OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: gothbert on February 17, 2018, 09:58:00 pm

Title: Transparent SSL Proxy and Letsencrypt Certificate
Post by: gothbert on February 17, 2018, 09:58:00 pm
Hi,

as more and more sites on the internet use HTTPS for delivering content, I would like to make Squid cache encrypted connections as well. I had this setup once but dropped it soon because I did not want to install the self-signed certificate on any PC, smartphone, ... in my local net.

I am now considering using this feature in combination with the os-acme-client and the os-haproxy plugins to facilitate the automatic retrieval of Letsencrypt certificates for the man-in-the-middle OPNsense box. This will be some work, particularly because my OPNsense box sits behind the FritzBox which connects the LAN to the internet.

Thus, three questions, please, to check whether I am on the right track:
1. Is this feasible at all? I have my own DynDNS service running and can assign an official domain name to my internet-facing IPv6 address assigned by my provider.
2. What needs to be said about the hostname of the OPNsense box in relation to the domain name for which the Letsencrypt certificate is issued?
3. Won't the browser still complain since the domain in the OPNsense box's certificate does not match the remote website's domain?

Kind regards
Boris
Title: Re: Transparent SSL Proxy and Letsencrypt Certificate
Post by: fabian on February 17, 2018, 11:21:30 pm
I am now considering using this feature in combination with the os-acme-client and the os-haproxy plugins to facilitate the automatic retrieval of Letsencrypt certificates for the man-in-the-middle OPNsense box. This will be some work, particularly because my OPNsense box sits behind the FritzBox which connects the LAN to the internet.
You won't get a CA certificate from Let's Encrypt. That's strictly forbidden. You can only issue server certificates for domains under your control.
Title: Re: Transparent SSL Proxy and Letsencrypt Certificate
Post by: gothbert on February 18, 2018, 08:28:15 am
Thank you, Fabian, for the quick reply.

I was under the wrong impression that a server certificate was needed to make the SSL proxy work. I looked it up again in the docs and UI and did some additional reading and I now understand that a CA is required, though. The CA issues server certificates on the fly for the sites visited. That answers all my questions at once.

Best regards
Boris
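The point made in this thread, that an intercepting proxy needs its own CA and cannot sign the on-the-fly certificates with a Let's Encrypt server certificate, and that the minted certificate must carry the visited site's name, can be checked with openssl. The script below is an added example, not code from the thread or from OPNsense; it assumes the openssl command line tool (1.1.1 or newer) is installed, and all names and files in it are constructed.

```shell
#!/bin/sh
# Constructed example (not from this thread or from OPNsense): why an intercepting
# proxy must sign with a CA certificate and cannot use a Let's Encrypt-style
# server certificate, and why the minted certificate must carry the visited name.
# Assumes the openssl command line tool (1.1.1 or newer) is installed.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# new_csr NAME OUT: fresh RSA key plus a CSR for NAME, written to OUT.key / OUT.csr
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
}

# The proxy's own CA, the kind OPNsense keeps in its trust store (self-signed, CA:TRUE).
new_csr "Example Proxy CA" ca
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -days 3650 -sha256 \
  -extfile ca.ext -out ca.crt >/dev/null 2>&1

# issue_leaf SIGNER_CRT SIGNER_KEY HOST OUT: server certificate for HOST signed by SIGNER.
# CA:FALSE is what every public CA, Let's Encrypt included, sets on a server certificate.
issue_leaf() {
  new_csr "$3" "$4"
  printf 'subjectAltName=DNS:%s\nbasicConstraints=critical,CA:FALSE\n' "$3" >"$4.ext"
  openssl x509 -req -in "$4.csr" -CA "$1" -CAkey "$2" -CAcreateserial \
    -days 1 -sha256 -extfile "$4.ext" -out "$4.crt" >/dev/null 2>&1
}

# The box's server certificate, as an ACME client would obtain it for its own name.
issue_leaf ca.crt ca.key proxy.example.net proxy
# On-the-fly certificates for a visited site, one signed by each candidate signer.
issue_leaf ca.crt    ca.key    www.example.org via-ca
issue_leaf proxy.crt proxy.key www.example.org via-leaf

# chain_ok ANCHOR UNTRUSTED CERT HOST: succeeds when a client trusting only ANCHOR
# would accept CERT for HOST (chain validation plus the hostname check a browser does).
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname "$4" "$3" >/dev/null 2>&1
}
accepted_via_ca()     { chain_ok ca.crt ca.crt    via-ca.crt   www.example.org; }
accepted_via_leaf()   { chain_ok ca.crt proxy.crt via-leaf.crt www.example.org; }
accepted_wrong_name() { chain_ok ca.crt ca.crt    via-ca.crt   other.example.org; }

accepted_via_ca     && echo "signed by the proxy CA: accepted"
accepted_via_leaf   || echo "signed by the server certificate: rejected (not a CA)"
accepted_wrong_name || echo "name does not match the visited site: rejected"
```

Only the first case is accepted: the certificate signed by the server certificate fails chain validation because its signer is marked CA:FALSE, and the CA-signed certificate is still rejected when checked against a name it was not minted for.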