OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of t.mayer »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - t.mayer

Pages: [1]
1
Web Proxy Filtering and Caching / Re: ACL > Whitelist not not considered when using Remote ACL
« on: April 15, 2020, 02:21:24 pm »
I have exactly the same settings.

2
Web Proxy Filtering and Caching / Re: ACL > Whitelist not not considered when using Remote ACL
« on: April 06, 2020, 10:34:15 am »
Many thanks for your effort, but manually editing shallalist will not solve the bug. And when shallalist gets updated all changes are gone.

I really would like to initiate a discussion in this thread about eliminating the bug:
the whitelist ist not considered when using remote blacklist in combination with transparent-ssl-sni squid-setting

And as hbc confirms: it really seems to be a bug!

3
Web Proxy Filtering and Caching / Re: ACL > Whitelist not not considered when using Remote ACL
« on: April 05, 2020, 08:49:10 am »
WPAD and static proxy are also working for me - but with mobile clients it would be much more easier to use sni.

I found a similar problem on pfsense-forum:
https://forum.netgate.com/topic/128492/we-are-trying-to-work-with-squid-proxy-squidguard-but-whitelist-dont-work

I really think it's  bug.
The question now: is it a squid-bug or an opnsense-bug?

4
Web Proxy Filtering and Caching / Re: ACL > Whitelist not not considered when using Remote ACL
« on: March 31, 2020, 03:58:52 pm »
@Amr

Thanks for trying to help me. But I think - sorry if this is impolite - you can not help me until you really want to recognize my problem.

You say that it is weird that i am using internal certificate - 5 lines further you explain that you are using internal certificate as well. Further you claim that you have tested the same installation, but you don't use a remote acl like shalla list.

The problem is neither the internal certificate nor antivirus (not used).
The problem is the shallalist in combination with transparent/ssl/sni-proxy: whitelisted entrys are blocked. All the rest is working as expected.

Greeds an thanks for you help.

5
Web Proxy Filtering and Caching / Re: ACL > Whitelist not not considered when using Remote ACL
« on: March 29, 2020, 09:35:29 am »
The error is - as always when blocking https - not a squid-error but a browser-certificate-error:
NET::ERR_CERT_AUTHORITY_INVALID

I have reset the cache and restarted squid lots of times...

Can you test, if a whitelisted entry works when blocking with transparent proxy with ssl and sni on your installation?

I think its a bug!

6
Web Proxy Filtering and Caching / Re: ACL > Whitelist not not considered when using Remote ACL
« on: March 27, 2020, 05:49:44 pm »
@Amr: Thanks to your response!

I think you got me wrong. The Proxy-NAT works as expected. I can access all websites with proxy except those that I have blocked by an active shallalist-category.

NAT-Rules:
  • Interface: LAN / Proto: TCP / Destination-Port: 80 / NAT-IP: 127.0.0.1 / NAT-Port: 3128
  • Interface: LAN / Proto: TCP / Destination-Port:443 / NAT-IP: 127.0.0.1 / NAT-Port: 3129

The problem is that the whitelist (e. g. for instagram.com) is not considered  when using a remote acl (e. g. shallalist with active category socialnet) when using proxy in transparent/ssl/sni-mode.

The whitelist is only considered when the proxy is used in non-transparent mode.

Greeds
Tom

7
Web Proxy Filtering and Caching / Re: ACL > Whitelist not not considered when using Remote ACL
« on: March 25, 2020, 04:21:21 pm »
@Amr: Thanks for your answer.

The problem to me still exists.
I found out that it has to do something with the ssl/sni-only-settings.

Here is what i have tested:
  • Remote-ACL: Shallalist with only one aktive category: socialnet
  • URL for testing: instagram.com
Case 1: No Entry in ACL-Whitelist
Setting Browser to use Proxy-Port 3128
> instagram.com can't be reached
> functioning as expected

Setting Browser to not use Proxy (Proxy now transparent via SSL/SNI only)
> instagram.com can't be reached
> functioning as expected

Case 2: Entry in ACL-Whitelist: instagram.com
Setting Browser to use Proxy-Port 3128
> instagram.com can be reached
> functioning as expected

Setting Browser to not use Proxy (Proxy now transparent via SSL/SNI only)
> instagram.com can't be reached
> BUG?
> instagram.com as entry in SSL no bump sites has also no effect on this

Hopefully my description is understandable.

Greeds
Tom

8
Web Proxy Filtering and Caching / Re: ACL > Whitelist not not considered when using Remote ACL
« on: January 23, 2020, 07:48:34 pm »
May I ask again if there is anybody with an idea?

9
Web Proxy Filtering and Caching / ACL > Whitelist not not considered when using Remote ACL
« on: January 07, 2020, 11:55:14 am »
I have configured the OPNsense-Webproxy with shallalist as Remote ACL.
For some exceptions i always used the Whitelist under Access Control List > Whitelist.
When i try to open a domain blocked by shallalist-category but with a corresponding entry in the whitelist, the domain still will be blocked.

Version of OPNSense: 19.7.8

Forward-Proxy-Config:
- Interface: LAN
- Port: 3128 / SSL: 3129
- Transparent http-Proxy
- SSL inspection
- SNI only

Thanks for your help!

Greeds
Tom

10
Web Proxy Filtering and Caching / Re: Do not allow IP-Addresses in URL
« on: March 18, 2019, 03:04:18 pm »
When then somebody should use a proxy?

Because of the possibility of serveral URLs behind the same IP blocking ips via firewall can not be the preferred solution. I just don't want users to bypass the proxy by typing the corresponding ip-address of an url into the browser.

Moreover I do not see the possibility to load a list like the shallalist into the firewall-alias-section. Cloud you explain how to load a list into the alias-section?

My solution for now are the following settings in Services: Web Proxy: Administration: Forward Proxy: Access Control List
  • Whitelist: 172\.16\.[0-9]+\.[0-9]+ (allowing local ips [172.20.0.0/16] in urls)
  • Blacklist: [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ (denyig all other ips in urls)


11
General Discussion / HAProxy > Public Services > Select Rules > one rule is always missing
« on: March 10, 2019, 10:42:22 am »
When I want to select rules for a public service (frontend), the dropdown always shows one rule less as i have defined in the rules section.
Example: When I have defined 9 rules in the rules-section, only 8 rules are shown in the select-rules-dropdown of a public service.

I  observed this behaviour on Firefox and Chromium.

Can you help me?
Greeds and Thanks!
Tom.

12
Web Proxy Filtering and Caching / Do not allow IP-Addresses in URL
« on: March 09, 2019, 11:36:42 am »
I have a working opnsense-proxy with shallalist as webfilter.

When I try to open an url from a blocked category, it wont open (as expected).
But when i use the ip of the webserver hosting the url, i can reach the website.

Is there way to block external ip-addresses in urls.
Defining the regex [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ in Forward Proxy > Blacklist does also block internal ips in urls.

13
Web Proxy Filtering and Caching / Re: Web Proxy - Proxy Port 800 not possible
« on: March 08, 2019, 08:31:44 am »
Hey Fabian,

thanks for the quick response!
Your suggestion works for me with the following NAT-rule:
  • Interface: LAN
  • TCP/Protocol: IPv4/TCP+UDP
  • Destination port range: 800
  • Redirect target ip: <ip of OPNsense>
  • Redirect target port: 3128
Thanks for your help!

14
Web Proxy Filtering and Caching / Web Proxy - Proxy Port 800 not possible
« on: March 07, 2019, 08:23:40 pm »
Due tu historical reasons our students are using port 800 in there mobile-device-proxy-settings.
No I want to switch from pfsense (where port 800 was possible ) to opnsense.
When I change the default port (3128) to 800 the proxy-server wont start again.

Error in the logs: Fatal: Unable to open http socket
On the console sockstat -4 -l does not show port 800 to be in use.

Can you help me please!

Greeds and thanks!
Tom

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2021 All rights reserved
  • SMF 2.0.17 | SMF © 2019, Simple Machines
    Privacy Policy
    | XHTML | RSS | WAP2