Plugin: www/OPNProxy does not block anything

seed · February 28, 2025, 11:10:41 PM

Hello All,

i configured OPNproxy as described in the docs:
https://docs.opnsense.org/manual/opnproxy.html

And it looks like it does not work. The policy testing looks fine. When i generate some testrule that blocks anything and restart squid i expect everything to work.

Code Select

curl https://spiegel.de/ -k -U proxyuser:userpassword -x http://proxy.internal.domain.tld:3128 -L --proxy-anyauth
This should not return the webpage. But still it does and the rwquest is logged in the accesslog as usual.
Also running configctl opnproxy sync_users or configctl opnproxy apply_policies does not make a difference.

I also opened this issue.
https://github.com/opnsense/plugins/issues/4565

I checked my config multiple times and hope that i made a mistake. But it looks like due to this issue all of my servers are now allowed to browse the web without any blocking. Using this plugin want to allow only access to certain updateservers. This was working in the past.

Could it be due to a squid version change?

seed · March 01, 2025, 02:34:38 PM

Also reinstalling the system did not work.
The interesting this is also that the authenticated user is not logged in the accesslog.

seed · March 03, 2025, 09:22:36 PM

After doing some testing i discovered that blocking HTTP like: "http://opnsense.org" works as expected. But HTTPs does not. For example "https://opnsense.org", which also should be blocked by the "*" rule doesnt work. HTTPs content can be browsed.

Patrick M. Hausen · March 03, 2025, 09:25:12 PM

Did you set up a transparent proxy? Did you enable SSL inspection? Are you aware of the constraints SSL inspections brings?

seed · March 03, 2025, 09:30:14 PM

Hello Patrick,

Im not using a transparent Proxy, i use SSL inspection. My CA is installed on my clients. Squid logs all requests (HTTP/HTTPs).

"Are you aware of the constraints SSL inspections brings?"
Which constraints beside the local CA deployment work?

seed · March 03, 2025, 09:31:26 PM

The squid proxy config itself works as expected.

But i have problems with the www/OPNproxy plugin.

Patrick M. Hausen · March 03, 2025, 09:35:12 PM

Quote from: seed on March 03, 2025, 09:30:14 PMWhich constraints beside the local CA deployment work?

I meant exactly the local CA deployment. Many people don't quite understand how SSL works and expect filtering by "magic".

Sorry, I have no practical experience with the proxy, just wanted to ask if you checked the obvious things. So with that out of the way someone else will have to take over.

seed · March 03, 2025, 09:40:06 PM

I hope Ad will take a look at the issue on github.

Plugin: www/OPNProxy does not block anything

seed

February 28, 2025, 11:10:41 PM Last Edit: March 03, 2025, 09:32:39 PM by seed

seed

March 01, 2025, 02:34:38 PM #1

seed

March 03, 2025, 09:22:36 PM #2

Patrick M. Hausen

March 03, 2025, 09:25:12 PM #3

seed

March 03, 2025, 09:30:14 PM #4

seed

March 03, 2025, 09:31:26 PM #5

Patrick M. Hausen

March 03, 2025, 09:35:12 PM #6 Last Edit: March 03, 2025, 09:41:55 PM by Patrick M. Hausen

seed

March 03, 2025, 09:40:06 PM #7