Transparent proxy with SSL

[samnet]

Dear All
I know this has been asked before but no one actually compared the transparent SSL mode that PFSense has where there is no need to add the CA in every client and can do transparent SSL with no extra install on each client.
How can we achieve this transparent SSL proxy without touching CA?

[Fright]

Hi!
Can you please give more info about "transparent SSL mode that PFSense has where there is no need to add the CA in every client"?

[siga75]

hmmmm how can you do transparent SSL proxy without using a CA for which you have the private key?

[samnet]

Hi!
Can you please give more info about "transparent SSL mode that PFSense has where there is no need to add the CA in every client"?

of course there is splice option which I cant find it in opnsense.

[samnet]

hmmmm how can you do transparent SSL proxy without using a CA for which you have the private key?

forget this method, I just want to control url access even via https

[Fright]

of course there is splice option which I cant find it in opnsense.

ssl_bump is there
/usr/local/opnsense/service/templates/OPNsense/Proxy/squid.conf:
..
# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"

# configure bump
{% if helpers.exists('OPNsense.proxy.forward.sslurlonly') and OPNsense.proxy.forward.sslurlonly == '1' %}
ssl_bump peek bump_step1 all
ssl_bump splice all
ssl_bump peek bump_step2 all
ssl_bump splice bump_step3 all
ssl_bump bump

{% else %}
ssl_bump peek bump_step1 all
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump stare bump_step2
ssl_bump bump bump_step3
{% endif %}
..

OPNsense.proxy.forward.sslurlonly is "Log SNI information only" flag in Forward Poxy GUI

[Fright]

forget this method, I just want to control url access even via https

and no. you can  not view requested url (if you mean exactly full url) without mitm. only tcp info, tls hello and sni info (if any).

[samnet]

forget this method, I just want to control url access even via https

and no. you can  not view requested url (if you mean exactly full url) without mitm. only tcp info, tls hello and sni info (if any).

Im still not getting this right, do you mean its impossible to see full URLs without MITM?
is this a no go area at all?
I recall splice option in pfsense which used to slightly control https to some extend, is there a splice option in opnsense?

[Fright]

Im still not getting this right, do you mean its impossible to see full URLs without MITM?

no you can not view requested url (if you mean exactly full url) without mitm

is there a splice option in opnsense?

yes
see template 2 posts above
1st part for " Log SNI information only"  - splice
2nd - decode - bump
https://wiki.squid-cache.org/Features/SslPeekAndSplice

[samnet]

thanks for clarification.
can you pls suggest any way for controlling URL access in a network with 100 desktops / laptops / mobiles many of them logging via Active Directory win2012

[Fright]

its realy about company policy and client software requirements\restrictions imho
squid (transperent or via proxy settings via group policy or autoconfig) with or without kerberos auth with or without ssl-inspection (of course, if url control is needed, then ssl-inspection is required). all will work with pros and cons. it all depends on your imagination )
100 clients is not a big load. everything should work well

[pmhausen]

thanks for clarification.
can you pls suggest any way for controlling URL access in a network with 100 desktops / laptops / mobiles many of them logging via Active Directory win2012

Get an AD integrated Proxy product, force proxy via group policy, deny Internet access for everyone but proxy on OPNsense.

[fabian]

Get an AD integrated Proxy product, force proxy via group policy, deny Internet access for everyone but proxy on OPNsense.

Squid can handle Windows Login if needed.