Show Posts

Messages - hv-tech

1
Web Proxy Filtering and Caching / Re: Problems with Squid Proxy SSLi after reinstall - config from backup
« on: March 07, 2023, 09:30:06 pm »
Okay, silly me. I reapplied the cert to the trust area and it works now. Must have added the wrong cert originally. Thanks for the help, Fright; another head helped with this.

2
Web Proxy Filtering and Caching / Re: Problems with Squid Proxy SSLi after reinstall - config from backup
« on: March 07, 2023, 06:51:30 pm »
Simple Windows manual proxy configuration.

3
Web Proxy Filtering and Caching / Re: Problems with Squid Proxy SSLi after reinstall - config from backup
« on: March 07, 2023, 06:43:01 pm »
Same problem on a different PC. Nothing has been changed on the end points. Just the reinstall of Opnsense.

4
Web Proxy Filtering and Caching / Re: Problems with Squid Proxy SSLi after reinstall - config from backup
« on: March 07, 2023, 06:38:33 pm »
I have another machine that I can test with, I'll give it a try.

5
Web Proxy Filtering and Caching / Re: Problems with Squid Proxy SSLi after reinstall - config from backup
« on: March 07, 2023, 05:56:40 pm »
Screenshot attached:

6
Web Proxy Filtering and Caching / Re: Problems with Squid Proxy SSLi after reinstall - config from backup
« on: March 07, 2023, 05:55:47 pm »
You're right, it is, but it doesn't seem to want to hit that port.

7
Web Proxy Filtering and Caching / Problems with Squid Proxy SSLi after reinstall - config from backup
« on: March 07, 2023, 04:55:33 pm »
Hi Forum,

So I recently had to rebuild my Opnsense box, and redeployed the backed up config. Everything is fine except the Squid proxy. So the proxy works unless I use SSLi. I did everything that anyone might think of: reinstall squid packages (from the GUI), redeploy the SSL cert for SSLi, tried a different interface. Nothing works, anyone have any ideas?


Posted are the 'cache logs'.
2023-03-07T10:52:11       squid   kid1| ERROR: failure while accepting a TLS connection on conn163 local=172.16.10.1:3128 remote=172.16.10.6:1180 FD 17 flags=1: 0x81cd39680*1   
2023-03-07T10:52:11       squid   kid1| ERROR: failure while accepting a TLS connection on conn162 local=172.16.10.1:3128 remote=172.16.10.6:1179 FD 13 flags=1: 0x81cd39680*1   
2023-03-07T10:52:10       squid   kid1| ERROR: failure while accepting a TLS connection on conn156 local=172.16.10.1:3128 remote=172.16.10.6:1178 FD 13 flags=1: 0x81cd39680*1   
2023-03-07T10:52:10       squid   kid1| ERROR: failure while accepting a TLS connection on conn150 local=172.16.10.1:3128 remote=172.16.10.6:1177 FD 13 flags=1: 0x81cd39680*1   
2023-03-07T10:52:10       squid   kid1| ERROR: failure while accepting a TLS connection on conn144 local=172.16.10.1:3128 remote=172.16.10.6:1176 FD 13 flags=1: 0x81cd39680*1   
2023-03-07T10:52:09       squid   kid1| ERROR: failure while accepting a TLS connection on conn138 local=172.16.10.1:3128 remote=172.16.10.6:1175 FD 13 flags=1: 0x81cd39680*1   
2023-03-07T10:52:08       squid   kid1| ERROR: failure while accepting a TLS connection on conn132 local=172.16.10.1:3128 remote=172.16.10.6:1174 FD 13 flags=1: 0x81cd39680*1   
2023-03-07T10:52:08       squid   kid1| ERROR: failure while accepting a TLS connection on conn126 local=172.16.10.1:3128 remote=172.16.10.6:1173 FD 17 flags=1: 0x81cd39680*1   
2023-03-07T10:52:08       squid   kid1| ERROR: failure while accepting a TLS connection on conn79 local=172.16.10.1:3128 remote=172.16.10.6:1164 FD 19 flags=1: 0x81cd39680*1   
2023-03-07T10:52:08       squid   kid1| ERROR: failure while accepting a TLS connection on conn120 local=172.16.10.1:3128 remote=172.16.10.6:1172 FD 13 flags=1: 0x81cd39680*1   
            listening port: 172.16.10.1:3128   
2023-03-07T10:52:08       squid   kid1| ERROR: failure while accepting a TLS connection on conn90 local=172.16.10.1:3128 remote=172.16.10.6:1171 FD 36 flags=1: 0x81cd3a940*1   
2023-03-07T10:52:08       squid   kid1| ERROR: failure while accepting a TLS connection on conn81 local=172.16.10.1:3128 remote=172.16.10.6:1166 FD 22 flags=1: 0x81cd3a940*1   
2023-03-07T10:52:08       squid   kid1| ERROR: failure while accepting a TLS connection on conn78 local=172.16.10.1:3128 remote=172.16.10.6:1163 FD 17 flags=1: 0x81cd3a940*1   
2023-03-07T10:52:08       squid   kid1| ERROR: failure while accepting a TLS connection on conn75 local=172.16.10.1:3128 remote=172.16.10.6:1160 FD 13 flags=1: 0x81cd3a4c0*1
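A small triage helper for the cache.log excerpt above, added here as an example and not part of the original post or of Squid: it parses the "failure while accepting a TLS connection" lines and counts failed handshakes per client and listener, which is how you spot a client that does not trust the SSL-bump CA (the cause found later in this thread). The sample lines below are constructed in the same shape as the log above.

```python
import re
from collections import Counter

# Constructed sample, shaped like the cache.log excerpt above (not real captured data).
SAMPLE_LOG = """\
2023-03-07T10:52:11       squid   kid1| ERROR: failure while accepting a TLS connection on conn163 local=172.16.10.1:3128 remote=172.16.10.6:1180 FD 17 flags=1: 0x81cd39680*1
2023-03-07T10:52:11       squid   kid1| ERROR: failure while accepting a TLS connection on conn162 local=172.16.10.1:3128 remote=172.16.10.6:1179 FD 13 flags=1: 0x81cd39680*1
2023-03-07T10:52:10       squid   kid1| ERROR: failure while accepting a TLS connection on conn156 local=172.16.10.1:3128 remote=172.16.10.7:1178 FD 13 flags=1: 0x81cd39680*1
2023-03-07T10:52:10       squid   kid1| Accepting HTTP Socket connections at conn5 local=[::]:3128 remote=[::] FD 13 flags=9
"""

# Timestamp, kid id, connection id, local listener and remote client (IPv4 host:port).
TLS_ACCEPT_FAIL = re.compile(
    r"^(?P<ts>\S+)\s+squid\s+kid\d+\|\s+ERROR: failure while accepting a TLS connection"
    r" on conn(?P<conn>\d+) local=(?P<local>\S+) remote=(?P<rhost>[^:\s]+):(?P<rport>\d+)"
)


def parse_tls_accept_failures(text):
    """Return one dict (ts, conn, local, rhost, rport) per matching line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = TLS_ACCEPT_FAIL.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def failures_per_client(events):
    """Count failed TLS accepts per (client IP, proxy listener address:port)."""
    return Counter((e["rhost"], e["local"]) for e in events)


def noisy_clients(events, threshold=2):
    """Clients with at least `threshold` failures on any listener: check their CA trust store first."""
    return sorted({host for (host, _), n in failures_per_client(events).items() if n >= threshold})


if __name__ == "__main__":
    evts = parse_tls_accept_failures(SAMPLE_LOG)
    for (host, listener), n in failures_per_client(evts).most_common():
        print(f"{host} -> {listener}: {n} failed TLS accepts")
```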

8
Zenarmor (Sensei) / Re: Using Zenarmor and Squid proxy inline
« on: February 17, 2023, 10:56:34 pm »
Hey SY,

Any update on this? Any bug found in the logs I sent?

9
Zenarmor (Sensei) / Re: Using Zenarmor and Squid proxy inline
« on: January 26, 2023, 05:39:44 pm »
Logs sent under "Proxy doesn't blocked on App Control."

10
Zenarmor (Sensei) / Re: Using Zenarmor and Squid proxy inline
« on: January 24, 2023, 08:30:43 pm »
Correct, applications are not blocked when proxy is active.

11
Zenarmor (Sensei) / Re: Using Zenarmor and Squid proxy inline
« on: January 23, 2023, 07:50:53 pm »
So I attached a screenshot. The last logs were without proxy enabled; as you can see, the logs on top are with Web Controls enabled, since with it disabled and only App Controls enabled it just goes right past the filter/control.

I would say no, it's not shown or processed correctly with proxy enabled. So application categories don't seem to work with proxy currently. I wonder if this is something that could be fixed?

12
Zenarmor (Sensei) / Re: Using Zenarmor and Squid proxy inline
« on: January 02, 2023, 06:10:34 am »
Alright, so after some testing, it seems it does work, well, 50/50. So the blocks do not work when I set configurations in "App Controls", but they do when I completely configure a block in "Web Controls".

That all being said, technically "App Controls" should work but don't. What else can I check to understand why blocking doesn't work in "App Controls"?

13
Zenarmor (Sensei) / Using Zenarmor and Squid proxy inline
« on: December 27, 2022, 10:58:56 pm »
Hi ALL,

I can't help but notice that when using Web Proxy in Opnsense, it completely bypasses Zenarmor, since it sees my hosts connecting to the destination, which is the LAN interface hosting Squid Proxy. I am not sure if there is a setting on the Zenarmor or Proxy side, a way to parse the data coming from the source being the LAN interface while the dest is whatever the proxy is connecting to?

It would be nice if the WAN interface was selectable since I am sure it would capture from LAN out during proxy options.

14
General Discussion / Re: HAproxy not starting after upgrading firmware
« on: December 22, 2022, 05:45:30 pm »
You are 100% correct, I guess I didn't understand before. So removing all other entries and adding an external binding of 0.0.0.0/24 worked. Thanks so much for the help!

15
General Discussion / Re: HAproxy not starting after upgrading firmware
« on: December 20, 2022, 05:46:21 pm »
Here is my config.

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin expose-fd listeners
    nbproc                      1
    nbthread                    1
    hard-stop-after             60s
    no strict-limits
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         172.16.10.6:514 local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats


# Resolver: HV-DNS
resolvers 60d520816d7b32.78243365
    nameserver 8.8.8.8:53 8.8.8.8:53
    parse-resolv-conf
    resolve_retries 3
    timeout resolve 1s
    timeout retry 1s



# Frontend: External-Pub ()
frontend External-Pub
    bind ctlgmon01.hvnoclabs.com:443 name ctlgmon01.hvnoclabs.com:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6121ccbe699ab8.48952667.certlist
    bind ctauth02.hvnoclabs.com:443 name ctauth02.hvnoclabs.com:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6121ccbe699ab8.48952667.certlist
    bind ctitools01.hvnoclabs.com:443 name ctitools01.hvnoclabs.com:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6121ccbe699ab8.48952667.certlist
    bind ctlgmon02.hvnoclabs.com:443 name ctlgmon02.hvnoclabs.com:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6121ccbe699ab8.48952667.certlist
    bind ctcoms01.hvnoclabs.com:443 name ctcoms01.hvnoclabs.com:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 alpn h2,http/1.1 crt-list /tmp/haproxy/ssl/6121ccbe699ab8.48952667.certlist
    mode http
    option http-keep-alive
    # tuning options
    timeout client 30s
    # stickiness
    stick-table type ip size 50k expire 30m 
    tcp-request connection track-sc0 src
    # logging options
    option httplog
    # ACL: Netbox
    acl acl_60dea475186677.51330295 hdr(host) -i ctitools01.hvnoclabs.com
    # ACL: Graylog
    acl acl_61208941d9bf35.04710772 hdr(host) -i ctlgmon01.hvnoclabs.com
    # ACL: Keycloak
    acl acl_61209978a36e65.49477166 hdr(host) -i ctauth02.hvnoclabs.com
    # ACL: Mattermost
    acl acl_612d2c6c0e9208.90351294 hdr(host) -i ctcoms01.hvnoclabs.com

    # ACTION: Netbox
    use_backend External-Netbox if acl_60dea475186677.51330295
    # ACTION: Graylog
    use_backend External-Graylog if acl_61208941d9bf35.04710772
    # ACTION: Keycloak
    use_backend External-Keycloak if acl_61209978a36e65.49477166
    # ACTION: Zabbix
    # NOTE: actions with no ACLs/conditions will always match
    use_backend External-Zabbix
    # ACTION: Mattermost
    use_backend External-Mattermost if acl_612d2c6c0e9208.90351294

# Backend: External-Netbox (Pool to Internet)
backend External-Netbox
    option log-health-checks
    # health check: Monitoring Profile
    option httpchk
    http-check send meth OPTIONS uri / ver HTTP/1.0
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server ctitools01 172.16.10.11:80 check inter 2s

# Backend: External-Graylog (Pool to Internet)
backend External-Graylog
    option log-health-checks
    # health check: Monitoring Profile
    option httpchk
    http-check send meth OPTIONS uri / ver HTTP/1.0
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server ctlgmon01 172.16.10.8:443 check inter 2s  ssl verify none

# Backend: External-Keycloak (Pool to Internet)
backend External-Keycloak
    option log-health-checks
    # health check: Monitoring Profile
    option httpchk
    http-check send meth OPTIONS uri / ver HTTP/1.0
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server ctauth02 172.16.10.25:443 check inter 2s  ssl alpn h2,http/1.1 verify none

# Backend: External-Zabbix (Pool to Internet)
backend External-Zabbix
    option log-health-checks
    # health check: Monitoring Profile
    option httpchk
    http-check send meth OPTIONS uri / ver HTTP/1.0
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server ctlgmon02 172.16.10.9:80 check inter 2s

# Backend: External-Mattermost (Pool to Internet)
backend External-Mattermost
    option log-health-checks
    # health check: Monitoring Profile
    option httpchk
    http-check send meth OPTIONS uri / ver HTTP/1.0
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server ctcoms01 172.16.10.24:80 check inter 2s

# Backend: External-ctcoms01 (Pool to Internet)
backend External-ctcoms01
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server ctcoms01 172.16.10.75:443




listen local_statistics
    bind            127.0.0.1:8822
    mode            http
    stats uri       /haproxy?stats
    stats realm     HAProxy\ statistics
    stats admin     if TRUE

# remote statistics are DISABLED
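A config lint written for this thread as an added example (not OPNsense or HAProxy code): it flags two things visible in the generated haproxy.conf above. First, frontend `bind` lines that use a hostname instead of an IP literal or a wildcard; HAProxy resolves such names when it parses the config and refuses to start if the name does not resolve at that moment, which is consistent with the fix of binding to 0.0.0.0. Second, `server` lines with `ssl verify none`, where the backend certificate is never checked. The excerpt below is a constructed, trimmed version of that config; names and paths are hypothetical.

```python
import ipaddress

# Constructed excerpt shaped like the generated haproxy.conf above (hypothetical names/paths).
SAMPLE_CFG = """\
frontend External-Pub
    bind ctlgmon01.hvnoclabs.com:443 name ctlgmon01.hvnoclabs.com:443 ssl crt-list /tmp/haproxy/ssl/x.certlist
    bind 0.0.0.0:443 name public ssl crt-list /tmp/haproxy/ssl/x.certlist
    mode http
backend External-Graylog
    server ctlgmon01 172.16.10.8:443 check inter 2s  ssl verify none
backend External-Mattermost
    server ctcoms01 172.16.10.24:80 check inter 2s
"""

SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend", "listen", "resolvers")


def is_literal_address(host):
    """True for an IP literal (IPv6 may be bracketed), '*' or an empty host (all interfaces)."""
    if host in ("", "*"):
        return True
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def lint_haproxy(cfg):
    """Return a list of (line_no, message) findings for hostname binds and unverified TLS backends."""
    findings = []
    section = "?"
    for no, raw in enumerate(cfg.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] in SECTION_KEYWORDS:
            section = " ".join(parts[:2])
            continue
        if parts[0] == "bind" and len(parts) > 1:
            host = parts[1].rpartition(":")[0]          # '' when no port is given
            if not is_literal_address(host):
                findings.append((no, f"{section}: bind on hostname '{host}' is resolved at startup; "
                                     "HAProxy will not start if it cannot be resolved"))
        elif parts[0] == "server" and "ssl" in parts and "verify" in parts:
            if parts[parts.index("verify") + 1] == "none":
                findings.append((no, f"{section}: server {parts[1]} uses 'verify none'; "
                                     "the backend certificate is not checked"))
    return findings


if __name__ == "__main__":
    for line_no, msg in lint_haproxy(SAMPLE_CFG):
        print(f"line {line_no}: {msg}")
```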
