Messages - Feldunost

#1
17.1 Legacy Series / Re: Upgrade from SSH
July 11, 2017, 06:01:24 PM
The problem is indeed about fetch, but I can't seem to find a proper functional solution.
It throws back "Proxy authentication required" even though I specified username and password for the proxy in the environment.
#2
17.1 Legacy Series / Re: Upgrade from SSH
July 04, 2017, 01:33:47 PM
Problem is still up ...
Can't seem to find a solution.
#3
17.1 Legacy Series / Upgrade from SSH
June 20, 2017, 03:22:06 PM
Hello,

I'm managing one OPNsense that is functional behind another proxy, modifications are done properly to set:
- a parent proxy in squid.conf
- setenv for parent proxy in pkg.conf.


However, when I attempt to upgrade from SSH, it returns:

Fetching packages-17.1-OpenSSL-amd64.tar: .............................................................opnsense-verify: Unable to open /var/cache/opnsense-update/2640/packages-17.1-OpenSSL-amd64.tar: No such file or directory
failed


Any pointers to look into this problem?

Regards.
#4
Updated previous post with possible solution, could be marked as solved I think.
#5
Hello,

Found out, it seems to be working with the following value: ^.
This should block all addresses and domains unless you specifically allowed the domain or IP access in "unrestricted ip addresses" or in "whitelist".

Thanks.
#6
16.7 Legacy Series / Re: [SOLVED] Squid Parent Proxy
December 08, 2016, 03:01:22 PM
Oh my god I'm stupid ... it's not even those files ...
I edited the wrong file in fact ...

So actually I have default files and added these lines, and it worked like a charm!
My bad again ;D


squid.user.post_auth.conf :
- No file in /OPNsense/Proxy/ - one include in squid.conf -

squid.user.pre_auth.conf :
- No file in /OPNsense/Proxy/ - one include in squid.conf -

squid.conf :
#
# Added for Parent Proxy auth
cache_peer 192.168.*.* parent 3128 0 no-query no-digest default login=login:password
never_direct allow all



Is it normal that I can still access the parent proxy webpage or even the internet directly with the parent's proxy in browser parameters?
I added a NAT port forward for port 80 traffic to be redirected to 127.0.0.1:3128.
There is a No-Proxy bypass in OPNsense's firewall rules for LAN ...

And I can still pass if I specify the parent's proxy directly in the web browser ... missed something with routing?



Also, what about the PKG trick with this Proxy Parent Auth? Does it still have to be specified?
https://forum.opnsense.org/index.php?topic=3833.0

Actually testing.
#7
16.7 Legacy Series / Re: [SOLVED] Squid Parent Proxy
December 07, 2016, 09:31:23 AM
# Added for Parent Proxy auth
cache_peer 192.168.*.* parent 3128 0 no-query no-digest default login=login:password
never_direct allow all
# Configure Local User Authentication helper
auth_param basic program /usr/local/etc/inc/squid.auth-user.php
{% if helpers.exists('OPNsense.proxy.forward.authentication.realm') %}
auth_param basic realm {{OPNsense.proxy.forward.authentication.realm}}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.authentication.credentialsttl') %}
auth_param basic credentialsttl {{OPNsense.proxy.forward.authentication.credentialsttl}} hours
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.authentication.children') %}
auth_param basic children {{OPNsense.proxy.forward.authentication.children}}
{% endif %}
# ACL - Local Authorized Users - local_auth
acl local_auth proxy_auth REQUIRED


Actually it's a Double NAT configuration with double proxy, the endpoint is allowing only http connections for auth.
#8
16.7 Legacy Series / Re: Squid Parent Proxy
December 06, 2016, 03:27:26 PM
Quote from: tillsense on July 20, 2016, 07:23:19 PM
hi,

i'm little confused. Franco wrote 16.1.16? AD wrote dev version... i followed the link. i use 16.7rc2 (release topic). in the announcement of Franco for this "proxy: move ACL parts to separate file and allow pre and post hooks"
i created the file (/core/issues/802) /usr/local/opnsense/service/templates/OPNsense/Proxy/squid.user.post_auth.conf and have the parameters entered, but this does not work.

cheers till


Hello,

I found out about this value that I could add here:
http://www.squid-cache.org/Doc/config/cache_peer/
Specified correct parameters for this parent proxy with "login=user:password" for parent's auth.

However, I'm still having issues browsing internet pages; in the logs I get TCP_MISS/503 4473 GET http://www.google.com/ - HIER_DIRECT ...

This is quite strange since I followed the entire configuration in OPNsense's How-To (Caching Proxy + Transparent Proxy).

Any pointers?


#9
I am actually looking for this solution as well since I want:

- To block everything for some computers and only allow update links in the whitelist.
- To block everything and only allow a bigger list of whitelisted links added manually.
- To allow everything for specific IPs.

Which means having several whitelists and being able to block everything for specific computers / servers.

Dunno if it's actually possible ... ?


Edit:
I tried to add "*.*" and "*" on the blacklist without effect.
I wish to block everything and only accept whitelisted domains or links.
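
An added illustration (not part of the forum posts and not OPNsense's or Squid's own code) of the per-source policy asked for in this post, combined with the `^` blacklist value reported in post #5. The evaluation order (unrestricted IPs, then whitelist, then blacklist) is assumed from that post's description; all addresses and domains are constructed, and Python's `re` stands in for Squid's regex engine, which may handle a leading `*` differently.

```python
import ipaddress
import re

# Constructed sample policy; every address, domain and pattern is hypothetical.
UNRESTRICTED = [ipaddress.ip_network("192.168.1.50/32")]
WHITELISTS = {  # source network -> destination host patterns it may reach
    ipaddress.ip_network("192.168.1.10/32"): [r"(^|\.)update\.example\.org$"],
    ipaddress.ip_network("192.168.1.0/24"): [
        r"(^|\.)update\.example\.org$",
        r"(^|\.)intranet\.example\.net$",
    ],
}
BLACKLIST = [r"^"]  # value from post #5: matches at position 0 of any host


def compile_patterns(patterns):
    """Compile regexes; glob-style entries such as '*' or '*.*' are rejected."""
    compiled = []
    for pattern in patterns:
        try:
            compiled.append(re.compile(pattern, re.IGNORECASE))
        except re.error as exc:
            raise ValueError(f"{pattern!r} is not a valid regex: {exc}") from exc
    return compiled


def decide(src, host):
    """First match wins: unrestricted IP, then whitelist, then blacklist."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in UNRESTRICTED):
        return "allow"
    # Most specific source network first, so the /32 list overrides the /24 list.
    for net in sorted(WHITELISTS, key=lambda n: n.prefixlen, reverse=True):
        if ip in net:
            if any(rx.search(host) for rx in compile_patterns(WHITELISTS[net])):
                return "allow"
            break  # only the most specific whitelist applies to this client
    if any(rx.search(host) for rx in compile_patterns(BLACKLIST)):
        return "deny"
    return "allow"  # nothing matched: default allow, as with an empty blacklist


if __name__ == "__main__":
    for src, host in [("192.168.1.10", "update.example.org"),
                      ("192.168.1.10", "intranet.example.net"),
                      ("192.168.1.20", "intranet.example.net"),
                      ("192.168.1.50", "www.example.com")]:
        print(src, host, decide(src, host))
```
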
#10
16.7 Legacy Series / Re: Upstream Proxy Gateway
December 02, 2016, 03:26:52 PM
For the next people who are wondering too, this trick worked smoothly:
https://forum.opnsense.org/index.php?topic=3833.0

I don't know about HTTPS, but for HTTP it went immediately after a reboot.
#11
16.7 Legacy Series / Upstream Proxy Gateway
December 01, 2016, 11:38:45 PM
Hello,

I actually have the exact same question as this user: https://forum.opnsense.org/index.php?topic=2252.0
Since it seems not to be in "System: Settings: Miscellaneous" anymore.

Has it been moved?

Thanks folks !