OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: stewconsult on September 15, 2016, 10:20:55 pm

Title: SSL/HTTPS Transparent Proxy
Post by: stewconsult on September 15, 2016, 10:20:55 pm
I am on the newest OPNsense version 16.7.3 and am a newbie. Transparent proxy is set up for HTTP but not yet for HTTPS due to all the warnings about man in the middle. I would like to do HTTPS proxy filtering with transparent but have questions...
1. Will all browsers give cert errors until I give them a cert to install? What if I buy a cert through a trusted public CA?
2. If I enable the "SSL Domain/IP only" setting under the general forward proxy settings, will the certificates still be required for access? I understand no filtering will be done here, so maybe no need for certs?
Title: Re: SSL/HTTPS Transparent Proxy
Post by: jschellevis on September 16, 2016, 09:02:34 am
Well you already found the two options.

If you go for the standard option as described in the docs, then the proxy will get the page content and sign it with its own certificate. This will always generate an alert on the browser as the certificate is not valid for the domain in question (unless you import the certificate into your system/browser).

As for getting a cert, you would need a root signing certificate. With a root signing certificate, you essentially become your own certificate authority and you can issue certificates that are trusted by browsers/clients. This is not possible, as that would undermine the security of the internet if everyone could get such a cert. Only certified organisations have such a signing cert. In short, not an option.

If you only want to use the ACLs for filtering IPs and domains, then you can go for the second option and enable "SSL Domain/IP only". This way the SSL connect can be blocked, so your browser is not able to establish a connection to those domains or IPs. However, with this option the proxy is not aware of the content of the web data/page, so it can't block based on the full URLs; it simply doesn't know what you are requesting, only the IP or domain.

Simply put you can block www.cnn.com but you can't block https://www.cnn.com/test.html or anything on that page such as mypicture.jpg

Title: Re: SSL/HTTPS Transparent Proxy
Post by: Reiter der OPNsense on September 16, 2016, 12:41:14 pm
I tried to use "SSL Domain/IP only", but it does not work for me. See the error logs in this thread:
https://forum.opnsense.org/index.php?topic=3644.0

I suspect it has to do with a squid security feature, mentioned here:
http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
but I do not know how I can solve the problem.

Any ideas or tips for me?
Title: Re: SSL/HTTPS Transparent Proxy
Post by: jschellevis on September 16, 2016, 01:40:53 pm
The issue is related to the fact that the proxy checks if the IP or the requested domain is the same as the browser requested. For this it does a lookup; however, the lookup that the browser did may not match the one that the proxy performed. This can happen when a domain has multiple IPs (a farm).

Not sure if there is anything definitive that can be done here, but I think you can minimize the impact by making sure you use the same DNS all the time (that is, client and firewall/proxy).
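The mismatch described in the last two posts can be reproduced with a small model. This is an added example, not code from the thread, OPNsense or Squid: it models the host-verification step (the proxy re-resolves the name the client asked for and accepts the interception only if the address the client actually connected to is among the proxy's own answers) against two constructed resolver views of a farmed domain. The domain `farm.example`, the RFC 5737 test addresses and the function names `proxy_accepts` and `simulate` are this example's own; they stand in for whatever DNS the client and the firewall really use.

```python
from typing import Dict, Set

# Constructed DNS views (not real data): two resolvers that both serve a farmed
# domain but hand out different members of the farm.
RESOLVER_A: Dict[str, Set[str]] = {"farm.example": {"203.0.113.10", "203.0.113.11"}}
RESOLVER_B: Dict[str, Set[str]] = {"farm.example": {"203.0.113.20", "203.0.113.21"}}
# A resolver whose answer overlaps only partially with RESOLVER_A.
RESOLVER_C: Dict[str, Set[str]] = {"farm.example": {"203.0.113.11", "203.0.113.30"}}


def client_picks_ip(resolver: Dict[str, Set[str]], host: str) -> str:
    """The browser connects to one address from its own resolver's answer.
    Sorted so the model is deterministic; a real client may pick any of them."""
    return sorted(resolver[host])[0]


def proxy_accepts(resolver: Dict[str, Set[str]], host: str, intercepted_dst_ip: str) -> bool:
    """Model of the host-verification check on the proxy: re-resolve `host`
    (the SNI or Host header) and require the intercepted destination address
    to be one of the proxy's own answers. A miss is what the forgery warning
    reports."""
    return intercepted_dst_ip in resolver.get(host, set())


def simulate(client_resolver: Dict[str, Set[str]],
             proxy_resolver: Dict[str, Set[str]],
             host: str) -> bool:
    """Run one intercepted connection: client resolves and connects, the proxy
    verifies. Returns True when the proxy accepts the connection."""
    dst = client_picks_ip(client_resolver, host)
    return proxy_accepts(proxy_resolver, host, dst)


def verdict(client_resolver: Dict[str, Set[str]],
            proxy_resolver: Dict[str, Set[str]],
            host: str) -> str:
    """Human-readable summary of one run, naming the cause of a failure."""
    dst = client_picks_ip(client_resolver, host)
    answers = proxy_resolver.get(host, set())
    if dst in answers:
        return f"accepted: {host} -> {dst} is in proxy answers {sorted(answers)}"
    return (f"rejected: client connected to {dst} but proxy resolved {host} "
            f"to {sorted(answers)} (possible farm / different DNS)")


if __name__ == "__main__":
    # Client and proxy on different DNS: the farm hands each a different member.
    print(verdict(RESOLVER_A, RESOLVER_B, "farm.example"))
    # Same DNS for client and firewall/proxy: the answers agree and the check passes.
    print(verdict(RESOLVER_A, RESOLVER_A, "farm.example"))
```

The model makes the mitigation in the post visible: the check only compares the client's chosen address against the proxy's answer set, so pointing both at the same resolver maximises the chance those sets coincide. It also shows why the fix is not definitive, since even with overlapping answers (`RESOLVER_A` against `RESOLVER_C`) the outcome depends on which member of the farm the client happened to pick.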