2
21.1 Legacy Series / Rspamd Greylist Whitelist...
« on: February 22, 2021, 10:40:23 am »
... isn't working because of typo:
Code:
whitelist_ip
should be
Code:
whitelisted_ip
https://rspamd.com/doc/modules/greylisting.html
Regards
3
21.1 Legacy Series / Re: Postfix <-> rspamd integration
« on: February 13, 2021, 04:00:25 pm »
See Page 29, the whole manual is a good read.
https://www.heinlein-support.de/sites/default/files/SLAC_2019_Rspamd-neue-Konzepte-im-AntiSpam.pdf
4
21.1 Legacy Series / Re: rspamd log - where to look for?
« on: February 09, 2021, 08:07:44 am »
Thanks again.
Is this the file? I'm asking because it is in a different location than you indicated.
Thanks!
Just create that folder override.d
https://rspamd.com/doc/faq.html#what-are-the-locald-and-overrided-directories
5
21.1 Legacy Series / Re: rspamd log - where to look for?
« on: February 09, 2021, 08:06:22 am »
Thank you so much!
Good question, tbh I don't know.
(I wonder why isn't the WebGUI active by default?)
6
21.1 Legacy Series / Re: rspamd log - where to look for?
« on: February 08, 2021, 09:21:27 pm »
Hello you, there is a handy WebGUI for Rspamd, but it's hidden and you need to tinker a bit to make it visible.
1. First you need to create a file in
/usr/local/etc/rspamd/override.d/worker-controller.inc
with this:
Quote
bind_socket = "*:11334";
2. restart rspamd, now the WebGUI should be reachable via
http://192.168.100.1:11334 (IP should be the LAN IP of your firewall)
https://rspamd.com/webui/
3. If you like a nice Link in the service section of the WebUI, create another file in:
/usr/local/opnsense/mvc/app/models/OPNsense/Links/Menu/Menu.xml (missing folders must be created)
with this content:
Quote
(same here, IP should be the LAN IP of your firewall)
<menu>
  <Services>
    <Rspamd-Web VisibleName="Rspamd Web" cssClass="fa fa-envelope fa-fw" isExternal="Y" url="http://192.168.100.1:11334/" />
  </Services>
</menu>
Now execute the following command in the shell:
Quote
/usr/local/etc/rc.configure_plugins
4. Refresh your browser, there should now be a link in services like here:
5. Or just tail the rspamd log
Quote
tail -f /var/log/rspamd/rspamd.log
Hope that was helpful.
7
Web Proxy Filtering and Caching / Re: Web Proxy SSL No Bumb eg. Wifi Guests
« on: February 04, 2021, 02:45:04 pm »
There is a way, where your edits will survive a plugin/system update:
https://docs.opnsense.org/development/backend/templates.html
Still it would be 1000 times better, to have this in the WebGUI as an option.
8
Web Proxy Filtering and Caching / Re: Web Proxy SSL No Bumb eg. Wifi Guests
« on: February 04, 2021, 07:26:34 am »
Do these settings remain after a reboot?
Yes they do if you edit the template files in
/usr/local/opnsense/service/templates/OPNsense/Proxy/
files in
/usr/local/etc/squid
will not, but an os-web-proxy update will overwrite them here as well.
I'm not 100% on this, but it may help.
Unfortunately, in this case it will not work.
https://forum.opnsense.org/index.php?topic=6516.msg27986#msg27986
9
Web Proxy Filtering and Caching / Re: Kindle Fire and Samsung Fire TV Transparent Proxy No Bump
« on: January 22, 2021, 04:06:12 pm »
10
Web Proxy Filtering and Caching / Web Proxy SSL No Bumb eg. Wifi Guests
« on: January 22, 2021, 04:04:51 pm »
Long time lurker, first time poster.
Coming from pfSense to OPNSense, I'm still trying to set things up the way I'm used to. In pfSense there is an option in Squid where you can enable SSL inspection with custom config, which lets you do things like SSLBump on the LAN interface and just Splice on the WIFI interface. So you don't get TLS errors about broken certificates and so on, but still maintain a layer of protection with SNI and ACL blacklisting.
Unfortunately in OPNSense there is no such option for the Web Proxy, but with a little tinkering I figured out how to make it work here as well.
We need to modify one file, which may get overwritten on updates, but anyway, here we go:
1. In Services: Web Proxy: Administration, enable "Enable SSL inspection" and apply.
2. You need to edit /usr/local/opnsense/service/templates/OPNsense/Proxy/squid.conf
from
Quote
# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
# configure bump
{% if helpers.exists('OPNsense.proxy.forward.sslurlonly') and OPNsense.proxy.forward.sslurlonly == '1' %}
ssl_bump peek bump_step1 all
ssl_bump splice all
ssl_bump peek bump_step2 all
ssl_bump splice bump_step3 all
ssl_bump bump
{% else %}
ssl_bump peek bump_step1 all
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump stare bump_step2
ssl_bump bump bump_step3
{% endif %}
to
Quote
# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
acl splice_only src 10.10.10.0/24
acl splice_only src 10.10.20.9
acl splice_only src 192.168.0.13
# configure bump
{% if helpers.exists('OPNsense.proxy.forward.sslurlonly') and OPNsense.proxy.forward.sslurlonly == '1' %}
ssl_bump peek bump_step1 all
ssl_bump splice all
ssl_bump peek bump_step2 all
ssl_bump splice bump_step3 all
ssl_bump bump
{% else %}
ssl_bump peek bump_step1 all
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump peek bump_step2 splice_only
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump splice bump_step3 splice_only
ssl_bump stare bump_step2
ssl_bump bump bump_step3
{% endif %}
and save the changes. (bold)
3. Next in Services: Web Proxy: Administration, just hit apply.
Now you should have full SSL inspection everywhere, except on clients in the 10.10.10.0/24 network or single IPs like 10.10.20.9 and 192.168.0.13 which only get spliced, so they don't need a cert to be installed and thus have no cert errors.
Hope someone will find this useful, maybe a dev can make this as an option in the WebGUI of the Web Proxy.
Thanks
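A simplified model of how the modified ssl_bump rules in the post above are evaluated, added here as an example (it is not part of the original post and not OPNsense or Squid code). It assumes first-match evaluation at each step, an exact-match lookup for bump_nobumpsites, and constructed client addresses and hostnames.

```python
import ipaddress

# ssl_bump rules from the post's modified template ({% else %} branch), in order.
# Each rule is (action, ACL names); Squid requires every ACL on a line to match.
RULES = [
    ("peek",   ["bump_step1", "all"]),
    ("peek",   ["bump_step2", "bump_nobumpsites"]),
    ("peek",   ["bump_step2", "splice_only"]),
    ("splice", ["bump_step3", "bump_nobumpsites"]),
    ("splice", ["bump_step3", "splice_only"]),
    ("stare",  ["bump_step2"]),
    ("bump",   ["bump_step3"]),
]
SPLICE_ONLY = [ipaddress.ip_network(n) for n in
               ("10.10.10.0/24", "10.10.20.9/32", "192.168.0.13/32")]

def acl_matches(name, step, client, sni, nobump_sites):
    if name == "all":
        return True
    if name.startswith("bump_step"):
        return step == int(name[-1])          # at_step SslBumpN
    if name == "splice_only":
        return any(client in net for net in SPLICE_ONLY)
    if name == "bump_nobumpsites":
        return sni in nobump_sites            # assumption: exact-match only
    raise ValueError(f"unknown ACL {name}")

def allowed(action, step, prev):
    # Simplified Squid constraints: peek/stare only at steps 1 and 2; at step 3
    # splice needs a preceding peek and bump needs a preceding stare.
    if action in ("peek", "stare"):
        return step < 3
    if step == 3:
        return prev == ("peek" if action == "splice" else "stare")
    return True

def decide(client_ip, sni, nobump_sites=frozenset()):
    """Return the final action ("splice" or "bump") for one TLS connection."""
    client = ipaddress.ip_address(client_ip)
    prev = None
    for step in (1, 2, 3):
        action = next((act for act, acls in RULES if allowed(act, step, prev)
                       and all(acl_matches(a, step, client, sni, nobump_sites)
                               for a in acls)), None)
        if action in ("splice", "bump", None):
            return action or "no-match"
        prev = action

# Constructed sample clients and hostnames (not from the post).
if __name__ == "__main__":
    for ip, host in [("10.10.10.42", "example.org"), ("192.168.1.50", "example.org")]:
        print(ip, host, "->", decide(ip, host))
```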