Messages

1

Web Proxy Filtering and Caching / Re: Squid Transparent Mode No Error] (TLS code: SQUID_TLS_ERR_CONNECT+TLS_IO_ERR=1)

« on: September 07, 2023, 11:16:31 pm »

Tls error means that TLS negotiation failed. It could be that the server does not support allowed ciphers or uses unsigned certificate. Your can manually view proxy config in /usr/local/etc/squid.conf I believe. Config file will give you hints what is really configured for squid process. I know for a fact that it will theft unsigned cert and I don't think there is as option in gui to change that - is a security risk though. Most likely though if other websites work and that one doesn't, it's a crappy implementation on the remote end.

2

Web Proxy Filtering and Caching / Re: Whitelist 6 Domains

« on: September 07, 2023, 11:08:44 pm »

You can achieve that with "web proxy" config. Enable http and ssl intercept, sni induction only, add websites and allowed hosts or networks to proxy access list, configure your 6 websites in the proxy acl, configure port forwarding from 80 and 443 to whether corresponding ports you have in your proxy config (3218 and 3129 by default) and add this to proxy blacklist :
.[a-zA-Z]+

3

Web Proxy Filtering and Caching / Re: Full Reset of HAProxy Config

« on: September 07, 2023, 11:01:35 pm »

I've not had this particular error, but first thing I would try is to cut out ha pretty config from the xml config file and load it to a test box to see what happens. It is usually corrupted config that prevent the service from starting. Opnsense will try to restart the device over and over.

4

Web Proxy Filtering and Caching / Re: Setting Up LANCache + Unbound

« on: September 07, 2023, 10:56:31 pm »

Why not use squid that's built into opnsense, seems easier and more logical, it has caching options and you'll have it all in one box. Looks like lan cache needs to be a dns server in the network, you can always point your dns on pfsense to forward dns queries to it if you want to.

5

Web Proxy Filtering and Caching / Web Proxy traffic shaping question

« on: September 06, 2023, 06:05:14 pm »

Hi
Coming from pfsense, which I administered for years, relatively new to opnsense.
I have succesfully configured:
- shaper pipes - one for upload, one for download
- weighted queues
 - shaper rules matching various traffic and allocating traffic to appropriate queues.

All of the above works as expected, I can see traffic in Friewall > Shaper > Status, and network tests confirm that it works.

I cannot for the life of me figure out how to shape traffic that comes from LAN to web proxy via NAT port forward (redirect to 127.0.0.1 and squid port)
Web proxy works as expected, but the traffic does not show in traffic shaper no matter how I set it up, which also screw up my whole QoS as there is a significant portion of traffic going via web proxy, which does not show in traffic shaper. This means that the shaper thinks there is no congestion and does not work correctly while web proxy traffic is consuming like 90% of bandwidth.

Proxy is configured for SNI inspection only if that matters (transparent proxy)

I have configured a special queue for web proxy.
I have tried the following rules under Firewall > shaper > Rules:
Interface Loopback, LAN and WAN, nothing catches the web proxy traffic even if this is the only rule present.
Various destination IP addresses, including loopback IP.
Normally LAN catches upload, and WAN download from what I figured so far.

In PFSense I could achieve this by adding queue to firewall rules that was allowing traffic to squid, but in case of OPNSense, this is done via rules in shaper section by the looks of it.

I am wondering if anyone knows the order the firewall is processing traffic, as to my understanding traffic from LAN in my case gets natted first (redirected to loopback IP of the firewall), so that port 443 turns into 3129 and destination addess into 127.0.0.1(loopback), Then firewall filter passes the traffic via bound firewall rule.
Then the proxy inspects the SNI and sources the traffic flow from firewall WAN interface (closest IP to destination address)

What am I missing here, how can I shape the web proxy traffic? There is traffic management under web proxy confgiuration, but that is too basic for my needs, as it doesn't cooperate with existing pipe queue system.