
ACL > Whitelist not considered when using Remote ACL


t.mayer:
I have configured the OPNsense-Webproxy with shallalist as Remote ACL.
For some exceptions I always used the Whitelist under Access Control List > Whitelist.
When I try to open a domain blocked by a shallalist category but with a corresponding entry in the whitelist, the domain is still blocked.

Version of OPNSense: 19.7.8

Forward-Proxy-Config:
- Interface: LAN
- Port: 3128 / SSL: 3129
- Transparent http-Proxy
- SSL inspection
- SNI only

Thanks for your help!

Greets
Tom

t.mayer:
May I ask again if there is anybody with an idea?

Amr:
Weird, works for me. Try adding a wildcard for the domain, i.e. add a "." before the domain name (e.g. .whatsapp.net), then stop and restart the service.

Check the certificate of the domain for aliases and try adding them. Check the logs to see if the website is trying to reach another domain for grabbing code or something.

Since you are using SNI logging only, it shouldn't be a problem, but try adding the domain to the no bump sites list.

t.mayer:
@Amr: Thanks for your answer.

The problem still exists for me.
I found out that it has something to do with the SSL/SNI-only settings.

Here is what I have tested:

* Remote-ACL: Shallalist with only one active category: socialnet
* URL for testing: instagram.com

Case 1: No Entry in ACL-Whitelist
Setting Browser to use Proxy-Port 3128
> instagram.com can't be reached
> functioning as expected

Setting Browser to not use Proxy (Proxy now transparent via SSL/SNI only)
> instagram.com can't be reached
> functioning as expected

Case 2: Entry in ACL-Whitelist: instagram.com
Setting Browser to use Proxy-Port 3128
> instagram.com can be reached
> functioning as expected

Setting Browser to not use Proxy (Proxy now transparent via SSL/SNI only)
> instagram.com can't be reached
> BUG?
> instagram.com as an entry in SSL no bump sites also has no effect on this

Hopefully my description is understandable.

Greets
Tom

Amr:
From your description

--- Quote ---
Setting Browser to not use Proxy (Proxy now transparent via SSL/SNI only)
> instagram.com can't be reached
--- End quote ---
 
I assume there's a problem with NAT port forwarding, so did you set it up properly? (Attach a pic of your rules.)

If NAT is not the problem can you access other websites? (after setting 'no proxy' in browser)

If you can access other websites what kind of error does the proxy return?
