WEB PROXY + OPNPROXY + SSO something doesn't work in the OPNSense Advanced PROXY

Started by Wuensch-AG-Adm, February 03, 2025, 02:04:08 PM

Dear OPNSense Community,

We have purchased a DECISO appliance with a Business license to replace our Sophos UTM. We thought that it would be possible to replace the Sophos UTM Webfilter (transparent with LDAP) with the OPNSense plugins (WEB PROXY + OPNPROXY + SSO). But it doesn't work for us right now. The Business plugin OPNPROXY could be the solution. It seems that the plugin cannot work with the SSO plugin. That's really sad. We have set up the access control, but nothing is applied as it should be. The policy tester is working, but in reality nothing is filtered in the browser. It's as if the OPNPROXY plugin isn't enabled or present, and I've set up lots of rules. The WEB PROXY is working as it should.
Is it right that this Business plugin cannot work with SSO (AD)?
If yes, I think that's the biggest missing feature in this plugin. If no, what could I have missed, please?

Thanks in advance,

Regards,

Joel T.

I have some news here. I've tried to activate the proxy in Windows with the FQDN and port of the OPNsense, and somehow it "works". The problem is that websites are randomly blocked and I cannot understand which of the rules is triggered when a website is blocked.
For example, I've put the website thomas-krenn.com in the whitelist ACL of Squid and in the custom whitelist (allow) ACL of the OPNsense Advanced PROXY (os-OPNProxy), and I'm still blocked on the computer where I've set up the proxy in Windows. How that's possible, I don't know.

In the log (Access Log) I have something like this:
IP - MAC ADDR USERNAME@DOMAIN "GET https://www.thomas-krenn.com/favicon.ico HTTP/1.1" 403 24992 "https://www.thomas-krenn.com/de/wiki/OPNsense_Plugins" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36" NONE_NONE:HIER_NONE
IP - MAC ADDR USERNAME@DOMAIN "CONNECT www.thomas-krenn.com:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36" TCP_DENIED:HIER_NONE
USERNAME@DOMAIN is in a group in a custom allow rule.

Policy tester:
{
  "message": "OK user=\"User\"\n",
  "user": {
    "uid": "User",
    "id": "2020",
    "applies_on": [
      "u:User",
      "g:Group One",
      "g:Group Two"
    ]
  },
  "policy": {
    "action": "allow",
    "policy_type": "fallback"
  }
}
I'm sure that this website isn't in a blacklist.

Is there a possibility to have a log that writes which of the rules was triggered?

It's pretty hard to administer the web filter like that.

I've followed this to implement the OPNProxy: https://docs.opnsense.org/manual/opnproxy.html
But it doesn't seem to be enough to get the web proxy fully configured.

Thanks in advance.

Joel T.
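As an added triage aid that is not part of this thread or of the OPNsense/OPNproxy code, the following Python parses access-log lines in the layout visible in the post above (client IP, ident, MAC, user, request line, status, bytes, referer, user agent, Squid result code), counts denials per host and per user, and flags denied requests whose host is on an allow-list the administrator expects to be honoured. The field layout is inferred from the redacted lines and must be adjusted to the real `logformat`; the sample lines, addresses and user names are constructed placeholders, and `ALLOWLIST` is an assumed configuration value.

```python
"""Triage Squid access-log lines: which requests were denied, and which of
those hit a host the administrator believes is allow-listed.

Added example, not part of the forum thread or of the OPNsense/OPNproxy
code base. The field layout is inferred from the (redacted) log lines in the
post; adjust FIELD_RE if your logformat differs.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

FIELD_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<mac>\S+) (?P<user>\S+) '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<result>\S+)$'
)

# Constructed sample lines modelled on the post; addresses and user are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - 00:11:22:33:44:55 jdoe@EXAMPLE "GET https://www.thomas-krenn.com/favicon.ico HTTP/1.1" 403 24992 "https://www.thomas-krenn.com/de/wiki/OPNsense_Plugins" "Mozilla/5.0" NONE_NONE:HIER_NONE
192.0.2.10 - 00:11:22:33:44:55 jdoe@EXAMPLE "CONNECT www.thomas-krenn.com:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0" TCP_DENIED:HIER_NONE
192.0.2.10 - 00:11:22:33:44:55 jdoe@EXAMPLE "GET https://docs.opnsense.org/manual/opnproxy.html HTTP/1.1" 200 51234 "-" "Mozilla/5.0" TCP_MISS:HIER_DIRECT
192.0.2.11 - 00:11:22:33:44:66 asmith@EXAMPLE "CONNECT ads.example.net:443 HTTP/1.1" 403 3990 "-" "Mozilla/5.0" TCP_DENIED:HIER_NONE
"""

# Assumed: domains the administrator has put on the allow ACL.
ALLOWLIST = ("thomas-krenn.com",)


def host_of(method, url):
    """CONNECT requests log 'host:port'; other methods log a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def parse_line(line):
    """Return a dict of fields, or None if the line does not match FIELD_RE."""
    m = FIELD_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["host"] = host_of(entry["method"], entry["url"])
    return entry


def is_denied(entry):
    """Squid marks refusals with a 403 status and/or a *_DENIED result tag."""
    return entry["status"] == 403 or "DENIED" in entry["result"]


def in_allowlist(host, allowlist):
    """Exact or subdomain match against the allow-list."""
    return any(host == d or host.endswith("." + d) for d in allowlist)


def triage(log_text, allowlist=ALLOWLIST):
    """Summarise denials and flag the ones that contradict the allow-list."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    denied = [e for e in entries if is_denied(e)]
    contradictions = [e for e in denied if in_allowlist(e["host"], allowlist)]
    return {
        "parsed": len(entries),
        "denied": len(denied),
        "denied_by_host": Counter(e["host"] for e in denied),
        "denied_by_user": Counter(e["user"] for e in denied),
        "allowlisted_but_denied": [
            (e["user"], e["method"], e["host"], e["status"], e["result"])
            for e in contradictions
        ],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['denied']} of {report['parsed']} requests denied")
    for host, n in report["denied_by_host"].most_common():
        print(f"  {n:3d}  {host}")
    for row in report["allowlisted_but_denied"]:
        print("  allow-listed host still denied:", row)
```

Run it against the real log with `triage(open("/var/log/squid/access.log").read())` after fitting `FIELD_RE` to the configured `logformat`; the `allowlisted_but_denied` rows are the requests to investigate first, since each one is a host the ACLs should have passed.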


Hello Joel,

We also bought a Deciso appliance, and we also want to use Squid as a forward proxy. With the OPNproxy business plugin we think it has the complete functionality that we want.

But we also don't fully understand it. We tried different settings, but we also see "policy fallback allow" and don't know where it comes from.
We have a * block rule and tested a single site allow, but when we change the IP or something different, the "policy fallback allow" rule comes up.

When we delete custom rules, apply, restart or stop the plugin and start it again, the policy tester shows the old custom rules and says allow.
How can we clear the cache of the tester? I thought it's a business solution, not one where one time it works, one time it doesn't.

The wiki is not good for the product. It must have examples for a default business-like scenario with block all, and allow custom different sites.

Do you have a final resolution? Or can someone that has used the business proxy settings share pictures?

Hello WireShire,

We have disabled the business functionality because it is simply useless to us.
With the new version 25.4.1, we are experiencing even more problems and cannot find a solution ourselves, as there is no useful documentation on this topic.
We are considering using another solution that we can rely on more. I think that this is unfortunately just one example of how the modularity of a solution is not always an advantage.

Quote from: wirehire on June 14, 2025, 06:21:51 PM
Hello Joel, [...]

Hey,

Thanks for your answer. Have you opened a ticket? Has support answered? If not, I'll open a ticket, because the functionality, when the plugin works as it should, would be the best. Possibly the bugs haven't been reported to them!? Which alternative do you have in mind?

Greets