OPNsense Forum » English Forums » Web Proxy Filtering and Caching (Moderator: fabian) » Filtering without ssl inspection?

Author Topic: Filtering without ssl inspection?  (Read 14177 times)

isoellias (Newbie, Posts: 2, Karma: 0)
Filtering without ssl inspection?
« on: June 26, 2019, 07:56:01 pm »
Hello,
I need some tips to solve a problem.

I want to leave pfSense and move to OPNsense,
but I have the following difficulty:

I want to configure the proxy with an external content filter; so far so good!
I would like OPNsense to perform caching and inspection of HTTP, but only filter HTTPS (without caching or inspection), in transparent mode.

pfSense does it! Is it possible in OPNsense?

Thanks!

ruggerio (Sr. Member, Posts: 295, Karma: 11)
Re: Filtering without ssl inspection?
« Reply #1 on: September 03, 2019, 12:37:26 pm »
hi,

I am not 100% sure if I understood you. You want HTTP inspected, but HTTPS only filtered based on e.g. URLs/headers?

For filtering, see the manual here: https://docs.opnsense.org/manual/how-tos/proxywebfilter.html

If you don't want the proxy to SSL-intercept all traffic, but to filter based on URL, also check https://docs.opnsense.org/manual/how-tos/cachingproxy.html

When enabling SSL, also enable SNI verification. In that case, squid would also filter the URLs in HTTPS, but would not "read" the encrypted traffic.

isoellias (Newbie, Posts: 2, Karma: 0)
Re: Filtering without ssl inspection?
« Reply #2 on: September 27, 2019, 04:03:19 pm »
Hello friend,
Sorry if my English is not clear.
That's right, but in transparent mode.
See my scenario:

In my case, the gateway is the network "firewall/proxy" itself, so I use transparent mode.

1st CASE:
I have several types of devices on the internal network: PCs, Macs, smartphones. And within each of these, applications that do not support redirecting to the proxy. So transparent mode is the way out.

2nd CASE:
When I enable transparent mode, I have another problem: if I have SSL inspection, I must install a certificate on every device on the network (HORRIBLE).

So,
HTTP -> caching, antivirus, etc. ... works well in transparent mode;
HTTPS -> so that there is no certificate installation, use SNI;

Server Name Indication (SNI)
Would SNI work for this scenario?
(HTTPS traffic, filtered on the header, in transparent mode and without having to install a certificate on the client?)

The references you posted above do not say where the SNI setting lives.

Thank you.

axiom9 (Newbie, Posts: 1, Karma: 0)
Re: Filtering without ssl inspection?
« Reply #3 on: January 09, 2020, 06:41:30 pm »
Hello,

I have been looking for this option too in OPNsense! That is the only reason why I stay with pfSense. All I have to do in pfSense to get this working is to select "Splice All" as the SSL/MITM Mode in the squid configuration. With that option, filtering SSL sites does not require installing a cert on all clients on the network.

I wish this was implemented in OPNsense. I know OPNsense does not use squidGuard and does not work exactly the same way for URL filtering. I just wish I could do the same thing.
« Last Edit: January 09, 2020, 06:44:18 pm by axiom9 »

fabian (Moderator, Hero Member, Posts: 2769, Karma: 200, OPNsense Contributor (Language, VPN, Proxy, etc.))
Re: Filtering without ssl inspection?
« Reply #4 on: January 10, 2020, 06:39:03 am »
You can, but the option has a silly name. It is also on the TLS page; as far as I can remember it is called 'Log SNI information only'.

hbc (Hero Member, Posts: 501, Karma: 47)
Re: Filtering without ssl inspection?
« Reply #5 on: January 14, 2020, 10:28:37 am »
Quote from: axiom9 on January 09, 2020, 06:41:30 pm
I wish this was implemented in OPNsense. I know OPNsense does not use squidGuard and does not work exactly the same way for URL filtering. I just wish I could do the same thing.

As fabian already mentioned, turn on "Log SNI information only" and configure your dynamic blacklists under remote blacklists. Then your blacklists are automatically updated and checked against the hostname when an SNI header is present.

There will be two log entries per DENY because of transparent interception:

TCP_DENIED/403 3798 CONNECT blacklisted-host.org
NONE/000 0 NONE error:transaction-end-before-headers
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR
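hbc's two-entries-per-deny observation is easy to get wrong when counting blocks from access.log: the error:transaction-end-before-headers line is the tail of the same intercepted connection, not a second event. The Python below is an added example, not OPNsense or Squid code. It parses lines in Squid's native log format (the sample lines are constructed to resemble the entries quoted above), tallies denied and spliced SNI hosts, and treats an error:transaction-end-before-headers entry from the same client shortly after a TCP_DENIED CONNECT as the companion of that deny. The one-second pairing window and the TCP_TUNNEL action for spliced connections are assumptions made for the example.

```python
"""Summarise denied and spliced SNI hosts from a transparent SNI-only Squid
proxy's access.log, collapsing the two entries written per intercepted deny.
Added example, not OPNsense or Squid code.  SAMPLE_LOG is constructed."""
from collections import Counter

SAMPLE_LOG = """\
1578999600.123    150 192.0.2.10 TCP_DENIED/403 3798 CONNECT blacklisted-host.org:443 - HIER_NONE/- text/html
1578999600.124      0 192.0.2.10 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -
1578999601.500    420 192.0.2.11 TCP_TUNNEL/200 5120 CONNECT docs.opnsense.org:443 - HIER_DIRECT/203.0.113.5 -
1578999602.000     10 192.0.2.10 TCP_MISS/200 812 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1578999603.300    140 192.0.2.12 TCP_DENIED/403 3798 CONNECT ads.example:443 - HIER_NONE/- text/html
1578999603.301      0 192.0.2.12 NONE/000 0 NONE error:transaction-end-before-headers - HIER_NONE/- -
"""

# Squid native log format: time elapsed client action/code size method URL user hierarchy/peer type
FIELDS = ("ts", "elapsed", "client", "status", "size", "method", "url", "user", "hier", "ctype")

END_BEFORE_HEADERS = "error:transaction-end-before-headers"


def parse_line(line):
    """Split one native-format line into a dict; return None for short/garbage lines."""
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts[:len(FIELDS)]))
    rec["action"], rec["code"] = rec["status"].split("/", 1)
    rec["ts"] = float(rec["ts"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def sni_host(rec):
    """For CONNECT entries the URL field is host:port; return just the host."""
    if rec["method"] != "CONNECT":
        return None
    return rec["url"].rsplit(":", 1)[0]


def analyze(records, pair_window=1.0):
    """Return (denied Counter by host, spliced Counter by host, orphan count).

    A transaction-end-before-headers entry from the same client within
    pair_window seconds after a TCP_DENIED CONNECT is the companion of that
    deny and is not counted again.  Any other such entry is an orphan, e.g. a
    client that connected and hung up without sending a ClientHello."""
    denied, spliced, orphans = Counter(), Counter(), 0
    last_deny = {}                                # client -> ts of its last denied CONNECT
    for r in records:
        if r["method"] == "CONNECT" and r["action"] == "TCP_DENIED":
            denied[sni_host(r)] += 1
            last_deny[r["client"]] = r["ts"]
        elif r["method"] == "CONNECT" and r["action"] == "TCP_TUNNEL":
            spliced[sni_host(r)] += 1            # passed through untouched
        elif r["url"] == END_BEFORE_HEADERS:
            t = last_deny.pop(r["client"], None)
            if t is None or r["ts"] - t > pair_window:
                orphans += 1
    return denied, spliced, orphans


if __name__ == "__main__":
    denied, spliced, orphans = analyze(parse_log(SAMPLE_LOG))
    print("denied :", dict(denied))
    print("spliced:", dict(spliced))
    print("orphan end-before-headers entries:", orphans)
```

Counting only TCP_DENIED CONNECT entries gives the real number of blocked hosts; counting every NONE/000 line as well would double it. The orphan count is worth watching separately, since a steady stream of end-before-headers entries with no matching deny is how clients that send no SNI, or that abort the handshake, show up in the log.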

ArminF (Full Member, Posts: 205, Karma: 11)
Re: Filtering without ssl inspection?
« Reply #6 on: February 10, 2020, 11:16:02 am »
Happy I found this thread.

Had to route 3129 via NAT and FW Rule
Had to create a local CA

Used options
Enable Transparent HTTP proxy
Enable SSL inspection
Log SNI information only (No Cert installation on clients just URL scan)

Worked!!

Thank you very much
A
« Last Edit: February 10, 2020, 11:44:42 am by ArminF »
English: Never try, never know!
Deutsch: Unversucht ist Unerfahren!

riq (Newbie, Posts: 3, Karma: 0)
Re: Filtering without ssl inspection?
« Reply #7 on: May 11, 2020, 07:44:11 pm »
Hey everyone!

I have trouble getting our transparent proxy to work. Even though I have enabled "Log SNI information only", the clients (mobile devices and various browsers) come up with certificate errors when accessing HTTPS websites. In my test setup on virtual machines it is working perfectly, but in the live environment I constantly run into this issue.

I have no idea what is going on...

Help!

Riq

ArminF (Full Member, Posts: 205, Karma: 11)
Re: Filtering without ssl inspection?
« Reply #8 on: May 11, 2020, 09:45:57 pm »
Maybe check whether you set up a CA, even if you don't use it.
It seems to be mandatory to select one in the SSL options.

At home I switched to DNSCrypt, as it provides blocklists via DNS-based answers.
It uses much fewer resources on the box.

riq (Newbie, Posts: 3, Karma: 0)
Re: Filtering without ssl inspection?
« Reply #9 on: May 11, 2020, 09:57:09 pm »
Thanks for the input.

I have tried both, with and without CAs... Same result :(

ArminF (Full Member, Posts: 205, Karma: 11)
Re: Filtering without ssl inspection?
« Reply #10 on: May 11, 2020, 10:02:25 pm »
Ehm... did you reroute the ports to localhost for SSL as well?

3129, as far as I remember. 3128 is for HTTP.

https://docs.opnsense.org/manual/how-tos/proxytransparent.html

riq (Newbie, Posts: 3, Karma: 0)
Re: Filtering without ssl inspection?
« Reply #11 on: May 11, 2020, 10:23:00 pm »
Of course ;) I set up port forwarding for HTTP and HTTPS...

HTTP works like a charm, but for some reason the SNI option doesn't for HTTPS.

I will post log files tomorrow.

Edit: came to work this morning, activated NAT port forwarding again (pure curiosity) and it worked instantly... Sometimes you should just go home, have a beer or two, go to sleep, and the next day the problems are gone :D
« Last Edit: May 12, 2020, 09:42:00 am by riq »

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved