Topic: Transparent proxy - bypass for some LAN IPs (Read 16348 times)
emilio.b (Newbie, Posts: 20, Karma: 1)
Transparent proxy - bypass for some LAN IPs « on: June 28, 2016, 04:41:32 pm »
Hello all,
I've set up a transparent proxy with both HTTP and SSL, and all seems OK there.
Then I've put some domains in the 'SSL no bump sites' so that these sites are passed through the proxy.
Now I have a monitoring host (nagios) in my LAN which talks to many external (monitored) hosts on the standard 443 port. I would like to just add the nagios's IP address in a way that the proxy just leaves this IP untouched, instead of adding a very long list of external IPs to the 'SSL no bump sites' list.
Is it possible?
If so, where are the settings in the web GUI?
I've already tried out some settings in the Forward proxy > ACL, but that setting (Unrestricted IP addresses) seems to only have to do with IP addresses (as stated by the label) and nothing on the SSL side.
TIA
emilio
« Last Edit: June 29, 2016, 02:48:10 pm by emilio.b »
Julien (Hero Member, Posts: 666, Karma: 33)
Re: Transparent proxy - bypass for some LAN IPs « Reply #1 on: June 30, 2016, 10:42:19 am »
Go to Proxy Server > Forward Proxy > Access Control List > Unrestricted IP addresses.
OPNsense 23.1.7_3-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1t 7 Feb 2023
emilio.b (Newbie, Posts: 20, Karma: 1)
Re: Transparent proxy - bypass for some LAN IPs « Reply #2 on: June 30, 2016, 11:03:48 am »
Thanks jamerson,
I've already tried that (see original post).
Anyway, I re-tried what you've suggested to double-check.
Unfortunately this didn't do the trick, and even if I put the LAN IP of my nagios host in the unrestricted IPs, I get this error when trying to connect to the destination host:
The following error was encountered while trying to retrieve the URL:
https://idrac/
*
Failed to establish a secure connection to xxx.xxx.xxx.xxx
The system returned:
(92) Protocol error (TLS code: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
Self-signed SSL Certificate: /C=US/ST=Texas/L=Round Rock/O=Dell Inc./OU=Remote Access Group/CN=idrac/emailAddress=support@dell.com
This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.
Your cache administrator is admin@localhost.local.
What I need is a way to bypass SSL bumping (not the proxy) for a given host(s) on my network.
TIA
emilio
Julien (Hero Member, Posts: 666, Karma: 33)
Re: Transparent proxy - bypass for some LAN IPs « Reply #3 on: June 30, 2016, 11:08:25 am »
Just curious, have you configured the local cache? And SSL transparent for the proxy?
I've noticed you always have to restart the proxy services after making some changes.
I have been using the software for two days now, and I love it so far.
emilio.b (Newbie, Posts: 20, Karma: 1)
Re: Transparent proxy - bypass for some LAN IPs « Reply #4 on: June 30, 2016, 06:06:02 pm »
Thanks for your answer.
Yes, I've configured both HTTP and HTTPS for the transparent proxy.
I've also tried stopping and restarting the proxy service, to no avail in my case.
emilio
Julien (Hero Member, Posts: 666, Karma: 33)
Re: Transparent proxy - bypass for some LAN IPs « Reply #5 on: June 30, 2016, 06:23:47 pm »
As I see it, you did not create a certificate for the proxy; you are only using the self-signed one.
Are you sure you've configured it according to the documentation, with the SSL/HTTPS settings?
emilio.b (Newbie, Posts: 20, Karma: 1)
Re: Transparent proxy - bypass for some LAN IPs « Reply #6 on: July 01, 2016, 09:25:37 am »
Hello jamerson,
yes, I've configured a self-signed cert for the proxy according to the man pages.
Then I've imported the cert in the browsers I usually use to surf the internet, and in the OS for some additional apps.
So if I'm not wrong, I should import the same cert in the nagios machine in order to get the correct behaviour.
What I don't understand here is why the Unrestricted IP addresses setting seems not to work, or maybe it is not the correct field to fill in for my specific case.
TIA
emilio
Julien (Hero Member, Posts: 666, Karma: 33)
Re: Transparent proxy - bypass for some LAN IPs « Reply #7 on: July 01, 2016, 05:24:53 pm »
Hi Emilio,
I have been using the device now for over 3 days, and have configured the proxy and also the unrestricted IP, and I even use the domain name of the machine, and it works fine.
I am sure you missed some configuration step.
emilio.b (Newbie, Posts: 20, Karma: 1)
Re: Transparent proxy - bypass for some LAN IPs « Reply #8 on: July 04, 2016, 02:42:53 pm »
Thank you jamerson for your time.
I've double-checked all settings and attached some screenshots.
If the Unrestricted IP means that ALL traffic from origin to destination is left untouched by the transparent proxy, including SSL bumping, then probably I have some strange behaviour here, because it works for some IPs while for others not at all.
I'll try to sketch the whole thing with transparent proxy + SSL proxy:
nagios (LAN) check host1 on port 4444 > opnsense > WAN > monitored host1 (https port 4444) THIS IS OK
nagios (LAN) check host2 on port 443 > opnsense > WAN > monitored host2 (https port 443) THIS IS BLOCKED
The block error (from the proxy) is the one I've already pasted in the previous message.
TIA
emilio
fabian (Hero Member, Posts: 2769, Karma: 200, OPNsense Contributor (Language, VPN, Proxy, etc.))
Re: Transparent proxy - bypass for some LAN IPs « Reply #9 on: July 06, 2016, 09:01:00 am »
Hi emilio,
can you also add this host to the "SSL no bump sites", as it looks like the SSL handshake fails?
Can you then connect to it and open it with a browser and check which cryptographic algorithms are used?
emilio.b (Newbie, Posts: 20, Karma: 1)
Re: Transparent proxy - bypass for some LAN IPs « Reply #10 on: July 06, 2016, 06:52:47 pm »
Hello Fabian,
unfortunately this doesn't solve the problem.
As I said, the strange thing is that the HTTPS/SSL connections from the nagios host to other external hosts on ports other than 443 (i.e. port 444) work as expected.
So I've made a little experiment here with the Allowed destination ports (proxy ACL advanced settings).
Please review the attached screenshots: _3 and _4.
I removed the default 443:https port and placed the 444:https port instead.
In this condition the nagios connection on port 443 fails, but now with the Access denied message (as expected, I think), while the nagios connection on port 444 works OK.
Then I removed all 444:https settings from both the TCP and SSL ACL proxy fields and left them blank, without the default 443 settings.
In this condition the nagios host has THE SAME behaviour as above, with failed 443 connections and working 444 connections, even if there are no apparent settings that permit such a thing.
It seems to me that there is some hardcoded parameter over there, or maybe I need some more help...
TIA
emilio
« Last Edit: July 07, 2016, 10:53:59 am by emilio.b »
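The two behaviours discussed in this thread (an unrestricted source IP still being bumped, and port 444 passing while 443 is blocked) come down to how squid evaluates its rules. The fragment below is a hand-written squid configuration illustration added here, not OPNsense's generated squid.conf or any poster's configuration; the listener ports, the address 192.0.2.10 for the nagios host and the CA certificate path are assumed.

```squid
# Transparent listeners (intercept mode). The proxy only ever sees traffic the
# firewall redirects to these ports. A connection to a destination port that is
# not redirected (port 444 in this thread) never reaches squid at all, so it is
# neither checked against http_access nor bumped, whatever the ACL fields say.
http_port  3128 intercept
https_port 3129 intercept ssl-bump cert=/usr/local/etc/squid/ca.pem   # assumed path

# Source ACL for the monitoring host (assumed address).
acl nagios_host src 192.0.2.10

# The GUI's "Unrestricted IP addresses" maps to an http_access rule.
# http_access decides whether a request may pass through the proxy; it has no
# influence on whether the TLS session is bumped, so the proxy still terminates
# TLS for this client and validates the server certificate itself. A device
# with a self-signed certificate (the iDRAC above) then fails with
# X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT even though the source is "unrestricted".
http_access allow nagios_host

# ssl_bump rules are evaluated separately from http_access, first match wins.
# "SSL no bump sites" are matched on the server name, which is only known after
# peeking at the ClientHello (step 1), hence one destination entry per site.
acl step1        at_step SslBump1
acl nobump_sites ssl::server_name .example.net   # constructed sample entry

# A splice rule keyed on the *source* tunnels the whole session unchanged, so
# the client (not the proxy) validates the server certificate and no per-site
# list is needed for that host. Log such sessions: spliced traffic is opaque.
ssl_bump splice nagios_host
ssl_bump peek   step1
ssl_bump splice nobump_sites
ssl_bump bump   all
```

Whether a given OPNsense release exposes a source-based splice in the GUI is not stated on this page; the fragment only explains the observed behaviour in squid's own terms.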