OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: AC on January 03, 2018, 09:35:17 am

Title: Parent Proxy Opnsense
Post by: AC on January 03, 2018, 09:35:17 am
Update 1: added URL regex & destination IP

Hey folks,
I configured the Webproxy with a ParentProxy and I'm here to share my experiences with that.

The WebGui does not have an option to define a ParentProxy, so we need to dig deeper:

First of all, there are two directories:
/usr/local/etc/squid/pre-auth
/usr/local/etc/squid/post-auth

Here I'm using the pre-auth folder. In that folder you need to create a file with a .conf extension. Without that file extension the proxy won't use the config.
I created a file named ParentProxy.conf; everything in quotes needs to be set properly and without the quotes:

# cache_peer: here we set the ParentProxy as URL or IP
cache_peer "ExamplePeer" parent 8080 0 no-query default

# ACL for destination domains to use our ParentProxy
# the dot before the domain means that every subdomain will also be sent to the ParentProxy
acl "NameOfACLdomain" dstdomain .com .org .local host1.any.domain
# ACL IP list
acl "NameOfACLIP" dst 10.193.100.5
# ACL URL regex
acl "NameOfACLregex" url_regex server1 http://server2.dings

# Now we define the access; change "ExamplePeer" to whatever you named your ParentProxy cache_peer
# the allow lines say: every destination in the defined ACLs is going to the ParentProxy
# the deny lines: everything else (not listed in the ACLs) will not go to the ParentProxy
cache_peer_access "ExamplePeer" allow "NameOfACLdomain"
cache_peer_access "ExamplePeer" allow "NameOfACLIP"
cache_peer_access "ExamplePeer" allow "NameOfACLregex"
cache_peer_access "ExamplePeer" deny !"NameOfACLdomain"
cache_peer_access "ExamplePeer" deny !"NameOfACLIP"
cache_peer_access "ExamplePeer" deny !"NameOfACLregex"

# I'm not sure if that is really needed:
# Here you can define which domains should not go to the ParentProxy (I chose our internal domain)
# cache_peer_domain takes the peer name first, then the domain list
cache_peer_domain "ExamplePeer" !.internal.domain

# we need to use the never_direct allow directive:
never_direct allow "NameOfACLdomain"
never_direct allow "NameOfACLIP"
never_direct allow "NameOfACLregex"


Maybe that helps with configuring a ParentProxy.

AC
Title: Re: Parent Proxy Opnsense
Post by: franco on January 04, 2018, 09:55:32 pm
Hi AC,

Thank you for this. I've made it sticky in this forum. There was a question about this once or twice. If enough people want this, we can talk about integrating it into the GUI in a reasonable way. :)


Cheers,
Franco
Title: Re: Parent Proxy Opnsense
Post by: fabian on January 04, 2018, 10:06:08 pm
@franco - I may need that some day to route *.onion to the Tor plugin, however this is very low priority.
Title: Re: Parent Proxy Opnsense
Post by: AC on January 05, 2018, 12:12:39 pm
Hey franco,

That's why I wrote it down here in an easy way. I read the other threads about that and the instructions weren't that clear. ;)
Title: Re: Parent Proxy Opnsense
Post by: tillsense on January 05, 2018, 07:27:32 pm
Hi all,
Quote
... If enough people want this...

want it ;)

cheers till
Title: Re: Parent Proxy Opnsense
Post by: franco on January 08, 2018, 08:05:06 am
And so the next step is.... a GitHub ticket :)


Cheers,
Franco
Title: Re: Parent Proxy Opnsense
Post by: AC on January 08, 2018, 11:41:46 am
I made a ticket - my first GitHub ticket ever - hope that's correct that way.

https://github.com/opnsense/core/issues/2068
Title: Re: Parent Proxy Opnsense
Post by: franco on January 08, 2018, 10:00:18 pm
Looks good, thank you. I've tagged it "help wanted" for now, let's see if anyone takes the bait. :)


Cheers,
Franco
Title: Re: Parent Proxy Opnsense
Post by: mimugmail on October 21, 2018, 12:32:48 pm
I don't see a reason for putting it in pre-auth. Shouldn't it be after authentication?
Title: Re: Parent Proxy Opnsense
Post by: tillsense on December 01, 2018, 08:23:36 pm
@mimugmail
No, the network options always come first.

I always check that after parsing on OPNsense this sequence remains: yes, ancient :)
http://www.squid-cache.org/mail-archive/squid-users/200203/att-0514/squid.conf

In the FAQ, there is little information but this is probably important here:
Quote
Only ONE proxy cache in a chain is allowed to "use" the proxy authentication...
https://wiki.squid-cache.org/SquidFaq/SquidAcl#Proxy-authentication_and_neighbor_caches


Here are some old links:
https://forum.opnsense.org/index.php?topic=3345.0
https://forum.opnsense.org/index.php?topic=3833.0

cheers till
Title: Re: Parent Proxy Opnsense
Post by: mimugmail on December 29, 2018, 08:48:45 pm
I did some templating which generates this, but it doesn't seem to work (does not use the parent).
Any idea why?


root@OPNsense:~/core # cat /usr/local/etc/squid/pre-auth/parentproxy.conf
cache_peer 10.24.66.3 parent 8080 0 no-query default
acl ExcludePPDomains dstdomain test.de bla.de
acl ExcludePPIPs dst 1.1.1.1 2.2.2.2
cache_peer_access 10.24.66.3 deny ExcludePPDomains
cache_peer_access 10.24.66.3 deny ExcludePPIPs
cache_peer_access 10.24.66.3 allow all
never_direct allow ExcludePPDomains
never_direct allow ExcludePPIPs
never_direct deny all
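To see what these two directives actually decide for a given request, here is an added example (not code from the thread, from OPNsense or from Squid): a small Python simulator of Squid's first-match access-list evaluation for cache_peer_access and never_direct, run over AC's first-post snippet (with its quoted placeholders filled in with constructed values, peer name proxy.example.internal) and over mimugmail's generated file exactly as posted. It only models the acl types dstdomain, dst and url_regex and the two directives; cache_peer options, prefer_direct, DNS resolution and authentication are out of scope, and all request URLs and destination IPs are constructed.

```python
"""Added example: simulate Squid's first-match evaluation of cache_peer_access and
never_direct for the parent-proxy snippets posted in this thread.
Assumptions: only acl types dstdomain / dst / url_regex are modelled; cache_peer,
prefer_direct, DNS lookups and authentication are ignored. The peer name
proxy.example.internal and all request URLs / IPs below are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

# AC's first-post snippet with its quoted placeholders filled in (constructed values).
AC_CONF = """
cache_peer proxy.example.internal parent 8080 0 no-query default
acl ToParentDomains dstdomain .com .org .local host1.any.domain
acl ToParentIPs dst 10.193.100.5
acl ToParentRegex url_regex server1 http://server2.dings
cache_peer_access proxy.example.internal allow ToParentDomains
cache_peer_access proxy.example.internal allow ToParentIPs
cache_peer_access proxy.example.internal allow ToParentRegex
cache_peer_access proxy.example.internal deny !ToParentDomains
cache_peer_access proxy.example.internal deny !ToParentIPs
cache_peer_access proxy.example.internal deny !ToParentRegex
never_direct allow ToParentDomains
never_direct allow ToParentIPs
never_direct allow ToParentRegex
"""

# mimugmail's generated file, as shown in the post above.
MIMUGMAIL_CONF = """
cache_peer 10.24.66.3 parent 8080 0 no-query default
acl ExcludePPDomains dstdomain test.de bla.de
acl ExcludePPIPs dst 1.1.1.1 2.2.2.2
cache_peer_access 10.24.66.3 deny ExcludePPDomains
cache_peer_access 10.24.66.3 deny ExcludePPIPs
cache_peer_access 10.24.66.3 allow all
never_direct allow ExcludePPDomains
never_direct allow ExcludePPIPs
never_direct deny all
"""


def parse(conf):
    """Collect acl definitions, per-peer cache_peer_access rules and never_direct rules."""
    acls, peer_access, never_direct = {}, {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            acls.setdefault(words[1], []).append((words[2], words[3:]))
        elif words[0] == "cache_peer_access":
            peer_access.setdefault(words[1], []).append((words[2] == "allow", words[3:]))
        elif words[0] == "never_direct":
            never_direct.append((words[1] == "allow", words[2:]))
    return acls, peer_access, never_direct


def acl_matches(acls, name, req):
    """True if the request matches any value on any definition line of the named acl."""
    if name == "all":
        return True
    for kind, values in acls[name]:
        for value in values:
            if kind == "dstdomain":
                host, dom = req["host"].lower(), value.lower()
                # A leading dot matches the domain itself and every subdomain; no dot = exact.
                if host == dom.lstrip(".") or (dom.startswith(".") and host.endswith(dom)):
                    return True
            elif kind == "dst":
                if ipaddress.ip_address(req["dst_ip"]) in ipaddress.ip_network(value, strict=False):
                    return True
            elif kind == "url_regex":
                if re.search(value, req["url"]):
                    return True
    return False


def evaluate(acls, rules, req):
    """First line whose terms all match wins ('!' negates a term). If nothing matches,
    the result is the opposite of the last line, Squid's usual access-list convention."""
    for allow, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return allow
    return (not rules[-1][0]) if rules else False


def route(conf, url, dst_ip):
    """Where Squid would send the request: 'parent', 'direct', 'direct-or-parent' or 'unroutable'."""
    acls, peer_access, never_direct = parse(conf)
    req = {"url": url, "host": urlsplit(url).hostname, "dst_ip": dst_ip}
    must_use_peer = evaluate(acls, never_direct, req)
    usable = [peer for peer, rules in peer_access.items() if evaluate(acls, rules, req)]
    if must_use_peer:
        return "parent" if usable else "unroutable"  # forced to a peer, but every peer denies it
    return "direct-or-parent" if usable else "direct"


if __name__ == "__main__":
    for name, conf in (("AC", AC_CONF), ("mimugmail", MIMUGMAIL_CONF)):
        for url, ip in (("http://www.example.com/", "93.184.216.34"),
                        ("http://test.de/", "203.0.113.5"),
                        ("http://intranet.corp.internal/", "192.0.2.10")):
            print(f"{name:9} {url:32} -> {route(conf, url, ip)}")
```

Running it shows the difference between the two files: with AC's rules, a destination that hits one of the three ACLs is both permitted at the peer and forced there by never_direct, and everything else is denied at the peer and free to go direct. With mimugmail's file as posted, the "excluded" domains and IPs are the ones forced to the peer by never_direct allow while cache_peer_access denies them, and every other request is merely permitted to use the peer (never_direct deny all), so whether Squid actually picks the parent then depends on settings the simulator does not model; the post does not say what the eventual fix was. Note also that dstdomain test.de without a leading dot matches only test.de, not www.test.de. On a real box, squid -k parse will at least catch syntax errors in a dropped-in .conf before you reload.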
Title: Re: Parent Proxy Opnsense
Post by: mimugmail on December 30, 2018, 08:28:51 am
OK, fixed it, now it's open for review.
Title: Re: Parent Proxy Opnsense
Post by: franco on February 11, 2019, 08:47:31 am
Bad news: this topic is no longer sticky.

Good news: parent proxy feature is available in OPNsense since 19.1.


:)