1
Web Proxy Filtering and Caching / Re: ACL > Whitelist not not considered when using Remote ACL
« on: April 15, 2020, 02:21:24 pm »
I have exactly the same settings.
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
Web Proxy Filtering and Caching / Re: ACL > Whitelist not not considered when using Remote ACL
« on: April 06, 2020, 10:34:15 am »
Many thanks for your effort, but manually editing shallalist will not solve the bug. And when shallalist gets updated all changes are gone.
I really would like to initiate a discussion in this thread about eliminating the bug:
the whitelist ist not considered when using remote blacklist in combination with transparent-ssl-sni squid-setting
And as hbc confirms: it really seems to be a bug!
I really would like to initiate a discussion in this thread about eliminating the bug:
the whitelist ist not considered when using remote blacklist in combination with transparent-ssl-sni squid-setting
And as hbc confirms: it really seems to be a bug!
3
Web Proxy Filtering and Caching / Re: ACL > Whitelist not not considered when using Remote ACL
« on: April 05, 2020, 08:49:10 am »
WPAD and static proxy are also working for me - but with mobile clients it would be much more easier to use sni.
I found a similar problem on pfsense-forum:
https://forum.netgate.com/topic/128492/we-are-trying-to-work-with-squid-proxy-squidguard-but-whitelist-dont-work
I really think it's bug.
The question now: is it a squid-bug or an opnsense-bug?
I found a similar problem on pfsense-forum:
https://forum.netgate.com/topic/128492/we-are-trying-to-work-with-squid-proxy-squidguard-but-whitelist-dont-work
I really think it's bug.
The question now: is it a squid-bug or an opnsense-bug?
4
Web Proxy Filtering and Caching / Re: ACL > Whitelist not not considered when using Remote ACL
« on: March 31, 2020, 03:58:52 pm »
@Amr
Thanks for trying to help me. But I think - sorry if this is impolite - you can not help me until you really want to recognize my problem.
You say that it is weird that i am using internal certificate - 5 lines further you explain that you are using internal certificate as well. Further you claim that you have tested the same installation, but you don't use a remote acl like shalla list.
The problem is neither the internal certificate nor antivirus (not used).
The problem is the shallalist in combination with transparent/ssl/sni-proxy: whitelisted entrys are blocked. All the rest is working as expected.
Greeds an thanks for you help.
Thanks for trying to help me. But I think - sorry if this is impolite - you can not help me until you really want to recognize my problem.
You say that it is weird that i am using internal certificate - 5 lines further you explain that you are using internal certificate as well. Further you claim that you have tested the same installation, but you don't use a remote acl like shalla list.
The problem is neither the internal certificate nor antivirus (not used).
The problem is the shallalist in combination with transparent/ssl/sni-proxy: whitelisted entrys are blocked. All the rest is working as expected.
Greeds an thanks for you help.
5
Web Proxy Filtering and Caching / Re: ACL > Whitelist not not considered when using Remote ACL
« on: March 29, 2020, 09:35:29 am »
The error is - as always when blocking https - not a squid-error but a browser-certificate-error:
NET::ERR_CERT_AUTHORITY_INVALID
I have reset the cache and restarted squid lots of times...
Can you test, if a whitelisted entry works when blocking with transparent proxy with ssl and sni on your installation?
I think its a bug!
NET::ERR_CERT_AUTHORITY_INVALID
I have reset the cache and restarted squid lots of times...
Can you test, if a whitelisted entry works when blocking with transparent proxy with ssl and sni on your installation?
I think its a bug!
6
Web Proxy Filtering and Caching / Re: ACL > Whitelist not not considered when using Remote ACL
« on: March 27, 2020, 05:49:44 pm »
@Amr: Thanks to your response!
I think you got me wrong. The Proxy-NAT works as expected. I can access all websites with proxy except those that I have blocked by an active shallalist-category.
NAT-Rules:
The problem is that the whitelist (e. g. for instagram.com) is not considered when using a remote acl (e. g. shallalist with active category socialnet) when using proxy in transparent/ssl/sni-mode.
The whitelist is only considered when the proxy is used in non-transparent mode.
Greeds
Tom
I think you got me wrong. The Proxy-NAT works as expected. I can access all websites with proxy except those that I have blocked by an active shallalist-category.
NAT-Rules:
- Interface: LAN / Proto: TCP / Destination-Port: 80 / NAT-IP: 127.0.0.1 / NAT-Port: 3128
- Interface: LAN / Proto: TCP / Destination-Port:443 / NAT-IP: 127.0.0.1 / NAT-Port: 3129
The problem is that the whitelist (e. g. for instagram.com) is not considered when using a remote acl (e. g. shallalist with active category socialnet) when using proxy in transparent/ssl/sni-mode.
The whitelist is only considered when the proxy is used in non-transparent mode.
Greeds
Tom
7
Web Proxy Filtering and Caching / Re: ACL > Whitelist not not considered when using Remote ACL
« on: March 25, 2020, 04:21:21 pm »
@Amr: Thanks for your answer.
The problem to me still exists.
I found out that it has to do something with the ssl/sni-only-settings.
Here is what i have tested:
Setting Browser to use Proxy-Port 3128
> instagram.com can't be reached
> functioning as expected
Setting Browser to not use Proxy (Proxy now transparent via SSL/SNI only)
> instagram.com can't be reached
> functioning as expected
Case 2: Entry in ACL-Whitelist: instagram.com
Setting Browser to use Proxy-Port 3128
> instagram.com can be reached
> functioning as expected
Setting Browser to not use Proxy (Proxy now transparent via SSL/SNI only)
> instagram.com can't be reached
> BUG?
> instagram.com as entry in SSL no bump sites has also no effect on this
Hopefully my description is understandable.
Greeds
Tom
The problem to me still exists.
I found out that it has to do something with the ssl/sni-only-settings.
Here is what i have tested:
- Remote-ACL: Shallalist with only one aktive category: socialnet
- URL for testing: instagram.com
Setting Browser to use Proxy-Port 3128
> instagram.com can't be reached
> functioning as expected
Setting Browser to not use Proxy (Proxy now transparent via SSL/SNI only)
> instagram.com can't be reached
> functioning as expected
Case 2: Entry in ACL-Whitelist: instagram.com
Setting Browser to use Proxy-Port 3128
> instagram.com can be reached
> functioning as expected
Setting Browser to not use Proxy (Proxy now transparent via SSL/SNI only)
> instagram.com can't be reached
> BUG?
> instagram.com as entry in SSL no bump sites has also no effect on this
Hopefully my description is understandable.
Greeds
Tom
8
Web Proxy Filtering and Caching / Re: ACL > Whitelist not not considered when using Remote ACL
« on: January 23, 2020, 07:48:34 pm »
May I ask again if there is anybody with an idea?
9
Web Proxy Filtering and Caching / ACL > Whitelist not not considered when using Remote ACL
« on: January 07, 2020, 11:55:14 am »
I have configured the OPNsense-Webproxy with shallalist as Remote ACL.
For some exceptions i always used the Whitelist under Access Control List > Whitelist.
When i try to open a domain blocked by shallalist-category but with a corresponding entry in the whitelist, the domain still will be blocked.
Version of OPNSense: 19.7.8
Forward-Proxy-Config:
- Interface: LAN
- Port: 3128 / SSL: 3129
- Transparent http-Proxy
- SSL inspection
- SNI only
Thanks for your help!
Greeds
Tom
For some exceptions i always used the Whitelist under Access Control List > Whitelist.
When i try to open a domain blocked by shallalist-category but with a corresponding entry in the whitelist, the domain still will be blocked.
Version of OPNSense: 19.7.8
Forward-Proxy-Config:
- Interface: LAN
- Port: 3128 / SSL: 3129
- Transparent http-Proxy
- SSL inspection
- SNI only
Thanks for your help!
Greeds
Tom
10
Web Proxy Filtering and Caching / Re: Do not allow IP-Addresses in URL
« on: March 18, 2019, 03:04:18 pm »
When then somebody should use a proxy?
Because of the possibility of serveral URLs behind the same IP blocking ips via firewall can not be the preferred solution. I just don't want users to bypass the proxy by typing the corresponding ip-address of an url into the browser.
Moreover I do not see the possibility to load a list like the shallalist into the firewall-alias-section. Cloud you explain how to load a list into the alias-section?
My solution for now are the following settings in Services: Web Proxy: Administration: Forward Proxy: Access Control List
Because of the possibility of serveral URLs behind the same IP blocking ips via firewall can not be the preferred solution. I just don't want users to bypass the proxy by typing the corresponding ip-address of an url into the browser.
Moreover I do not see the possibility to load a list like the shallalist into the firewall-alias-section. Cloud you explain how to load a list into the alias-section?
My solution for now are the following settings in Services: Web Proxy: Administration: Forward Proxy: Access Control List
- Whitelist: 172\.16\.[0-9]+\.[0-9]+ (allowing local ips [172.20.0.0/16] in urls)
- Blacklist: [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ (denyig all other ips in urls)
11
General Discussion / HAProxy > Public Services > Select Rules > one rule is always missing
« on: March 10, 2019, 10:42:22 am »
When I want to select rules for a public service (frontend), the dropdown always shows one rule less as i have defined in the rules section.
Example: When I have defined 9 rules in the rules-section, only 8 rules are shown in the select-rules-dropdown of a public service.
I observed this behaviour on Firefox and Chromium.
Can you help me?
Greeds and Thanks!
Tom.
Example: When I have defined 9 rules in the rules-section, only 8 rules are shown in the select-rules-dropdown of a public service.
I observed this behaviour on Firefox and Chromium.
Can you help me?
Greeds and Thanks!
Tom.
12
Web Proxy Filtering and Caching / Do not allow IP-Addresses in URL
« on: March 09, 2019, 11:36:42 am »
I have a working opnsense-proxy with shallalist as webfilter.
When I try to open an url from a blocked category, it wont open (as expected).
But when i use the ip of the webserver hosting the url, i can reach the website.
Is there way to block external ip-addresses in urls.
Defining the regex [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ in Forward Proxy > Blacklist does also block internal ips in urls.
When I try to open an url from a blocked category, it wont open (as expected).
But when i use the ip of the webserver hosting the url, i can reach the website.
Is there way to block external ip-addresses in urls.
Defining the regex [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ in Forward Proxy > Blacklist does also block internal ips in urls.
13
Web Proxy Filtering and Caching / Re: Web Proxy - Proxy Port 800 not possible
« on: March 08, 2019, 08:31:44 am »
Hey Fabian,
thanks for the quick response!
Your suggestion works for me with the following NAT-rule:
thanks for the quick response!
Your suggestion works for me with the following NAT-rule:
- Interface: LAN
- TCP/Protocol: IPv4/TCP+UDP
- Destination port range: 800
- Redirect target ip: <ip of OPNsense>
- Redirect target port: 3128
14
Web Proxy Filtering and Caching / Web Proxy - Proxy Port 800 not possible
« on: March 07, 2019, 08:23:40 pm »
Due tu historical reasons our students are using port 800 in there mobile-device-proxy-settings.
No I want to switch from pfsense (where port 800 was possible ) to opnsense.
When I change the default port (3128) to 800 the proxy-server wont start again.
Error in the logs: Fatal: Unable to open http socket
On the console sockstat -4 -l does not show port 800 to be in use.
Can you help me please!
Greeds and thanks!
Tom
No I want to switch from pfsense (where port 800 was possible ) to opnsense.
When I change the default port (3128) to 800 the proxy-server wont start again.
Error in the logs: Fatal: Unable to open http socket
On the console sockstat -4 -l does not show port 800 to be in use.
Can you help me please!
Greeds and thanks!
Tom
Pages: [1]