OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: SteNub on March 23, 2021, 12:00:13 pm

Title: SSL Bump Client exception
Post by: SteNub on March 23, 2021, 12:00:13 pm
Hello everybody,

I have managed to get some clients SSL-bumped and some others not.
Unfortunately I only got it to work by modifying the squid.conf at the ssl_bump part:

Code:

# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
acl bump_nobumpclients src "/usr/local/etc/squid/nobumpclients.acl"

# configure bump
ssl_bump splice bump_nobumpclients
ssl_bump peek bump_step1 all
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump stare bump_step2
ssl_bump bump bump_step3


Now I can enter single IPs or IP ranges in the nobumpclients.acl file and everything works as expected! :-)

My question is: Can this be achieved in the custom conf folders, too (pre-auth, auth, post-auth)? I tried, but it seems my entries are ignored? Maybe this small addon is worth a commit to the official repo?
Via the GUI it would be possible to create the nobumpclients entries in the corresponding file, analogous to the nobumpsites.

Any hints?

Thank You!
Stefan
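
The rule order in the post above matters because Squid applies the first matching ssl_bump rule at each step. The following is an added example, not part of the original post or of OPNsense: a simplified Python model of that evaluation, with constructed ACL contents and hypothetical helper names (`acl_matches`, `possible`, `decide`), and CIDR entries assumed in nobumpclients.acl.

```python
import ipaddress

# ssl_bump rules from the post, in order: (action, ACLs that must all match)
RULES = [
    ("splice", ["bump_nobumpclients"]),
    ("peek",   ["bump_step1", "all"]),
    ("peek",   ["bump_step2", "bump_nobumpsites"]),
    ("splice", ["bump_step3", "bump_nobumpsites"]),
    ("stare",  ["bump_step2"]),
    ("bump",   ["bump_step3"]),
]
# Constructed stand-ins for nobumpclients.acl and nobumpsites.acl
NO_BUMP_CLIENTS = ["192.168.10.0/24", "10.0.0.5"]
NO_BUMP_SITES = [".bank.example"]

def acl_matches(name, step, client, sni):
    if name == "all":
        return True
    if name.startswith("bump_step"):
        return step == int(name[-1])
    if name == "bump_nobumpclients":
        ip = ipaddress.ip_address(client)
        return any(ip in ipaddress.ip_network(n) for n in NO_BUMP_CLIENTS)
    # bump_nobumpsites: a leading dot covers the domain and its subdomains
    return any(sni == s.lstrip(".") or (s.startswith(".") and sni.endswith(s))
               for s in NO_BUMP_SITES)

def possible(action, step, prev):
    # Simplified model: step 3 cannot peek/stare; a step-2 peek rules out
    # bumping and a step-2 stare rules out splicing.
    if step < 3:
        return True
    return (action not in ("peek", "stare")
            and (action, prev) not in {("bump", "peek"), ("splice", "stare")})

def decide(client, sni, rules=RULES):
    """Return the action taken at each step for one TLS connection."""
    trace, prev = [], None
    for step in (1, 2, 3):
        action = next((a for a, acls in rules if possible(a, step, prev)
                       and all(acl_matches(n, step, client, sni) for n in acls)),
                      "bump" if prev == "stare" else "splice")  # assumed fallback
        trace.append(action)
        if action in ("splice", "bump"):
            break
        prev = action
    return trace

if __name__ == "__main__":
    for c, s in [("192.168.10.7", "www.example.org"), ("10.1.1.1", "www.example.org")]:
        print(c, s, decide(c, s))
```

Passing `RULES[1:] + RULES[:1]` as `rules` moves the client splice rule to the end, and the exempt client is then bumped like any other.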
Title: Re: SSL Bump Client exception
Post by: mscd on July 04, 2021, 11:08:07 am
Hello Stefan,

I am working on the same problem … I would like to do SNI-inspection (with category filtering) for all clients … but true SSL-inspection only for specific subnets. Did you get that working (by use of include-folders)?

Best regards,
mscd
Title: Re: SSL Bump Client exception
Post by: mimugmail on August 30, 2021, 04:10:18 pm
I'll add it to the GUI :)
Title: Re: SSL Bump Client exception
Post by: mimugmail on August 30, 2021, 04:15:49 pm
https://www.routerperformance.net/opnsense/plugin-development/

Here, a new checkbox:
https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml

Here also
https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml

New file like this:
https://github.com/opnsense/core/blob/master/src/opnsense/service/templates/OPNsense/Proxy/nobumpsites.acl

And add it here:
https://github.com/opnsense/core/blob/master/src/opnsense/service/templates/OPNsense/Proxy/%2BTARGETS

And the stuff from your post above should also go here:
https://github.com/opnsense/core/blob/master/src/opnsense/service/templates/OPNsense/Proxy/squid.conf