OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: samnet on August 21, 2020, 11:18:41 pm

Title: Transparent proxy with SSL
Post by: samnet on August 21, 2020, 11:18:41 pm
Dear All
I know this has been asked before but no one actually compared the transparent SSL mode that PFSense has where there is no need to add the CA in every client and can do transparent SSL with no extra install on each client.
How can we achieve this transparent SSL proxy without touching CA?
Title: Re: Transparent proxy with SSL
Post by: Fright on August 22, 2020, 07:38:06 am
Hi!
Can you please give more info about "transparent SSL mode that PFSense has where there is no need to add the CA in every client"?
Title: Re: Transparent proxy with SSL
Post by: siga75 on August 22, 2020, 12:12:26 pm
hmmmm how can you do transparent SSL proxy without using a CA for which you have the private key?
Title: Re: Transparent proxy with SSL
Post by: samnet on August 24, 2020, 10:59:00 pm
Quote
Hi!
Can you please give more info about "transparent SSL mode that PFSense has where there is no need to add the CA in every client"?

Of course, there is the splice option, which I can't find in opnsense.
Title: Re: Transparent proxy with SSL
Post by: samnet on August 24, 2020, 10:59:53 pm
Quote
hmmmm how can you do transparent SSL proxy without using a CA for which you have the private key?

forget this method, I just want to control url access even via https
Title: Re: Transparent proxy with SSL
Post by: Fright on August 25, 2020, 06:32:13 am
Quote
Of course, there is the splice option, which I can't find in opnsense.

ssl_bump is there
/usr/local/opnsense/service/templates/OPNsense/Proxy/squid.conf:
..
# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"

# configure bump
{% if helpers.exists('OPNsense.proxy.forward.sslurlonly') and OPNsense.proxy.forward.sslurlonly == '1' %}
ssl_bump peek bump_step1 all
ssl_bump splice all
ssl_bump peek bump_step2 all
ssl_bump splice bump_step3 all
ssl_bump bump

{% else %}
ssl_bump peek bump_step1 all
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump stare bump_step2
ssl_bump bump bump_step3
{% endif %}
..

OPNsense.proxy.forward.sslurlonly is the "Log SNI information only" flag in the Forward Proxy GUI
Title: Re: Transparent proxy with SSL
Post by: Fright on August 25, 2020, 08:15:33 am
Quote
forget this method, I just want to control url access even via https

and no. you cannot view requested url (if you mean exactly full url) without mitm. only tcp info, tls hello and sni info (if any).
Title: Re: Transparent proxy with SSL
Post by: samnet on September 15, 2020, 10:54:49 pm
Quote
Quote
forget this method, I just want to control url access even via https
and no. you cannot view requested url (if you mean exactly full url) without mitm. only tcp info, tls hello and sni info (if any).

I'm still not getting this right, do you mean it's impossible to see full URLs without MITM?
is this a no go area at all?
I recall splice option in pfsense which used to slightly control https to some extent, is there a splice option in opnsense?
Title: Re: Transparent proxy with SSL
Post by: Fright on September 15, 2020, 11:16:21 pm
Quote
I'm still not getting this right, do you mean it's impossible to see full URLs without MITM?
no you can not view requested url (if you mean exactly full url) without mitm
Quote
is there a splice option in opnsense?
yes
see template 2 posts above
1st part for "Log SNI information only" - splice
2nd - decode - bump
https://wiki.squid-cache.org/Features/SslPeekAndSplice

Title: Re: Transparent proxy with SSL
Post by: samnet on September 16, 2020, 08:17:03 am
thanks for clarification.
can you pls suggest any way for controlling URL access in a network with 100 desktops / laptops / mobiles many of them logging via Active Directory win2012

Title: Re: Transparent proxy with SSL
Post by: Fright on September 16, 2020, 08:35:36 am
it's really about company policy and client software requirements\restrictions imho
squid (transparent or via proxy settings via group policy or autoconfig) with or without kerberos auth with or without ssl-inspection (of course, if url control is needed, then ssl-inspection is required). all will work with pros and cons. it all depends on your imagination )
100 clients is not a big load. everything should work well
Title: Re: Transparent proxy with SSL
Post by: Patrick M. Hausen on September 16, 2020, 10:28:08 am
Quote
thanks for clarification.
can you pls suggest any way for controlling URL access in a network with 100 desktops / laptops / mobiles many of them logging via Active Directory win2012

Get an AD integrated Proxy product, force proxy via group policy, deny Internet access for everyone but proxy on OPNsense.
Title: Re: Transparent proxy with SSL
Post by: fabian on September 17, 2020, 06:44:18 am
Quote
Get an AD integrated Proxy product, force proxy via group policy, deny Internet access for everyone but proxy on OPNsense.

Squid can handle Windows Login if needed.