Messages - porigromus

#1
If I wanted to "no bump" source IPs, how would I do this? It didn't seem to work by adding 192.168.1.10 to the GUI SSL no bump field. At this point this is one option I am considering so as not to MITM the Amazon devices.

I started thinking about how I might do this but haven't figured it out.

The squid.conf file has this section, which appears to point to the no bump list entered in the GUI:

# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"

# configure bump
{% if helpers.exists('OPNsense.proxy.forward.sslurlonly') and OPNsense.proxy.forward.sslurlonly == '1' %}
ssl_bump peek bump_step1 all
ssl_bump splice all
ssl_bump peek bump_step2 all
ssl_bump splice bump_step3 all
ssl_bump bump

{% else %}
ssl_bump peek bump_step1 all
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump stare bump_step2
ssl_bump bump bump_step3
{% endif %}

How would I override squid.conf with a .conf file? Could I add this or something similar to the pre-auth location? I haven't had much luck yet:

vi /usr/local/etc/squid/pre-auth/
acl no_bump src 192.168.1.10/32
ssl_bump peek bump_step1 all
ssl_bump peek bump_step2 no_bump
ssl_bump splice bump_step3 no_bump
ssl_bump stare bump_step2
ssl_bump bump bump_step3
#2
I was reading other sites in regards to SSL TAG_NONE/503 errors, and some mentioned being less restrictive with the SSL cipher strengths. I am very familiar with Apache and how to do this, and I assume it will be easy to do this in Squid as well. However, if I have to change these values, I assume that the next time OPNsense updates Squid it will replace these values if I do it through the CLI.

I am getting ahead of myself though, I don't know if this is the issue yet.
#3
I tried adding the source IP to the "no bump list", whitelist, unrestricted without luck.
#4
Here is the error message from Squid when launching the YouTube app on the Amazon Kindle Fire 5th gen:

error the requested url could not be retrieved
https://108.177.122.139/*

failed to establish a secure connection to 108.177.122.139

The system returned:
(92) protocol error (TLS code SQUID_ERR_SSL_HANDSHAKE)
Handshake with ssl server failed: error: 140920F8:SSL
routines:ssl3_get_server_hello: unknown cipher returned


squid access logs:

1558402364.793 50    192.168.1.10 TAG_NONE/200 0 CONNECT 108.177.122.139:443 - ORIGINAL_DST/108.177.122.139 -
1558402364.707 0    192.168.1.10 TAG_NONE/503 4284 GET https://m.youtube.com/ - HIER_NONE/- text/html
1558402364.524 92    192.168.1.10 TAG_NONE/200 0 CONNECT 108.177.122.139:443 - ORIGINAL_DST/108.177.122.139 -
1558402364.411 92    192.168.1.10 TCP_MISS/301 482 GET http://m.youtube.com/ - ORIGINAL_DST/108.177.122.139 text/html


If I remove the HTTPS proxy or configure SNI only, it works without issue. Also, the Silk browser works with the transparent proxy on without issue; the imported self-signed cert shows valid.

I have .youtube.com in my no bump list. The YouTube app on my Android device works after adding no bump sites. I am only having issues with Amazon.

Anyone able to lead me in the right path? If unable to get working, is it possible to "no bump" the src IP of the device?
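As an added example (not code from the post or from OPNsense/Squid), the following script parses the four native-format access.log lines quoted above, flags the requests that Squid answered itself with a 503 and no upstream peer, and lists CONNECT targets that are bare IPs rather than hostnames, which is what the error page with an IP in the URL looks like from the log side. The sample lines are the ones quoted in the post; every other name and value in the script is constructed for the example.

```python
"""Summarise Squid native-format access.log lines per client and flag the
pattern in the post above: a bumped HTTPS request that Squid answered
itself with 503 and no upstream peer (TAG_NONE/503 ... HIER_NONE/-), plus
CONNECTs whose target is a bare IP rather than a hostname.  Added example,
not OPNsense or Squid code; SAMPLE_LOG is the four lines quoted in the
post, everything else here is constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# The four access.log lines quoted in the post (native Squid log format).
SAMPLE_LOG = """\
1558402364.793 50    192.168.1.10 TAG_NONE/200 0 CONNECT 108.177.122.139:443 - ORIGINAL_DST/108.177.122.139 -
1558402364.707 0    192.168.1.10 TAG_NONE/503 4284 GET https://m.youtube.com/ - HIER_NONE/- text/html
1558402364.524 92    192.168.1.10 TAG_NONE/200 0 CONNECT 108.177.122.139:443 - ORIGINAL_DST/108.177.122.139 -
1558402364.411 92    192.168.1.10 TCP_MISS/301 482 GET http://m.youtube.com/ - ORIGINAL_DST/108.177.122.139 text/html
"""


@dataclass
class Entry:
    """One record: time elapsed client code/status bytes method URL user hier/peer type."""
    when: datetime
    elapsed_ms: int
    client: str
    tag: str          # e.g. TAG_NONE, TCP_MISS
    status: int       # HTTP status Squid returned to the client
    size: int
    method: str
    url: str
    hierarchy: str    # e.g. ORIGINAL_DST, HIER_NONE
    peer: str         # upstream address, or "-" when Squid answered itself
    content_type: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one native-format line; return None for blank or malformed input."""
    parts = line.split()
    if len(parts) < 10:
        return None
    ts, elapsed, client, result, size, method, url, _user, hier, ctype = parts[:10]
    tag, _, status = result.partition("/")
    hierarchy, _, peer = hier.partition("/")
    try:
        return Entry(
            when=datetime.fromtimestamp(float(ts), tz=timezone.utc),
            elapsed_ms=int(elapsed), client=client, tag=tag, status=int(status),
            size=int(size), method=method, url=url, hierarchy=hierarchy,
            peer=peer, content_type=ctype,
        )
    except ValueError:
        return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def handshake_failures(entries: List[Entry]) -> List[Entry]:
    """Requests Squid answered with 503 and no upstream peer (HIER_NONE):
    the log-side view of the SQUID_ERR_SSL_HANDSHAKE error page in the post."""
    return [e for e in entries if e.status == 503 and e.hierarchy == "HIER_NONE"]


def ip_only_connects(entries: List[Entry]) -> Set[str]:
    """CONNECT targets that are IP literals: intercepted sessions for which
    no hostname was learned, so any error page can only name the IP."""
    found: Set[str] = set()
    for e in entries:
        if e.method != "CONNECT":
            continue
        host = e.url.rsplit(":", 1)[0].strip("[]")   # handles [v6]:port too
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue
        found.add(host)
    return found


def summarise(text: str) -> Dict[str, dict]:
    """Per-client counts plus the URLs that failed, to help decide what to
    add to a no-bump list (by destination or, if it comes to it, by source)."""
    entries = parse_log(text)
    report: Dict[str, dict] = defaultdict(
        lambda: {"requests": 0, "connects": 0, "failed_urls": []})
    for e in entries:
        report[e.client]["requests"] += 1
        if e.method == "CONNECT":
            report[e.client]["connects"] += 1
    for e in handshake_failures(entries):
        report[e.client]["failed_urls"].append(e.url)
    return dict(report)


if __name__ == "__main__":
    for client, info in summarise(SAMPLE_LOG).items():
        print(client, info)
    print("bare-IP CONNECT targets:", sorted(ip_only_connects(parse_log(SAMPLE_LOG))))
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; clients whose failed_urls are all bare IPs are the ones for which a destination-based no-bump entry has nothing to match on.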
#5
I apologize for the number of posts. I have transparent proxy working, and working well for most clients on my network. I was able to determine "no bump" URLs for the YouTube/Netflix apps on Android phones/tablets.

However, I can't get the YouTube app on Amazon's Kindle Fire and Fire TV working through the transparent proxy. I was able to no bump the Netflix app on these devices. I would like to "no bump" the destination URLs for the YouTube app, which, when launching, gives me a Squid error with an IP in the URL instead of an actual domain name, which I thought was strange.

I searched the internet and this forum for possible URL destinations to add to the "no bump" list without any luck. Like I said, the YouTube app is working on the Android phones/tablets but not on Amazon's products.

Is there a way to "no bump" the devices by source address if it comes to that? Anyone able to point me in the right direction on URLs to no bump for Amazon Kindle Fire/ Fire TV apps? Thanks
#6
I apologize for the misleading text, I changed the IPs for security reasons. I can assure you that the true IPs match properly.
#7
Hello, I'm hoping someone can help me understand why I am receiving the message "Failed to establish a secure connection to 192.168.1.2" when I access the web GUI from behind the Squid forward SSL proxy, but have no issues accessing it with another SAN name, "firewalltest".

As I mentioned, both are subject alternative names on a self-generated certificate issued by the CA created on the OPNsense firewall. One works, one does not when behind the proxy. If I access the web GUI for firewall management without the proxy via the IP address, it shows valid.

I have the CA on the firewall trusted in my OS. I have an entry in my /etc/host file on the client attempting to access the webgui for 192.168.1.2     firewalltest.

error message:


"ERROR
The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: https://192.168.1.2/

    Failed to establish a secure connection to 192.168.1.2

The system returned:

    [No Error] (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH)

    Certificate does not match domainname: /C=xx/ST=xxxxxxx/L=xxxxxx /O=xxxx/emailAddress=xxxxxxxxxxxxxxx/CN=firewalltest.test/subjectAltName=DNS:firewalltest,IP:192.168.1.2

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

Your cache administrator is admin@localhost.local."



The certificate for the OPNsense web GUI was issued by a CA on OPNsense, which is also the one chosen as the CA for Squid in OPNsense services.

"Certificate Subject Alt Name = "DNS:firewalltest,IP:192.168.1.2"
CN = firewalltest.test
E = xxxxxxx
O = xxxxxx
L = xxxxxx
ST = xxxxx
C = xxxxx"
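Whatever caused Squid's mismatch error here, the SAN quoted in it is a good case for showing how standard clients (RFC 6125 / RFC 2818 rules) decide whether a requested name is covered. The script below is an added example, not Squid or OPNsense code: an IP literal in the URL is compared only with iPAddress entries, a hostname only with dNSName entries (case-insensitive, one left-most wildcard label allowed), and the CN is ignored once a SAN is present. SAN_FROM_POST is the SAN string from the error above; the other names and the helper functions are constructed for the example.

```python
"""Check a requested host against a certificate's subjectAltName the way
standard clients do (RFC 6125 / RFC 2818): an IP literal in the URL is
compared only with iPAddress entries, a hostname only with dNSName entries
(case-insensitive, a single left-most wildcard label allowed), and the CN
is not consulted once a SAN is present.  Added example, not Squid or
OPNsense code; SAN_FROM_POST is the SAN string quoted in the error above,
the other inputs are constructed."""
import ipaddress
from typing import List, Optional, Tuple

SAN_FROM_POST = "DNS:firewalltest,IP:192.168.1.2"


def parse_san(san: str) -> List[Tuple[str, str]]:
    """'DNS:a,IP:1.2.3.4' -> [('DNS', 'a'), ('IP', '1.2.3.4')]; IPv6 values keep their colons."""
    entries = []
    for item in san.split(","):
        item = item.strip()
        if not item:
            continue
        kind, _, value = item.partition(":")
        entries.append((kind.strip().upper(), value.strip()))
    return entries


def _dns_match(pattern: str, host: str) -> bool:
    """dNSName comparison: exact (case-insensitive) or '*.example.com' style."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if "*" not in pattern or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    # the wildcard must be the whole left-most label and appear nowhere else
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def _ip_match(value: str, ip) -> bool:
    """iPAddress comparison on parsed addresses, so 'IP:192.168.001.002' style text never matches by accident."""
    try:
        return ipaddress.ip_address(value) == ip
    except ValueError:
        return False


def matching_entry(requested: str, san: str) -> Optional[Tuple[str, str]]:
    """Return the SAN entry that covers `requested`, or None.  The requested
    name decides which entry type is eligible: an IP literal never matches a
    dNSName, and a hostname never matches an iPAddress."""
    try:
        ip = ipaddress.ip_address(requested.strip("[]"))
    except ValueError:
        ip = None
    for kind, value in parse_san(san):
        if ip is not None and kind == "IP" and _ip_match(value, ip):
            return (kind, value)
        if ip is None and kind == "DNS" and _dns_match(value, requested):
            return (kind, value)
    return None


def host_matches_san(requested: str, san: str) -> bool:
    return matching_entry(requested, san) is not None


if __name__ == "__main__":
    for name in ("firewalltest", "192.168.1.2", "firewalltest.test"):
        print(f"{name:20} -> {matching_entry(name, SAN_FROM_POST)}")
```

Note that "firewalltest.test" (the CN) is reported as not covered: with a SAN present, the CN is not a fallback, so a name you want to reach the GUI by has to be in the SAN as the right type (DNS for hostnames, IP for address literals).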



#8
Thanks for providing further explanation. That helps!
#9
Thanks again hbc! I think I understand. Since I am monitoring with the IPS at the WAN, inspection is happening before the traffic is decrypted/encrypted by the web proxy. If I were only monitoring on the LAN and OPT interfaces, this would not be an issue?

In my configuration, though, I will need to add ICAP/ClamAV to the traffic flow to see this at a later point in the flow. I think I get it. Is there a nice diagram somewhere, like a Visio document, of the packet flow through the various systems? That would be neat.

I do appreciate the help!
#10
Thanks for the response. I did stumble upon that post. I made my post afterwards just to get an idea of how others are accomplishing this and what the best solution is. At this point I believe that seems like the best option: deny RFC1918 in an ACL via a .conf file in Squid pre-auth, and then no RDR for RFC1918 in a NAT rule above the proxy NAT.

#11
I went ahead and created a no RDR NAT rule above the other for destination RFC1918. I haven't gotten any responses to my posts. I really hope I haven't put things in an incorrect format or worded things in a way that is affecting me getting any help.

Seems other posts have some responses. New here, please point out my mistakes if there are any. Thanks!
#12
Hello, I am new to OPNsense and trying to get everything set up. I am hoping someone can give me some troubleshooting tips for the issue I am seeing.

I have configured the transparent HTTP/HTTPS web proxy and verified that when going to HTTPS sites my CA is listed as the issuer of the cert and everything shows valid. I have added the "7999999   Drop   opnsense.test.rules   bad-unknown   OPNsense test eicar virus" rule and verified alerts are present when trying to download it at the HTTP link, and it is blocked. However, when attempting HTTPS I am able to download it. There are no alerts present in the IDS logs.

I have all interfaces configured in my IDS: lan, opt1, opt2, wan.

I tried both pattern matchers, "hyperscan" and "aho-corasick". I have also tried promiscuous mode even though I am not using VLAN tagging. It should be blocking the file via that same rule when downloading over HTTPS, right?

Here is my log entry when restarting the ids service:

May 11 23:30:59    suricata: [100159] <Notice> -- all 8 packet processing threads, 4 management threads initialized, engine started.

Thanks for any help.


Only blocking on 80:

2019-05-11T23:45:41.674353-0400   blocked   wan   213.211.198.62   80   34.21.174.42   30170   OPNsense test eicar virus   
2019-05-11T23:45:41.674353-0400   blocked   wan   213.211.198.62   80   34.21.174.42   30170   OPNsense test eicar virus

#13
Would you please move this to the correct forum, Web Filtering? I did not see that category initially, my apologies.
#14
I still am seeing this default denied traffic that I believe should be stateful return traffic. Thanks
#15
I have configured the Web Proxy utilizing HTTP Transparent. I have 3 interfaces configured (LAN, OPT1 (DMZ), OPT2 (Servers)). Before configuring the proxy I only permitted specific endpoints to access specific destinations on port 80 in OPT2, and only permitted 1 endpoint to access the WebGUI/SSH on the firewall on port 80.

Now, all devices are able to get to these destinations because the source now appears to be the firewall, which is always permitted. What would be the best way to permit only the devices I wish to access these endpoints on 80, now that I proxy their traffic?

One way I thought of doing this is creating a No RDR NAT rule with a destination of RFC1918 above the present NAT redirecting the 80 traffic to the firewall.

I also thought about changing the destination from ANY to !RFC1918 on the NAT that is presently redirecting 80 traffic to 127.0.0.1.

I would prefer not to circumvent the proxy, though. Is there a way to create a whitelist/blacklist in the web proxy to only permit specific sources to access specific destinations on RFC1918 subnets? I wasn't sure how. What is your opinion on how to best configure what I am wanting to achieve? Thanks