, 2019, 07:56:01 pm
Hello,
I need some tips to solve a problem.

I want to exit pfSense and go to OPNsense
But I have the following difficulty:

I want to configure the proxy with external content filter, so far so good!
I would like OPNsense to perform the inspection of the HTTP cache filter, however, only execute the HTTPS filter (without cache and inspection) in transparent mode.

pfSense does it! Is it possible in OPNsense?

Thankful!
Title: Re: Filtering without ssl inspection?
Post by: ruggerio on September 03, 2019, 12:37:26 pm
hi,

I am not 100% sure if I understood you. You want HTTP inspected, but HTTPS only filtered based on e.g. URLs/headers?

For filtering, see manual here: https://docs.opnsense.org/manual/how-tos/proxywebfilter.html

If you don't want the proxy to ssl intercept all traffic, but filter based on url, check also https://docs.opnsense.org/manual/how-tos/cachingproxy.html

When enabling SSL, also enable SNI verification. In that case, squid would filter the URLs also in HTTPS. But squid would not "read" the encrypted traffic.
Title: Re: Filtering without ssl inspection?
Post by: isoellias on September 27, 2019, 04:03:19 pm
Hello Friend,
Sorry if my English is not clear.
That's right, but in transparent mode.
See my scenario:

In my case, the gateway is the network "firewall/proxy" itself, so I use transparent mode.

1st CASE:
I have several types of devices on the internal network: PCs, Macs, smartphones. And within each of these, applications that do not support redirecting to the proxy. So transparent mode is the output.

2nd CASE:
When I enable transparent mode, I have another problem, if I have ssl inspection, I must install certificate on every device on the network (HORRIBLE).

So,
HTTP -> caching, antivirus, etc ... Works well over transparent mode;
HTTPS -> so that there is no certificate installation, use SNI;

Server Name Indication (SNI)
Would SNI work for this scenario?
(Traffic https (filtered over header) on transparent mode and without having to install certificate on client)?

The references you submitted above do not tell you where to live SNI.

Thank you.
Title: Re: Filtering without ssl inspection?
Post by: axiom9 on January 09, 2020, 06:41:30 pm
Hello,

I have been looking for this option too in OPNsense! That is the only reason why I stay with pfSense. All I have to do in pfSense to get this working is to select Splice All in SSL/MITM Mode in the squid configuration. With that option, filtering of SSL sites will not require installing a cert on all clients on the network.

I wish this was implemented in OPNsense. I know, OPNsense does not use squidGuard and doesn't work exactly the same way for filtering URLs. I just wish I could do the same thing.
Title: Re: Filtering without ssl inspection?
Post by: fabian on January 10, 2020, 06:39:03 am
You can, though the option has a silly name; it is also on the TLS page. As far as I can remember it is called 'Log SNI information only'.
Title: Re: Filtering without ssl inspection?
Post by: hbc on January 14, 2020, 10:28:37 am
Quote from: axiom9: I wish this was implemented in OPNsense. I know, OPNsense does not use squidGuard and doesn't work exactly the same way for filtering URLs. I just wish I could do the same thing.

Like fabian already mentioned, turn on "Log SNI information only" and configure your dynamic blacklists under remote blacklists. Then your blacklists are automatically updated and checked against the hostname when an SNI header is present.

There will be two log entries per DENY because of transparent interception:

TCP_DENIED/403 3798 CONNECT blacklisted-host.org
NONE/000 0 NONE error:transaction-end-before-headers
Title: Re: Filtering without ssl inspection?
Post by: ArminF on February 10, 2020, 11:16:02 am
Happy I found this thread.

Had to route 3129 via NAT and FW Rule
Had to create a local CA

Used options:
Enable Transparent HTTP proxy
Enable SSL inspection
Log SNI information only (No Cert installation on clients just URL scan)

Worked!!

Thank you very much
A
Title: Re: Filtering without ssl inspection?
Post by: riq on May 11, 2020, 07:44:11 pm
Hey everyone!

I have trouble getting our transparent proxy to work. Even though I have enabled "Log SNI information only", the clients (mobile devices and various browsers) come up with certificate errors when accessing HTTPS websites. In my test setup on virtual machines it is working perfectly, but in the live environment I constantly run into this issue.

I have no idea what is going on...

Help!

Riq
Title: Re: Filtering without ssl inspection?
Post by: ArminF on May 11, 2020, 09:45:57 pm
Maybe check if you did set up a CA even when you don't use it.
Seems to be mandatory to be selected on the SSL option.

At home I switched to DNSCrypt as it provides blocklists on DNS-based answers.
Uses much less resources on the box.
Title: Re: Filtering without ssl inspection?
Post by: riq on May 11, 2020, 09:57:09 pm
Thanks for the input.

I have tried both, with and without CAs... Same result :(
Title: Re: Filtering without ssl inspection?
Post by: ArminF on May 11, 2020, 10:02:25 pm
ehm... did you reroute the ports to the localhost for SSL as well?

3129, as far as I remember. 3128 is for HTTP.

https://docs.opnsense.org/manual/how-tos/proxytransparent.html
Title: Re: Filtering without ssl inspection?
Post by: riq on May 11, 2020, 10:23:00 pm
Of course ;) I set up port forwarding for HTTP and HTTPS...

HTTP works like a charm but for some reason the SNI option doesn't for HTTPS.

I will post log files tomorrow.

Edit: came to work this morning, activated NAT port forwarding again (pure curiosity) and it worked instantly... Sometimes you should just go home, have a beer or two, go to sleep and the next day the problems are gone :D