OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: stefan21 on June 24, 2018, 03:14:06 pm

Title: *SOLVED* Web proxy whitelist issue
Post by: stefan21 on June 24, 2018, 03:14:06 pm
Hello,

OPNsense is running as OPNsense 18.1.9-amd64, FreeBSD 11.1-RELEASE-p10, OpenSSL 1.0.2o 27 Mar 2018.

Services: Web Proxy: Administration Whitelist: besides some other domains: "my-hammer.de", which was the last I added.

From the log:
1529845065.736 0    xxx TCP_DENIED/403 4095 GET http://www.my-hammer.de/favicon.ico - HIER_NONE/- text/html
1529845065.715 0    xxx TCP_DENIED/403 4021 GET http://www.my-hammer.de/favicon.ico - HIER_NONE/- text/html
1529845065.681 0    xxx TCP_DENIED/403 4141 GET http://localhost:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1529845065.647 0    xxx TCP_DENIED/403 4100 GET http://www.my-hammer.de/ - HIER_NONE/- text/html

The client is not able to access the domain. The previously whitelisted domains are accessible.

Anybody with an idea?

regards,
stefan
Title: Re: Web proxy whitelist issue
Post by: stefan21 on June 25, 2018, 04:09:18 pm
Even whitelisting (unrestricted access) the IP of the workstation does not help. How can that be?

Any help would be appreciated.
Title: Re: Web proxy whitelist issue
Post by: stefan21 on June 25, 2018, 06:37:21 pm
The following error was encountered while trying to retrieve the URL: http://www.my-hammer.de/

    Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

I just don't get it - IMVHO there's nothing defined in the ACL which could prevent loading this page? The only entry in the blacklist is "imrworldwide.com".

BTW - could someone move this to the correct subforum? Sorry for posting too fast...
Title: Re: *SOLVED* Web proxy whitelist issue
Post by: stefan21 on June 25, 2018, 09:10:05 pm
Disabling shallalist and restarting the web proxy solved the issue. This means that even whitelisting a domain is being overwritten by the remote blacklist. Quite easy if you know about this. Sorry for the noise.

Anyway - this leaves the question how to whitelist a domain which is in a remote blacklist?

regards,
stefan

EDIT: while playing around a little, I first deleted and then re-added the my-hammer.de domain in my whitelist. Did an "apply" with every step and restarted the proxy twice. Then I enabled the shallalist in remote ACL again. After another restart of the proxy the whitelisted domain was accessible. Very tricky...
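
A check for the symptom reported in this thread, as an added example that is not part of the original posts: it scans Squid access.log lines for TCP_DENIED entries whose host is on the whitelist, the pattern seen here while the remote blacklist was enabled. The sample log, the 192.0.2.10 client address and the suffix-matching rule are assumptions.

```python
from urllib.parse import urlsplit

# Whitelist entry from the post. Suffix matching is an assumption made for
# this sketch, not necessarily how the proxy evaluates its whitelist.
WHITELIST = ["my-hammer.de"]

# Constructed sample in Squid's native access.log layout. Lines 1, 3 and 4
# follow the thread, with the client replaced by a documentation address.
SAMPLE_LOG = """\
1529845065.736 0 192.0.2.10 TCP_DENIED/403 4095 GET http://www.my-hammer.de/favicon.ico - HIER_NONE/- text/html
1529845065.700 0 192.0.2.10 TCP_DENIED/403 4010 CONNECT www.my-hammer.de:443 - HIER_NONE/- text/html
1529845065.681 0 192.0.2.10 TCP_DENIED/403 4141 GET http://localhost:3128/squid-internal-static/icons/SN.png - HIER_NONE/- text/html
1529845065.647 0 192.0.2.10 TCP_DENIED/403 4100 GET http://www.my-hammer.de/ - HIER_NONE/- text/html
1529845070.120 0 192.0.2.10 TCP_DENIED/403 4102 GET http://notmy-hammer.de/ - HIER_NONE/- text/html
1529845071.300 85 192.0.2.10 TCP_MISS/200 5120 GET http://example.org/ - HIER_DIRECT/198.51.100.7 text/html
"""


def parse_line(line):
    """Split one native-format line; return None if it is too short."""
    parts = line.split()
    if len(parts) < 7:
        return None
    client, result, url = parts[2], parts[3], parts[6]
    code = result.partition("/")[0]
    # CONNECT entries log host:port instead of a full URL.
    host = urlsplit(url if "://" in url else "//" + url).hostname
    return {"client": client, "code": code, "host": host or "", "url": url}


def is_whitelisted(host, whitelist):
    """True if host equals a whitelist domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in whitelist)


def denied_whitelisted(log_text, whitelist=WHITELIST):
    """Return entries the proxy denied although the host is whitelisted."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["code"] == "TCP_DENIED" and is_whitelisted(entry["host"], whitelist):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for e in denied_whitelisted(SAMPLE_LOG):
        print(e["client"], e["host"], e["url"])
```

Any hit means a whitelisted host was still refused, so the next place to look is whichever other access rule is active, such as a remote blacklist.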