OPNsense Forum

English Forums => General Discussion => Topic started by: nevotheless on November 20, 2019, 02:40:19 pm

Title: Update Issues behind a separate proxy.
Post by: nevotheless on November 20, 2019, 02:40:19 pm
Howdy OPNsense Community.

I don't know if this is the right place to ask such a question, but I'll just try.

Environment
We're evaluating an OPNsense firewall at the moment for a big company which has multiple locations, and each location kinda does their own thing. So far so bad.

We're inside a huge company intranet where we need to authenticate with a proxy if we want to go to the interwebs.

Issue Description
When trying to update the OPNsense system through opnsense-update, it fails with an error, which is 407 Proxy Authentication required. I know for a fact that the environment vars which the underlying libfetch respects are properly set and in place. The issue here is that libfetch doesn't handle the 407 and doesn't try to resend the CONNECT with a proper Proxy-Authentication header.

What i tried so far
I tried the usual troubleshooting to make sure it's not my fault ;D

I don't want to just change the repo URL to http, which would work, because we have other repos in place which would need https support anyway.

I also found an issue report on the FreeBSD bug tracker which seems to fit this exact issue: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220468 and it actually contains a patch, which unfortunately never got applied.

I know how to compile stuff usually, and I would've tried patching the library myself, but since it's so integrated into FreeBSD and has quite some 'internal' dependencies, I don't really know how to just test and/or build the fixed lib.

My hope was that, since OPNsense probably (hopefully) doesn't actually just use the upstream FreeBSD without changing anything there, I could either get this patch integrated into OPNsense directly, since FreeBSD doesn't seem to care (issue created 2017), or eventually get help from some knowledgeable people to build the library myself, without building the whole FreeBSD OS.

Thanks for reading this far,
and have a great day.
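
The proxy exchange the post above describes, as an added example (not code from the thread, from OPNsense or from libfetch): the client sends CONNECT, receives 407 with a Proxy-Authenticate challenge, and resends CONNECT carrying a Proxy-Authorization header. The proxy here is a constructed in-process stand-in; the host name, the credentials and the `retry_on_407` switch are assumptions for illustration, and only the Basic scheme is handled.

```python
import base64

def build_connect(host, port, creds=None):
    """Build a CONNECT request; add Proxy-Authorization when creds=(user, password)."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if creds:
        token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def parse_head(raw):
    """Split an HTTP message head into (first line, headers with lower-cased names)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    first, *rest = head.split("\r\n")
    headers = {}
    for line in rest:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return first, headers

def toy_proxy(request):
    """Constructed stand-in for an authenticating proxy: 407 unless the creds match."""
    _, headers = parse_head(request)
    want = "Basic " + base64.b64encode(b"alice:example-password").decode()
    if headers.get("proxy-authorization") == want:
        return b"HTTP/1.1 200 Connection established\r\n\r\n"
    return (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
            b'Proxy-Authenticate: Basic realm="intranet"\r\n\r\n')

def open_tunnel(host, port, creds, send=toy_proxy, retry_on_407=True):
    """Return the status codes seen while trying to open the tunnel.

    retry_on_407=False models a client that stops at the first 407,
    which is the symptom reported in the post.
    """
    first, headers = parse_head(send(build_connect(host, port)))
    statuses = [int(first.split(" ", 2)[1])]
    scheme = headers.get("proxy-authenticate", "").split(" ", 1)[0].lower()
    if statuses[0] == 407 and retry_on_407 and scheme == "basic" and creds:
        # Answer the challenge: same CONNECT, now with credentials attached.
        first, _ = parse_head(send(build_connect(host, port, creds)))
        statuses.append(int(first.split(" ", 2)[1]))
    return statuses

if __name__ == "__main__":
    good = ("alice", "example-password")  # constructed credentials
    print(open_tunnel("updates.example.org", 443, good, retry_on_407=False))
    print(open_tunnel("updates.example.org", 443, good))
```
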
Title: Re: Update Issues behind a separate proxy.
Post by: franco on November 20, 2019, 03:57:38 pm
You can either set up proxy stuff in /usr/local/etc/pkg.conf by creating it or create a local rsync mirror of --let's say-- leaseweb:

https://mirror.leaseweb.com/

And change the external URL to an internal URL (system: firmware: settings: mirror, choose "(other)") where the rsync is going. This way you can also control which version is available for update internally... with the official mirrors it's always latest.


Cheers,
Franco
Title: Re: Update Issues behind a separate proxy.
Post by: nevotheless on November 20, 2019, 04:10:49 pm
Thanks for the answer,

since it's an issue with the fetchlib, I'll probably go for the local mirror option, which sounds a bit more likely for us to handle than waiting for FreeBSD to apply the patch for the bug.

Thanks for the input anyways.
Title: Re: Update Issues behind a separate proxy.
Post by: franco on November 20, 2019, 04:16:17 pm
Ah I see, the patch was never applied. This tends to happen and we already carry a few patches that we'd rather see in FreeBSD itself. :(

Though, TBH, the rsync is more robust in a number of ways.


Cheers,
Franco
Title: Re: Update Issues behind a separate proxy.
Post by: nevotheless on November 21, 2019, 08:27:34 am
How much space would it require to mirror the OPNsense repository, for example?
Title: Re: Update Issues behind a separate proxy.
Post by: franco on November 21, 2019, 03:33:31 pm
The full mirror is currently 63G, but that includes 3 years of old versions for both 32 and 64 bit builds.


Cheers,
Franco
Title: Re: Update Issues behind a separate proxy.
Post by: nevotheless on November 22, 2019, 08:29:55 am
Thanks for the Info!