OPNsense Forum
English Forums => Web Proxy Filtering and Caching => Topic started by: jp26198926 on March 13, 2018, 07:55:34 am
-
Hi Sir,
I still bit confused of the web proxy, in remote list i downloaded already the shallalist.
may i know what is the opnsense setup equivalent to pfsense squidguard group acl?
i am just trying to filter some intranet group in web using shalla's categories.
Thanks,
-
You can try the web-proxy-useracl plugin and see if it works for your use case.
Cheers,
Franco
-
Hi Franco,
Like jp26198926, I'd like to setup ACLs to subnet-defined groups and attribute them target categories based on domains, URLs or regex,
as pfSense does. I tried the web-proxy-useracl plugin, but it's only based on users or groups, and forces the use of authentication.
Would it be feasible to add such a feature to OPNsense?
Thanks,
Pascal
-
Hello Gentlemen,
I´ve been thinking about it... I am also working and looking on something like this.
I was wondering if the "web-proxy-useracl" plugin could be modified in order to match the Blacklists File/name.
Check pictures attached, please.
It would go like this:
1- You create groups on Active Directory (AD).
2- You capture the AD groups on OPNSense (Menu System-->Access-->Users/groups)
3- You download your preferred Blacklist file and give it a "Name"
4- From the "Proxy Menu --> Administration --> Forward Proxy --> Authentication Settings" you choose AD Authentication.
5- From the "Proxy Menu --> Groups and Users " where is "Name", you should input the "AD group" you want to match the Blacklist. Where is "DOMAINS" you should add the Blacklist Name you previously configured on step 3.
That way, you will have, not only the same squidguard ACL-GROUPS functionalities, but something Absolutelly better, since on squidguard you have to deal with ldap-search lines that are pretty confusing and here it would be all "Web/Icons/Objects based"
Additionally, (just a suggestion) it would be great to add an extra field to the "Authentication menu" with a "CUSTOM AUTHENTICATION" so we can add whatever authentication we want like the Winbind SSO/Kerberos/WMI, etc.
Since we would be working with "existing variables", how hard would it be to make such changes?
There is one thing I don't know: Since opnsense doesn't use squidguard, I am wondering the compatible commands on it, like we have on squidguard (ldapsearch) to match "groups and users" to Blacklists.
(What product opnsense is using to replace squidguard by the way?)
I am not good with php/mvc , so I can help with Money/UAT/Test support.
Gentlemen, OPNsense is already an absolutelly wonderful product, but that would raise it to a new level, since you only see features like this on "expensive & commercial" products like BlueCoat/Cisco/Fortinet etc.
Please let me know if someone would be interested. I am on the boat. :-)
Fabricio.
-
You can try the web-proxy-useracl plugin and see if it works for your use case.
Cheers,
Franco
Hi Franco,
I'm using web-proxy-useracl plugin and would like to know if anyone managed to solve the following problem...
In squid.conf, the ACL remote blacklists are evaluated before the "Auth plugins" include, which has the custom whitelists:
https://github.com/opnsense/plugins/issues/1111
Thanks!