OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: emilio.b on June 28, 2016, 04:41:32 pm

Title: Transparent proxy - bypass for some LAN IPs
Post by: emilio.b on June 28, 2016, 04:41:32 pm
Hello all,
I've set up a transparent proxy with both HTTP and SSL and all seems OK there.
Then I've put some domains in the 'SSL no bump sites' so that these sites are passed through the proxy.

Now I have a monitoring host (nagios) in my LAN which talks to many external (monitored) hosts on the standard 443 port. I would like to just add the nagios host's IP address in a way that the proxy just leaves this IP untouched, instead of adding a very long list of external IPs to the 'SSL no bump sites' list.

Is it possible?

If so where are the settings in the web gui?

I've already tried out some settings in Forward proxy > ACL, but that setting (Unrestricted IP addresses) seems to only have to do with IP addresses (as stated by the label) and nothing on the SSL side.


TIA

emilio
Title: Re: Transparent proxy - bypass for some LAN IPs
Post by: Julien on June 30, 2016, 10:42:19 am
go to proxy server , forward proxy , access control list. unrestricted ip addresses.
Title: Re: Transparent proxy - bypass for some LAN IPs
Post by: emilio.b on June 30, 2016, 11:03:48 am
thanks jamerson,
I've already tried that (see original post).

Anyway, I re-tried what you've suggested to double-check.
Unfortunately this didn't do the trick, and even if I put the LAN IP of my nagios host in the unrestricted IPs, I got this error when trying to connect to the destination host:

The following error was encountered while trying to retrieve the URL: https://idrac/*

Failed to establish a secure connection to xxx.xxx.xxx.xxx

The system returned:

(92) Protocol error (TLS code: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
Self-signed SSL Certificate: /C=US/ST=Texas/L=Round Rock/O=Dell Inc./OU=Remote Access Group/CN=idrac/emailAddress=support@dell.com

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

Your cache administrator is admin@localhost.local.

What I need is a way to bypass SSL bumping (not the proxy) for a given host(s) on my network.

TIA

emilio
Title: Re: Transparent proxy - bypass for some LAN IPs
Post by: Julien on June 30, 2016, 11:08:25 am
Just curious, have you configured the local cache? And SSL transparent for the proxy?
I've noticed you always have to restart the proxy services after making some changes.

I am using the software for two days now, and I love it so far.
Title: Re: Transparent proxy - bypass for some LAN IPs
Post by: emilio.b on June 30, 2016, 06:06:02 pm
Thanks for your answer,
yes, I've configured both HTTP and HTTPS for the transparent proxy.

I've also tried stopping and restarting the proxy service, to no avail in my case.

emilio
Title: Re: Transparent proxy - bypass for some LAN IPs
Post by: Julien on June 30, 2016, 06:23:47 pm
As I see it, you did not create a certificate for the proxy; you are using only the self-signed one.
Are you sure you've configured it according to the documentation for SSL/HTTPS?
Title: Re: Transparent proxy - bypass for some LAN IPs
Post by: emilio.b on July 01, 2016, 09:25:37 am
Hello jamerson,
yes, I've configured a self-signed cert for the proxy according to the man pages.

Then I've imported the cert in the browsers I usually need to surf the internet, and in the OS for some additional apps.
So if I'm not wrong, I should import the same cert in the nagios machine in order to get the correct behaviour.

What I don't understand here is why the Unrestricted IP address setting seems not to work, or maybe it is not the correct field to fill in for my specific case.

TIA

emilio

Title: Re: Transparent proxy - bypass for some LAN IPs
Post by: Julien on July 01, 2016, 05:24:53 pm
Hi Emilio,
I have been using the device now for over 3 days, and have configured the proxy and also the unrestricted IP, and even when I use the domain name of the machine it works fine.
I am sure you missed some configuration.
Title: Re: Transparent proxy - bypass for some LAN IPs
Post by: emilio.b on July 04, 2016, 02:42:53 pm
Thank you jamerson for your time.

I've double-checked all settings and attached some screenshots.

If Unrestricted IP means that ALL traffic from origin to destination is left untouched by the transparent proxy, including SSL bumping, then probably I have some strange behaviour here, because it works for some IPs while for others not at all.

I'll try to sketch the whole thing with transparent proxy + SSL proxy:

nagios (LAN) check host1 on port 4444 > opnsense > WAN > monitored host1 (https port 4444) THIS IS OK
nagios (LAN) check host2 on port 443 > opnsense > WAN > monitored host2 (https port 443) THIS IS BLOCKED

The block error (from the proxy) is the one I've already pasted in the previous message.

TIA

emilio


Title: Re: Transparent proxy - bypass for some LAN IPs
Post by: fabian on July 06, 2016, 09:01:00 am
Hi emilio,

Can you add this host also to the "SSL no bump sites", as this looks like the SSL handshake fails?
Can you then connect to it and open it with a browser and check which cryptographic algorithms are used?
Title: Re: Transparent proxy - bypass for some LAN IPs
Post by: emilio.b on July 06, 2016, 06:52:47 pm
Hello Fabian,
unfortunately this doesn't solve the problem.

As I said, the strange thing is that the https/SSL connections from the nagios host to other external hosts on ports other than 443 (i.e. port 444) work as expected.

So I've made a little experiment here with the Allowed destination ports (proxy ACL advanced settings).
Please review the attached screenshots: _3 and _4.

I removed the default 443:https port and placed the 444:https port instead.
In this condition the nagios connection on port 443 fails, but now with the Access denied message (as expected, I think), while the nagios connection on port 444 works OK.

Then I removed all 444:https settings from both the TCP and SSL ACL proxy fields and left them blank, without the default 443 settings.
In this condition the nagios host has THE SAME behaviour as above, with failed 443 connections and working 444 connections, even if there are no apparent settings that permit such a thing.

It seems to me that there is some hardcoded parameter over there, or maybe I need some more help...

TIA

emilio
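For readers looking for the underlying Squid directives behind what this thread is asking for, here is an added configuration example; it is not OPNsense's generated config and not from any poster. It keeps the monitoring host proxied but splices (passes through) its TLS sessions instead of bumping them; the 192.168.1.50 address, the .example.com destination and the ACL names are constructed placeholders, and the note on redirected ports assumes the usual transparent-proxy firewall rules.

```squid
# Added example (constructed): exempt one LAN source from SSL bumping
# while still letting Squid proxy it. Addresses and ACL names are placeholders.

# The monitoring host whose HTTPS checks must see the real server certificate
acl nagios_src src 192.168.1.50/32

# Destinations that must never be bumped (the equivalent of "SSL no bump sites")
acl nobump_dst ssl::server_name .example.com

# SslBump step 1 only reads the client TCP/SNI details; nothing is decrypted yet
acl step1 at_step SslBump1

# Order matters: at each step the first matching rule wins.
ssl_bump peek step1            # look at the ClientHello before deciding
ssl_bump splice nagios_src     # pass the monitoring host through untouched
ssl_bump splice nobump_dst     # pass listed destinations through untouched
ssl_bump bump all              # intercept and inspect everyone else

# Assumption: in a transparent setup only the ports the firewall redirects to
# Squid (typically 80 and 443) are intercepted at all. HTTPS checks on other
# ports, such as the thread's port 444, never reach the proxy, so they are
# neither bumped nor subject to the allowed-destination-port ACLs.
```

This is Squid 3.5+ syntax; on OPNsense the squid.conf is written by the GUI, so the effective rules should be checked against what the proxy service actually generates.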