Parent Proxy Opnsense

[AC]

Update1: added URL Regex & destination IP

Hey folks,
I configured the Webproxy with a ParentProxy and I'm here to share my experiences with that.

The WebGui does not have an option to define a ParentProxy, so we need to dig deeper:

First of all, there are two directorys:
/usr/local/etc/squid/pre-auth
/usr/local/etc/squid/post-auth

Here I'm using the pre-auth folder. In that folder you need to create a file with .conf ending. Without that file ending the Proxy won't use the config.
I created a file namend ParentProxy.conf ; everything with qoutes needs to be set properly and without the quotes:

# cache_peer: here we set the ParentProxy as URL or IP
cache_peer "ExamplePeer" parent 8080 0 no-query default

#acl for destinationdomains to use our ParentProxy
# the point before the URL means, that every subdomain will also be sent to the ParentProxy
acl "NameOfACLdomain" dstdomain .com .org .local host1.any.domain
#ACL IP List
acl "NameOfACLIP" dst 10.193.100.5
#ACL urlregex
acl "NameOfACLregex" url_regex server1 http://server2.dings

#Now we define the Access, change the "ExamplePeer" to whatever you named your ParentProxy cache_peer
# the first line says: every URL in the defined ACL is going to the ParentProxy
# second line: everything else (not listed in ACL) will not go to the ParentProxy
cache_peer_access "ExamplePeer" allow "NameOfACLdomain"
cache_peer_access "ExamplePeer" allow "NameOfACLIP"
cache_peer_access "ExamplePeer" allow "NameOfACLregex"
cache_peer_access "ExamplePeer" deny !"NameOfACLdomain"
cache_peer_access "ExamplePeer" deny !"NameOfACLIP"
cache_peer_access "ExamplePeer" deny !"NameOfACLregex"

# I'm not sure if that is really needed:
# Here you can define which Domains should not go to the ParentProxy (I choosed our internal Domain)
cache_peer_domain !.internal.domain

#we need to use the never_direct allow directive:
never_direct allow "NameOfACLdomain"
never_direct allow "NameOfACLIP"
never_direct allow "NameOfACLregex"


Maybe that helps configuring a ParentProxy

AC

[franco]

Hi AC,

Thank you for this. I've made it sticky in this forum. There was a question about this once or twice. If enough people want this, we can talk about integrating it into the GUI in a reasonable way.


Cheers,
Franco

[fabian]

@franco - I may need that some day to route *.onion to the Tor plugin however this is very low priority.

[AC]

Hey franco,

that's why i wrote it down here in easy. I read the other threads about that and instructions weren't that clear.

[tillsense]

Hi all,

... If enough people want this...

want it 

cheers till

[franco]

And so the next step is.... a GitHub ticket


Cheers,
Franco

[AC]

I made a ticket - my first Githubticket ever - hope that's correct that way.

https://github.com/opnsense/core/issues/2068

[franco]

Looks good, thank you. I've tagged it "help wanted" for now, let's see if anyone takes the bait.


Cheers,
Franco

[mimugmail]

I dont see a reason for putting it preauth. Shouldnt it be after autentication?

[tillsense]

@mimugmail
No the network options always come first.

I always look that after parsing at OPNsense this sequence remains: yes, ancient
http://www.squid-cache.org/mail-archive/squid-users/200203/att-0514/squid.conf

In the FAQ, there is little information but this is probably important here:

Only ONE proxy cache in a chain is allowed to "use" the proxy authentication...

https://wiki.squid-cache.org/SquidFaq/SquidAcl#Proxy-authentication_and_neighbor_caches


Here are some old links:
https://forum.opnsense.org/index.php?topic=3345.0
https://forum.opnsense.org/index.php?topic=3833.0

cheers till

[mimugmail]

I did some templating which generates this, but it doesn't seem to work (does not use parent)
Any idea why?


root@OPNsense:~/core # cat /usr/local/etc/squid/pre-auth/parentproxy.conf
cache_peer 10.24.66.3 parent 8080 0 no-query default
acl ExcludePPDomains dstdomain test.de bla.de
acl ExcludePPIPs dst 1.1.1.1 2.2.2.2
cache_peer_access 10.24.66.3 deny ExcludePPDomains
cache_peer_access 10.24.66.3 deny ExcludePPIPs
cache_peer_access 10.24.66.3 allow all
never_direct allow ExcludePPDomains
never_direct allow ExcludePPIPs
never_direct deny all

[mimugmail]

OK, fixed it, now it's open for review

[franco]

Bad news: this topic is no longer sticky.

Good news: parent proxy feature is available in OPNsense since 19.1.