Plugin: www/OPNProxy does not block anything

Started by seed, February 28, 2025, 11:10:41 PM

February 28, 2025, 11:10:41 PM Last Edit: March 03, 2025, 09:32:39 PM by seed
Hello All,


I configured OPNproxy as described in the docs:
https://docs.opnsense.org/manual/opnproxy.html

And it looks like it does not work. The policy testing looks fine. When I generate a test rule that blocks anything and restart squid, I expect everything to work.

curl https://spiegel.de/ -k -U proxyuser:userpassword -x http://proxy.internal.domain.tld:3128 -L --proxy-anyauth
This should not return the webpage. But it still does, and the request is logged in the access log as usual.
Also running configctl opnproxy sync_users or configctl opnproxy apply_policies does not make a difference.

I also opened this issue.
https://github.com/opnsense/plugins/issues/4565

I checked my config multiple times and hope that I made a mistake. But it looks like, due to this issue, all of my servers are now allowed to browse the web without any blocking. Using this plugin I want to allow only access to certain update servers. This was working in the past.

Could it be due to a squid version change?
I want all services to run at wire speed and therefore run this dedicated hardware configuration:

AMD Ryzen 7 9700x
ASUS Pro B650M-CT-CSM
64GB DDR5 ECC (2x KSM56E46BD8KM-32HA)
Intel XL710-BM1
Intel i350-T4
2x SSD with ZFS mirror
PiKVM for remote maintenance

private user, no business use

Also reinstalling the system did not work.
The interesting thing is also that the authenticated user is not logged in the access log.

After doing some testing I discovered that blocking HTTP like "http://opnsense.org" works as expected. But HTTPS does not. For example "https://opnsense.org", which should also be blocked by the "*" rule, doesn't work. HTTPS content can be browsed.

Did you set up a transparent proxy? Did you enable SSL inspection? Are you aware of the constraints SSL inspection brings?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Hello Patrick,


I'm not using a transparent proxy, I use SSL inspection. My CA is installed on my clients. Squid logs all requests (HTTP/HTTPS).

"Are you aware of the constraints SSL inspections brings?"
Which constraints beside the local CA deployment work?

The squid proxy config itself works as expected.

But I have problems with the www/OPNproxy plugin.

March 03, 2025, 09:35:12 PM #6 Last Edit: March 03, 2025, 09:41:55 PM by Patrick M. Hausen
Quote from: seed on March 03, 2025, 09:30:14 PM
Which constraints beside the local CA deployment work?

I meant exactly the local CA deployment. Many people don't quite understand how SSL works and expect filtering by "magic".

Sorry, I have no practical experience with the proxy, just wanted to ask if you checked the obvious things. So with that out of the way someone else will have to take over.

I hope Ad will take a look at the issue on github.

March 28, 2025, 09:41:53 PM #8 Last Edit: March 28, 2025, 09:48:27 PM by seed
Is nobody else using access control with https inspection?

I thought I had provided all the information needed to replicate the problem. What can I do to solve the problem?

I was also failing with the plugin, it only works if you use Authentication in addition. Network-only doesn't work ... no idea why

March 28, 2025, 10:57:19 PM #10 Last Edit: March 28, 2025, 11:06:56 PM by seed
Quote from: mimugmail on March 28, 2025, 10:47:55 PM
I was also failing with the plugin, it only works if you use Authentication in addition. Network-only doesn't work ... no idea why

What do you mean with "Authentication in addition"? In my use case all my servers/clients use credentials, and authentication is configured in OPNsense (local users). Please take a look at the GitHub issue. I included screenshots that show my configuration.

https://github.com/opnsense/plugins/issues/4565


Only HTTP access control works. HTTPS access control does not. Squid does work with HTTPS. The CA is installed on the clients. But the user auth is not logged and not sent to the access control, so the policy doesn't grip.
When using sni-logging https does work also.

It is NOT an SSL inspection issue itself, because SSL is processed as usual in squid and also cached. Only the access control part for users and groups does not work in HTTPS.
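A quick check for the symptom described in this thread (HTTPS requests served while no authenticated user appears in the access log), added here as an example; it is not part of the original post or of the OPNproxy plugin. It assumes Squid's default "squid" logformat (user name is the 8th field, "-" when absent), and the sample lines are constructed, not taken from a real log.

```shell
# Constructed sample lines in Squid's default "squid" logformat:
# time elapsed client code/status bytes method URL user hierarchy/peer type
# The http:// requests carry the user and are denied (403); the bumped https://
# requests show no user and are served (200), which is the behaviour reported above.
SAMPLE_LOG='1740783041.123     45 10.0.0.5 TCP_DENIED/403 3456 GET http://opnsense.org/ proxyuser HIER_NONE/- text/html
1740783042.456    120 10.0.0.5 TCP_MISS/200 51234 GET https://opnsense.org/ - HIER_DIRECT/203.0.113.10 text/html
1740783043.789     80 10.0.0.5 TCP_MISS/200 44100 GET https://spiegel.de/ - HIER_DIRECT/203.0.113.20 text/html
1740783044.000     30 10.0.0.5 TCP_DENIED/403 3456 GET http://spiegel.de/ proxyuser HIER_NONE/- text/html
1740783045.100    200 10.0.0.5 TCP_TUNNEL/200 6000 CONNECT spiegel.de:443 proxyuser HIER_DIRECT/203.0.113.20 -'

# Print the URL of every request that was served (2xx) over HTTPS, either as a
# bumped https:// URL or a CONNECT tunnel, with no user name recorded ("-").
# Reads access-log lines from stdin.
https_served_without_user() {
    awk '
        ($7 ~ /^https:\/\// || $6 == "CONNECT") && $8 == "-" && $4 ~ /\/2[0-9][0-9]$/ { print $7 }
    '
}

# Number of such requests; a non-zero result means policies keyed on the
# authenticated user cannot match these requests at all.
count_https_served_without_user() {
    https_served_without_user | wc -l | tr -d " "
}

# Run against the constructed sample. For a live system, pipe in the real log
# instead, e.g. tail -n 1000 /var/log/squid/access.log (path is an assumption).
printf '%s\n' "$SAMPLE_LOG" | https_served_without_user
```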