Filtering without ssl inspection?

isoellias:
Hello,
I need some tips to solve a problem.

I want to leave pfSense and go to OPNsense,
but I have the following difficulty:

I want to configure the proxy with an external content filter, so far so good!
I would like OPNsense to perform inspection and caching of HTTP, but only perform the HTTPS filter (without cache or inspection), in transparent mode.

PFSense does it! Is it possible in OPNSense?

Thankful!

ruggerio:
hi,

I am not 100% sure if I understood you. You want HTTP inspected, but HTTPS only filtered based on e.g. URLs/headers?

For filtering, see manual here: https://docs.opnsense.org/manual/how-tos/proxywebfilter.html

If you don't want the proxy to SSL intercept all traffic, but filter based on URL, check also https://docs.opnsense.org/manual/how-tos/cachingproxy.html

When enabling SSL, also enable SNI verification. In that case, squid would filter the URLs also in HTTPS. But squid would not "read" the encrypted traffic.

isoellias:
Hello Friend,
Sorry if my English is not clear.
That's right, but in transparent mode.
See my scenario:

In my case, the gateway is the network "firewall/proxy" itself, so I use transparent mode.

1st CASE:
I have several types of devices on the internal network: PCs, Macs, smartphones. And within each of these, applications that do not support redirecting to the proxy. So transparent mode is the way out.

2nd CASE:
When I enable transparent mode, I have another problem: if I have SSL inspection, I must install a certificate on every device on the network (HORRIBLE).

So,
HTTP -> caching, antivirus, etc. Works well in transparent mode;
HTTPS -> so that there is no certificate installation, use SNI;

Server Name Indication (SNI)
Would SNI work for this scenario?
(HTTPS traffic, filtered on the header, in transparent mode and without having to install a certificate on the client?)

The references you submitted above do not say where SNI lives.

Thank you.

axiom9:
Hello,

I have been looking for this option too in OPNsense! That is the only reason why I stay with pfSense.. All I have to do in pfSense to get this working is to select Splice All in SSL/MITM Mode in the squid configuration. With that option, filtering of SSL sites will not require installing a cert on all clients on the network..

I wish this was implemented in OPNsense. I know, OPNsense does not use squidguard and doesn't work exactly the same way for filtering URLs.. I just wish I could do the same thing.

fabian:
You can, but the option has a silly name. It is also on the TLS page. As far as I can remember it is called 'Log SNI information only'.
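For readers who want to see what "Splice All" (pfSense) or 'Log SNI information only' (OPNsense) amounts to underneath, here is an added squid.conf fragment. It is not from this thread or from either project: the proxy peeks at the client's TLS ClientHello to read the SNI, applies domain ACLs to that name, and then splices the connection through untouched, so no certificate is ever presented to (or needed on) the client, while plain HTTP is still cached and filtered normally. The port numbers, the certificate path, the cache path, the local subnet and the blocked domain are all assumptions.

```squid
# Added example (not from the thread or from OPNsense/pfSense): transparent
# HTTP caching plus SNI-only HTTPS filtering. Ports, paths, the subnet and
# the example domain are assumptions; the firewall still has to redirect
# port 80/443 traffic to the intercept ports, which is outside this file.

# Explicit proxy port for clients that can be configured, plus the
# transparent HTTP port that the firewall redirects port-80 traffic to.
http_port 3128
http_port 3129 intercept

# Transparent HTTPS port. Squid requires cert= on any ssl-bump port, but
# with peek + splice below this certificate is never shown to a client,
# so nothing has to be installed on the devices.
https_port 3130 intercept ssl-bump cert=/usr/local/etc/squid/ssl/proxy.pem

# HTTP is fully visible to the proxy, so it can be cached as usual.
cache_dir ufs /var/squid/cache 2048 16 256

# One domain policy, applied to HTTP via the Host header (dstdomain)
# and to HTTPS via the TLS SNI (ssl::server_name).
acl blocked_domains dstdomain .blocked.example
acl blocked_sni ssl::server_name .blocked.example

# SslBump step 1: only the ClientHello has been seen, which is enough to
# read the SNI. Peek there, cut off blocked names, and splice everything
# else through without ever decrypting it.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate blocked_sni
ssl_bump splice all

# Plain HTTP requests are filtered with the normal http_access rules.
acl localnet src 192.168.1.0/24
http_access deny blocked_domains
http_access allow localnet
http_access deny all
```

Because the connection is spliced, the proxy can only act on what is visible before encryption starts (the SNI host name and the destination IP), not on full URLs or response bodies, which is exactly the trade-off the thread describes. A client that sends no SNI, or an attacker-controlled client that sends a false one, is not covered by the name-based rule; in that situation the `ssl::server_name` ACL falls back to the destination IP, so a deny-by-default `http_access` policy is the safer baseline.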
