OPNsense Forum

English Forums => General Discussion => Topic started by: pr3p on February 09, 2017, 08:12:44 am

Title: OPNSense - Web Proxy ( Enable SSL mode Problem)
Post by: pr3p on February 09, 2017, 08:12:44 am
Hi, I enabled web proxy services on OPNsense and everything is working fine, but when I enabled "Enable SSL mode" I can't browse HTTPS websites. Any idea? I already set rules on the firewall.


Reference:
https://docs.opnsense.org/manual/how-tos/proxytransparent.html


Regards,
pr3p
Title: Re: OPNSense - Web Proxy ( Enable SSL mode Problem)
Post by: fabian on February 09, 2017, 05:47:47 pm
missing certificate, squid not restarted or wrong port?
Title: Re: OPNSense - Web Proxy ( Enable SSL mode Problem)
Post by: pr3p on February 10, 2017, 02:08:29 am
missing certificate, squid not restarted or wrong port?


I already set up the certificate and the port is correct, as the default port for the proxy set on the firewall.
(http://image.prntscr.com/image/ac7eb1729c484540adad408ea9c1838c.png)

(http://image.prntscr.com/image/13e990e94e364c80a420dd49d64dacc9.png)

(http://image.prntscr.com/image/a6aaf6c228c94085b375660b9b61645a.png)


Proxy is working fine with http only https, but when I set or configure the browser to use the proxy server both are working fine. Is there any way for the proxy to work with SSL enabled without setting it on the client side, such as laptops, mobiles, etc.?


Regards,
pr3p
Title: Re: OPNSense - Web Proxy ( Enable SSL mode Problem)
Post by: fabian on February 10, 2017, 05:42:14 am
SSL mode is not enabled
Title: Re: OPNSense - Web Proxy ( Enable SSL mode Problem)
Post by: pr3p on February 10, 2017, 12:10:50 pm
SSL mode is not enabled

Oh sorry, I just temporarily disabled it, now I can't access the forum and other websites, but when it's enabled it's still not working. It only works when I set the proxy in my browser.
Title: Re: OPNSense - Web Proxy ( Enable SSL mode Problem)
Post by: franco on February 10, 2017, 12:16:14 pm
Did you also select the CA certificate in the proxy settings?


Cheers,
Franco
Title: Re: OPNSense - Web Proxy ( Enable SSL mode Problem)
Post by: pr3p on February 10, 2017, 01:23:47 pm
Did you also select the CA certificate in the proxy settings?


Cheers,
Franco

@franco yes, the CA certificate is enabled and selected.

Question: is there any way to use the proxy with SSL enabled without configuring any browser setting to use the proxy?
Title: Re: OPNSense - Web Proxy ( Enable SSL mode Problem)
Post by: fabian on February 11, 2017, 09:54:11 pm
Yes, OPNsense supports configuring a transparent squid proxy for HTTPS, but you have to configure the clients anyway (installing the root certificate) if you are not configuring it for domain filtering only.

You need to enable SSL mode with a root certificate, which is trusted by your clients.

At least in Firefox you will have to import your root certificate. Many other applications are affected too and some use certificate pinning. These are the apps you will have to whitelist because otherwise they won't work.
Title: Re: OPNSense - Web Proxy ( Enable SSL mode Problem)
Post by: pr3p on February 12, 2017, 09:31:25 am
Yes, OPNsense supports configuring a transparent squid proxy for HTTPS, but you have to configure the clients anyway (installing the root certificate) if you are not configuring it for domain filtering only.

You need to enable SSL mode with a root certificate, which is trusted by your clients.

At least in Firefox you will have to import your root certificate. Many other applications are affected too and some use certificate pinning. These are the apps you will have to whitelist because otherwise they won't work.

@fabian thanks for the info. Yes, I tested it with the cert imported to all browsers and so far I have no problem with it. Since we don't have access to the personal devices of our staff and students, we can't import those certs manually. Is there any other way?
Title: Re: OPNSense - Web Proxy ( Enable SSL mode Problem)
Post by: fabian on February 12, 2017, 11:18:01 am
@fabian thanks for the info. Yes, I tested it with the cert imported to all browsers and so far I have no problem with it. Since we don't have access to the personal devices of our staff and students, we can't import those certs manually. Is there any other way?

Why not put it on a read-only network share that everyone can access to download the certificate and install it if needed? I would suggest FTP or HTTP for that. You will have to document where the certificate can be downloaded.
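
The thread ends with the suggestion to publish the proxy's root certificate over FTP or HTTP. As an added example (not from the thread or from the OPNsense project), these shell functions let the person who downloads the file check it against a SHA-256 fingerprint published through a separate channel before importing it. The function names, file names and the throwaway CA are constructed for illustration, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: check a downloaded proxy root CA before trusting it.

# Print the SHA-256 fingerprint of the certificate itself (hash of the DER
# encoding, as browsers show it), as lowercase hex without colons.
# This is not the same as sha256sum of the file: re-saving the PEM with
# different line endings changes the file hash but not this value.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# verify_ca_download FILE EXPECTED_FINGERPRINT
# Returns 0 if FILE parses as X.509, has not expired and matches the
# expected fingerprint (any case, colons optional).
# Returns 2 = not a certificate, 3 = expired, 1 = fingerprint mismatch.
verify_ca_download() {
    _expected=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    _actual=$(cert_fingerprint "$1")
    [ -n "$_actual" ] ||
        { echo "not a certificate: $1" >&2; return 2; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate expired: $1" >&2; return 3; }
    [ "$_actual" = "$_expected" ] ||
        { echo "fingerprint mismatch, got $_actual" >&2; return 1; }
}

# Constructed stand-in for the proxy CA so the check can be tried offline.
# make_demo_ca OUT_CERT COMMON_NAME  (private key is written to OUT_CERT.key)
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Typical use on a client (path and fingerprint are placeholders):
#   verify_ca_download ./proxy-ca.crt "<fingerprint from the printed notice>" \
#       && echo "OK to import"
```

The fingerprint to compare against should reach users by a path other than the download itself, for example printed documentation, since plain FTP and HTTP do not authenticate the file.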