OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: ChrisFredriksson on June 24, 2017, 11:03:13 am

Title: Proxy questions, Web Filter, AV, Blocking Ads
Post by: ChrisFredriksson on June 24, 2017, 11:03:13 am
Hey everyone,

Just having a go for the first time with OPNsense. I've had a pfSense system running for the last 6 years and haven't really had a try on OPNsense until now.

So, first off.. I can't find uPNP anywhere under services or anywhere else, am I missing something?

Second, I'm wondering about the proxy setup. Obviously I want our system as secure as possible. With "our system" I'm talking about a home network with about 15-20 devices connected at once.

The reason for looking into the proxy part is mostly curiosity, because it feels like when I've seen videos and read about it that it could be quite handy, in terms of blocking ads. If I could also use an AV solution which could partly help with viruses, ransomware and similar coming from the outside, that would be even more great. Of course, I know that it doesn't replace a good AV solution on a computer, but every extra we can add is of course always positive.

So, I've been reading on the docs.opnsense.org site under Caching proxy.

First, I can see that its a caching proxy, no idea if I really need the caching part. But ok.

Then it can support ICAP for AV/Malware, Blacklists and Category Based Web Filtering. All perfect!

I'm not so interested in configuring all my devices to go through the proxy, so I'm more looking into the transparent mode as all devices go through it automatically then instead.

However, it says that a transparent proxy for https traffic could be dangerous. I'm sort of understanding the concept behind that when I read more under "Setup transparent mode (Including SSL)".

The idea is to add all sites I visit that currently are running HTTPS traffic, such as my bank and similar. Alright, I guess I could do that, but it could become quite a comprehensive list.

What if I miss a site? Would the site just complain that the SSL certificate is invalid, or will it somehow block the connection?

I'm wondering.. Could I run a transparent mode proxy without the SSL part and just using it on regular HTTP traffic? The reason for asking is mostly because of the AD blocking part, most sites that have ADs are running on HTTP and not HTTPS.

However, the AD blocking could be used on for example Youtube as well, am I right? That site is using HTTPS though, so if I don't enable the caching proxy on HTTPS, then Youtube wouldn't be affected.

So I guess I'm back at perhaps adding the "No SSL Bump" for the sites I really want HTTPS to work with and not block the ADs on those sites. Of course, my bank doesn't have ADs on their site anyway, but yeah..

Also, at the bottom of the Transparent Proxy page it says I still need to add the CA to all browsers. So I'm looking to either configure proxy on all devices or add a CA to all devices.

Can't I use the caching proxy just for blocking ADs on all sites and perhaps use ICAP for AV and Malware?

Finally, what do you guys think? Should I really go with caching proxy? As it says on a note on the Transparent Proxy page, "If you're not sure what to add, please reconsider using transparent SSL as its clearly not intended for you!"

For my defense, I can work my way around both pfSense and OPNsense, not as the pros, but I know much of it at least. I've just not used the caching proxy part previously and I thought it would be fun to learn this as well, but to learn it I should do it right the first way around.

That's why I need you guys!

Hope to hear from you guys soon, my head is spinning around in 60 miles per hour! ;)
Thanks in advance!
Title: Re: Proxy questions, Web Filter, AV, Blocking Ads
Post by: fabian on June 24, 2017, 02:54:06 pm
TLS needs to be terminated for ICAP and URL filtering (otherwise only hostnames are possible). The problem with TLS interception is, that you need an internal CA which is trusted by your clients. So you need some configuration anyway. Another problem with TLS interception is, that your client only sees the proxy and not the certificate of the server to which it originally wanted to connect. Note that you don't need to have a proxy on the HTTPS port. HTTP only works too but if the proxy does not sit between the HTTPS server and the client, it cannot filter ads delivered by HTTPS.