Squid Proxy | Allow only specific domains - block all others

Started by bpill, November 27, 2025, 08:59:49 AM

Hello there!

I am trying to configure the Squid web proxy to achieve the following goals:
- Transparent proxy (gateway on the clients is set to the OPNsense IP)
- Block everything by default (HTTPS/HTTP)
- Allow specific domains only (HTTPS/HTTP)

I managed to configure the system:
- "Enable Transparent HTTP proxy" -> true
- "Enable SSL inspection" -> true
- "Log SNI Information only" -> true
- "CA to use" -> created and imported on the clients
- "SSL no bump sites" currently empty
- NAT Rules to the proxy are created
- ACL: "Whitelist" contains only "nuget.org"
- ACL: "Blacklist" contains ".*" to block everything


The Problem:
If I open https://nuget.org I will get the message:
"The following error was encountered while trying to retrieve the URL: https://172.183.192.203/* Access Denied."
I do not understand why it would ?redirect? to the IP instead of the hostname?
If I remove the ".*" from the blacklist it works.

What am I doing wrong? Is there another better way?

Thanks!
Benjamin
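As an added example, not from this thread and not the configuration OPNsense generates, here is a minimal squid.conf that expresses the same goal (default deny, allowlist only, SNI read without decrypting); the intercept ports, the CA file path and the `.nuget.org` pattern are assumptions:

```conf
# Added example: allowlist-only policy for an intercepting Squid in SNI-only
# mode (peek, never decrypt). Assumed values, not from the thread: intercept
# ports 3128/3129 (NAT must redirect 80/443 to them), the CA file path, and
# the ".nuget.org" pattern (leading dot = the domain plus all subdomains).
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=off \
    tls-cert=/usr/local/etc/squid/ca.pem

acl SSL_ports port 443
acl CONNECT method CONNECT
acl step1 at_step SslBump1

# The same allowlist expressed twice: for plain HTTP (Host header / URL)
# and for TLS (server name read from the ClientHello).
acl allowed_dst dstdomain .nuget.org
acl allowed_sni ssl::server_name .nuget.org

# HTTPS decision. Intercepted TLS first appears to Squid as a fake CONNECT
# to the destination IP (compare the bare IP in the thread's error message),
# so the name is only known after step 1. Peek there, then splice allowed
# names through untouched and terminate everything else.
ssl_bump peek step1
ssl_bump splice allowed_sni
ssl_bump terminate all

# HTTP decision. First match wins, so the catch-all deny must come last.
# The fake CONNECT to port 443 is allowed here so that ssl_bump, not a
# dstdomain check against a bare IP, makes the TLS decision.
http_access allow CONNECT SSL_ports
http_access allow allowed_dst
http_access deny all
```

Because nothing is decrypted, a terminated connection shows up on the client as a TLS handshake failure rather than a Squid error page. Spliced connections can be verified in access.log, where they are recorded as TCP_TUNNEL entries carrying the SNI name.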



Thanks @Monviech

This would still allow connections to IP addresses, I guess?

It depends on the firewall rules you create for the alias.
Hardware:
DEC740

OK. Just to be clear: what we want to achieve is not possible using the web proxy feature?

What you want is most likely possible with a web proxy, but at a much higher performance and complexity cost.

The simplest would be a DNS filter (Unbound) or a Firewall Rule based filter (Dnsmasq).

Just giving alternatives, I am not a pro at squid so I cannot help with it much.
Hardware:
DEC740