Messages - emilio.b

#1
17.1 Legacy Series / Re: Proxy won't start
May 11, 2017, 04:26:18 PM
Hello,
here's the output of the command:

root@opnsense:~ # squid -k parse
2017/05/11 16:10:14| Startup: Initializing Authentication Schemes ...
2017/05/11 16:10:14| Startup: Initialized Authentication Scheme 'basic'
2017/05/11 16:10:14| Startup: Initialized Authentication Scheme 'digest'
2017/05/11 16:10:14| Startup: Initialized Authentication Scheme 'negotiate'
2017/05/11 16:10:14| Startup: Initialized Authentication Scheme 'ntlm'
2017/05/11 16:10:14| Startup: Initialized Authentication.
2017/05/11 16:10:14| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2017/05/11 16:10:14| Processing: http_port 127.0.0.1:3128 intercept
2017/05/11 16:10:14| Starting Authentication on port 127.0.0.1:3128
2017/05/11 16:10:14| Disabling Authentication on port 127.0.0.1:3128 (interception enabled)
2017/05/11 16:10:14| Processing: http_port [::1]:3128 intercept
2017/05/11 16:10:14| Starting Authentication on port [::1]:3128
2017/05/11 16:10:14| Disabling Authentication on port [::1]:3128 (interception enabled)
2017/05/11 16:10:14| Processing: http_port 192.168.1.200:3128
2017/05/11 16:10:14| Processing: acl ftp proto FTP
2017/05/11 16:10:14| Processing: http_access allow ftp
2017/05/11 16:10:14| Processing: acl localnet src 192.168.1.0/24 # Possible internal network
2017/05/11 16:10:14| Processing: acl localnet src fc00::/7       # RFC 4193 local private network range
2017/05/11 16:10:14| Processing: acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines
2017/05/11 16:10:14| Processing: acl subnets src 192.168.1.0/24
2017/05/11 16:10:14| Processing: acl remoteblacklist_UT1 dstdomain "/usr/local/etc/squid/acl/UT1"
2017/05/11 16:10:18| Processing: acl remoteblacklist_Shalla dstdomain "/usr/local/etc/squid/acl/Shalla"
2017/05/11 16:10:23| Processing: acl Safe_ports port 80 # http
2017/05/11 16:10:23| Processing: acl Safe_ports port 21 # ftp
2017/05/11 16:10:23| Processing: acl Safe_ports port 443 # https
2017/05/11 16:10:23| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2017/05/11 16:10:23| Processing: acl CONNECT method CONNECT
2017/05/11 16:10:23| Processing: icap_enable off
2017/05/11 16:10:23| Processing: include /usr/local/etc/squid/pre-auth/*.conf
2017/05/11 16:10:23| Processing Configuration File: /usr/local/etc/squid/pre-auth/dummy.conf (depth 1)
2017/05/11 16:10:23| Processing: http_access deny remoteblacklist_UT1
2017/05/11 16:10:23| Processing: http_access deny remoteblacklist_Shalla
2017/05/11 16:10:23| Processing: http_access deny !Safe_ports
2017/05/11 16:10:23| Processing: http_access deny CONNECT !SSL_ports
2017/05/11 16:10:23| ACL not found: SSL_ports
FATAL: Bungled /usr/local/etc/squid/squid.conf line 77: http_access deny CONNECT !SSL_ports
Squid Cache (Version 3.5.24): Terminated abnormally.
CPU Usage: 9.670 seconds = 9.529 user + 0.142 sys
Maximum Resident Size: 743248 KB
Page faults with physical i/o: 2
root@opnsense:~ #

It seems that if no SSL port is present in Access control list > Allowed SSL ports, squid doesn't start.
After setting up a simple 443:https in the field and applying the config, squid was happy.

Forgive me if it is my mistake...

Thank you!
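The failure in the parse output above is an access rule that names an ACL which was never defined: `http_access deny CONNECT !SSL_ports` appears, but no `acl SSL_ports port ...` line precedes it, so Squid reports "ACL not found" and aborts. As an added example (not part of this post and not OPNsense's or Squid's own code), here is a small Python checker that walks a squid.conf in the same top-down order Squid parses it and reports every ACL name used by an access directive before it was defined. The two embedded configs are constructed from the rules visible in the output above; the set of implicitly defined Squid ACL names (`all`, `manager`, `localhost`, `to_localhost`) is an assumption taken from the Squid documentation for 3.2+ rather than something stated on this page.

```python
"""Flag squid.conf access rules that reference ACLs not yet defined.

Squid parses its config top-down and resolves ACL names at the point an
http_access / ssl_bump / ... line is read, so an ACL defined *later* (or
never, as with SSL_ports above) produces 'ACL not found' and a FATAL exit.
"""
from typing import List, Tuple

# ACL names Squid 3.2+ predefines implicitly (assumption from Squid docs).
BUILTIN_ACLS = {"all", "manager", "localhost", "to_localhost"}

# Directives whose tokens after the action keyword are ACL references.
# Covers the http_access rules above and the ssl_bump rules used for
# splice/no-bump decisions.
ACL_USING_DIRECTIVES = {
    "http_access", "http_reply_access", "ssl_bump",
    "always_direct", "never_direct", "cache",
}


def strip_comment(line: str) -> str:
    """Drop a trailing '# ...' comment, e.g. 'acl Safe_ports port 80 # http'."""
    return line.split("#", 1)[0].strip()


def check_acl_references(conf_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, directive, acl_name) for each ACL referenced before
    it is defined. Squid itself stops at the first one; we list them all."""
    defined = set(BUILTIN_ACLS)
    problems: List[Tuple[int, str, str]] = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = strip_comment(raw)
        if not line:
            continue
        tokens = line.split()
        directive = tokens[0]
        if directive == "acl" and len(tokens) >= 3:
            defined.add(tokens[1])          # 'acl NAME TYPE args...'
        elif directive in ACL_USING_DIRECTIVES and len(tokens) >= 2:
            for token in tokens[2:]:        # tokens[1] is allow/deny/splice/...
                name = token.lstrip("!")    # '!NAME' negates the ACL, same lookup
                if name and name not in defined:
                    problems.append((line_no, directive, name))
    return problems


# Constructed sample mirroring the rules in the 'squid -k parse' output above
# (the SSL_ports ACL is missing, exactly as in the failing config).
BROKEN_CONF = """\
# constructed sample mirroring the rules in the 'squid -k parse' output
http_port 127.0.0.1:3128 intercept
http_port [::1]:3128 intercept
http_port 192.168.1.200:3128
acl ftp proto FTP
http_access allow ftp
acl localnet src 192.168.1.0/24 # Possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl subnets src 192.168.1.0/24
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
icap_enable off
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
"""

# Same config with the one line the GUI generates once 443:https is entered
# in 'Allowed SSL ports' (constructed; placed before its first use).
FIXED_CONF = BROKEN_CONF.replace(
    "acl CONNECT method CONNECT",
    "acl SSL_ports port 443 # https\nacl CONNECT method CONNECT",
    1,
)


def report(conf_text: str) -> List[str]:
    """Render findings in the spirit of Squid's own 'Bungled ... line N' message."""
    return [
        f"line {line_no}: {directive} references undefined ACL '{name}'"
        for line_no, directive, name in check_acl_references(conf_text)
    ]


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        findings = report(conf)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  " + finding)
```

Running it prints one finding for the broken config (line 17, `http_access` referencing `SSL_ports`) and nothing for the fixed one. The check is deliberately order-sensitive because Squid is: defining the ACL after the rule that uses it would still fail `squid -k parse`.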
#2
17.1 Legacy Series / Proxy won't start
May 11, 2017, 10:44:21 AM
Hello all
Just set up the proxy on 17.1.5 following the howto exactly.

When I try to start the service, it simply doesn't start.

Any idea?

TIA

OPNsense 17.1.5-amd64
FreeBSD 11.0-RELEASE-p8
#3
Hello all,
anyone on this?

TIA

emilio
#4
Hello Fabian,
unfortunately this doesn't solve the problem.

As I said, the strange thing is that the https/SSL connections from the nagios host to other external hosts on ports other than 443 (i.e. port 444) work as expected.

So I've made a little experiment here with the Allowed destination ports (proxy ACL advanced settings).
Please review the attached screenshots: _3 and _4.

Removed the default 443:https port and placed the 444:https port instead.
In this condition the nagios connection on port 443 fails, but now with the Access denied message (as expected, I think), while the nagios connection on port 444 works OK.

Then removed all 444:https settings from both the TCP and SSL ACL proxy fields and left them blank, without the default 443 settings.
In this condition the nagios host has THE SAME behaviour as above, with failed 443 connections and working 444 connections, even though there are no apparent settings that permit such a thing.

It seems to me that there is some hardcoded parameter over there, or maybe I need some more help...

TIA

emilio
#5
Thank you jamerson for your time.

I've double-checked all settings and attached some screenshots.

If the Unrestricted IP means that ALL traffic from origin to destination is left untouched by the transparent proxy, including SSL bumping, then probably I have some strange behaviour here, because it works for some IPs while for others not at all.

I'll try to sketch up the whole thing with transparent proxy + SSL proxy:

nagios (LAN) check host1 on port 4444 > opnsense > WAN > monitored host1 (https port 4444) THIS IS OK
nagios (LAN) check host2 on port 443 > opnsense > WAN > monitored host2 (https port 443) THIS IS BLOCKED

The block error (from the proxy) is the one I've already pasted in the previous message.

TIA

emilio


#6
Hello jamerson,
yes, I've configured a self-signed cert for the proxy according to the man pages.

Then I've imported the cert into the browsers I usually use to surf the internet and into the OS for some additional apps.
So if I'm not wrong, I should import the same cert on the nagios machine in order to get the correct behaviour.

What I don't understand here is why the Unrestricted IP address setting seems not to work, or maybe it is not the correct field to fill in for my specific case.

TIA

emilio

#7
Thanks for your answer,
yes, I've configured both HTTP and HTTPS for the transparent proxy.

I've also tried stopping and restarting the proxy service, to no avail in my case.

emilio
#8
Thanks jamerson,
I've already tried that (see original post).

Anyway, I re-tried what you suggested to double-check.
Unfortunately this didn't do the trick, and even if I put the LAN IP of my nagios host in the unrestricted IPs, I get this error trying to connect to the destination host:

The following error was encountered while trying to retrieve the URL: https://idrac/*

Failed to establish a secure connection to xxx.xxx.xxx.xxx

The system returned:

(92) Protocol error (TLS code: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
Self-signed SSL Certificate: /C=US/ST=Texas/L=Round Rock/O=Dell Inc./OU=Remote Access Group/CN=idrac/emailAddress=support@dell.com

This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.

Your cache administrator is admin@localhost.local.

What I need is a way to bypass SSL bumping (not the proxy) for a given host(s) on my network.

TIA

emilio
#9
Hello all
I set up a transparent proxy on opnsense 16.1 (both HTTP and SSL).

Now I would like to have periodic reports of every hit (site) each internal LAN IP navigated to.
Just tried out the Insight > Details section, but I cannot find a way to have an IP > hostname field in order to get a detailed list of site hits by user or by LAN IP.

Is it possible? If so, how?

Many thanks for any help

TIA

emilio
#10
Hello all
I've set up a transparent proxy with both HTTP and SSL and all seems OK there.
Then I've put some domains in the 'SSL no bump sites' list in order for these sites to be passed through the proxy.

Now I have a monitoring host (nagios) in my LAN which talks to many external (monitored) hosts on the standard 443 port. I would like to just add the nagios IP address in a way that the proxy leaves this IP untouched, instead of adding a very long list of external IPs to the 'SSL no bump sites' list.

Is it possible?

If so where are the settings in the web gui?

I've already tried out some settings in Forward proxy > ACL, but that setting (Unrestricted IP addresses) seems to just have to do with IP addresses (as stated by the label) and nothing on the SSL side.

TIA

emilio
#11
Many thanks to all who contributed to solve this problem.

See you

emilio
#12
Thank you very much Franco.

good to know.
So do I have to do something else here to help?
Consider that the ADI device is already upgraded to opnsense now.

TIA

emilio
#13
Hello,
I've just used the bootstrap solution and the upgrade to opnsense was successful.

To know the config files of the ADI version from pfsense, I think it would just be a matter of extracting them, isn't it?

If so, I can try to do that and post the config here.

thanks all

emilio
#14
Thanks chemlud and franco for your kind help.

I've just tried out downloading the latest image from pfsense site.
Noticed that they posted 3 images there: amd64, i386 and a curious Netgate ADI.

Tried out the amd64 and got the same behaviour I had originally with opnsense images (serial console output stops on kernel boot).
Then tried the Netgate ADI and yes, this image is working as expected.

Didn't check the FreeBSD version though.

In the meantime I'll check the bootstrap option and report back here later.

TIA

emilio
#15
Hello Chemlud and thanks for your support.
I sent netgate a message days ago in order to get some support to sort the issue, to no avail; apparently they didn't reply to my email...

Any further advice on this?

Any way to reach them (netgate) directly (some real person)?

TIA

emilio