Topics - Bismarck

1
21.1 Legacy Series / Rspamd Greylist Whitelist...
« on: February 22, 2021, 10:40:23 am »
... isn't working because of a typo:

Code:
whitelist_ip

should be

Code:
whitelisted_ip
https://rspamd.com/doc/modules/greylisting.html

Regards

2
Web Proxy Filtering and Caching / Web Proxy SSL No Bumb eg. Wifi Guests
« on: January 22, 2021, 04:04:51 pm »
Long time lurker, first time poster.

Coming from pfSense to OPNSense, still trying to make things the way I'm used to. In pfSense there is an option in Squid where you can enable SSL inspection with a custom config, which lets you do things like SSLBump on the LAN interface and just Splice on the WIFI interface. So you don't get TLS errors about broken certificates and so on, but still maintain a layer of protection with SNI and acl blacklisting.

Unfortunately in OPNSense there is no such option for the Web Proxy, but with a little tinkering I figured out how to make it work here as well.

We need to modify one file, which may get overwritten on updates, but anyway, here we go:

1. In Services: Web Proxy: Administration, enable "Enable SSL inspection" and apply.

2. You need to edit /usr/local/opnsense/service/templates/OPNsense/Proxy/squid.conf

from:
# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"

# configure bump
{% if helpers.exists('OPNsense.proxy.forward.sslurlonly') and OPNsense.proxy.forward.sslurlonly == '1' %}
ssl_bump peek bump_step1 all
ssl_bump splice all
ssl_bump peek bump_step2 all
ssl_bump splice bump_step3 all
ssl_bump bump

{% else %}
ssl_bump peek bump_step1 all
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump stare bump_step2
ssl_bump bump bump_step3
{% endif %}

to:
# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
acl splice_only src 10.10.10.0/24
acl splice_only src 10.10.20.9
acl splice_only src 192.168.0.13
# configure bump
{% if helpers.exists('OPNsense.proxy.forward.sslurlonly') and OPNsense.proxy.forward.sslurlonly == '1' %}
ssl_bump peek bump_step1 all
ssl_bump splice all
ssl_bump peek bump_step2 all
ssl_bump splice bump_step3 all
ssl_bump bump

{% else %}
ssl_bump peek bump_step1 all
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump peek bump_step2 splice_only
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump splice bump_step3 splice_only
ssl_bump stare bump_step2
ssl_bump bump bump_step3
{% endif %}

and save the changes.

3. Next in Services: Web Proxy: Administration, just hit apply.

Now you should have full SSL inspection everywhere, except on clients in the 10.10.10.0/24 network or single IPs like 10.10.20.9 and 192.168.0.13, which only get spliced, so they don't need a cert to be installed and thus have no cert errors.

Hope someone will find this useful, maybe a dev can make this as an option in the WebGUI of the Web Proxy.

Thanks
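As an added example (not from the post above and not OPNsense or Squid code), here is a small Python simulation of how Squid walks the ssl_bump rules per step, so you can check which clients end up spliced versus bumped before touching the template. It assumes a constructed `SAMPLE_CONF` equal to the rendered "else" branch of the modified config, and a constructed `NOBUMP_SITES` set standing in for the nobumpsites.acl file; `ORIGINAL_CONF` is the same config with the splice_only lines removed, to show the before/after difference.

```python
import ipaddress
# Constructed sample: the "else" branch of the modified template above, rendered to plain squid.conf.
SAMPLE_CONF = """\
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
acl splice_only src 10.10.10.0/24
acl splice_only src 10.10.20.9
acl splice_only src 192.168.0.13
ssl_bump peek bump_step1 all
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump peek bump_step2 splice_only
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump splice bump_step3 splice_only
ssl_bump stare bump_step2
ssl_bump bump bump_step3
"""
# The stock OPNsense rules are the same config without the splice_only lines.
ORIGINAL_CONF = "\n".join(l for l in SAMPLE_CONF.splitlines() if "splice_only" not in l)
NOBUMP_SITES = {"bank.example"}  # constructed stand-in for the nobumpsites.acl file contents

def parse(conf):
    """Collect ACLs (repeated name = OR of values) and ssl_bump rules in file order."""
    acls, rules = {"all": [("all", "")]}, []  # Squid predefines 'acl all src all'
    for parts in (line.split() for line in conf.splitlines()):
        if parts[:1] == ["acl"]:
            acls.setdefault(parts[1], []).append((parts[2], parts[3]))
        elif parts[:1] == ["ssl_bump"]:
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, name, step, client_ip, sni):
    for kind, value in acls[name]:  # any value matching makes the ACL true
        if (kind == "all" or kind == "at_step" and value == f"SslBump{step}"
                or kind == "src" and ipaddress.ip_address(client_ip) in ipaddress.ip_network(value, strict=False)
                or kind == "ssl::server_name" and sni in NOBUMP_SITES):
            return True
    return False

def decide(conf, client_ip, sni):
    """Action taken at each SslBump step: first rule whose ACLs all match wins; splice/bump end it."""
    acls, rules = parse(conf)
    actions = []
    for step in (1, 2, 3):
        hits = [a for a, names in rules if all(acl_matches(acls, n, step, client_ip, sni) for n in names)]
        actions.append(hits[0] if hits else "splice")  # Squid tunnels (splices) when no rule matches
        if actions[-1] in ("splice", "bump", "terminate"):
            break
    return actions
```

Running `decide(SAMPLE_CONF, "10.10.10.5", "example.com")` gives peek, peek, splice, while the same client against `ORIGINAL_CONF` gets peek, stare, bump, which is exactly the cert-error case the modification avoids.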
