Web Proxy SSL No Bumb eg. Wifi Guests

[Bismarck]

Long time lurker, first time poster.

Coming from pfSense to OPNSense, still trying making things to how I'm used to. In pfSense there is a option in Squid, where you can enable SSL inspection with custom config, which let you do things like SSLBump on the LAN interface and just Splice on the WIFI interface. So you don't get TLS errors about brocken certificates and so on, but sill maintain a layer of protection with SNI and acl blacklisting.

Unfortunately in OPNSense there is no such option for the Web Proxy, but with a little tinkering I figured out how to make it here work as well.

We need to modify one file, which maybe get overwrite on updates, but any way here we go:

1. In Services: Web Proxy: Administration, enable Enable SSL inspection apply.

2. You need to edit /usr/local/opnsense/service/templates/OPNsense/Proxy/squid.conf

from

# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"

# configure bump
{% if helpers.exists('OPNsense.proxy.forward.sslurlonly') and OPNsense.proxy.forward.sslurlonly == '1' %}
ssl_bump peek bump_step1 all
ssl_bump splice all
ssl_bump peek bump_step2 all
ssl_bump splice bump_step3 all
ssl_bump bump

{% else %}
ssl_bump peek bump_step1 all
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump stare bump_step2
ssl_bump bump bump_step3
{% endif %}

to

# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
acl splice_only src 10.10.10.0/24
acl splice_only src 10.10.20.9
acl splice_only src 192.168.0.13

# configure bump
{% if helpers.exists('OPNsense.proxy.forward.sslurlonly') and OPNsense.proxy.forward.sslurlonly == '1' %}
ssl_bump peek bump_step1 all
ssl_bump splice all
ssl_bump peek bump_step2 all
ssl_bump splice bump_step3 all
ssl_bump bump

{% else %}
ssl_bump peek bump_step1 all
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump peek bump_step2 splice_only
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump splice bump_step3 splice_only
ssl_bump stare bump_step2
ssl_bump bump bump_step3
{% endif %}

and save the changes. (bold)

3. Next in Services: Web Proxy: Administration, just hit apply.

Now you should have full SSL inspection everywhere, expect on clients in the 10.10.10.0/24 network or single IPs like 10.10.20.9 and 192.168.0.13 which only get spliced, so they don't need a cert to be installed and thus have no cert errors.

Hope someone will find this useful, maybe a dev can make this as an option in the WebGUI of the Web Proxy.

Thanks

[errored out]

Do these settings remain after a reboot?  I can not remember at the moment, but I came across a thread stating not to make changes to the templates.  Once the server starts/reboots, all the changes in the template(s) will revert back to their original configurations.

I not 100% on this, but it may help.
https://forum.opnsense.org/index.php?topic=6516.msg27986#msg27986

[Bismarck]

Do these settings remain after a reboot?

Yes they do if you edit the template files in

/usr/local/opnsense/service/templates/OPNsense/Proxy/

files in

/usr/local/etc/squid

will not, but a os-web-proxy update will overwrite them here as well.

I not 100% on this, but it may help.
https://forum.opnsense.org/index.php?topic=6516.msg27986#msg27986

Unfortunately, in this case it will not work.

[Bismarck]

There is a way, where your edits will survive a plugin/system update:

https://docs.opnsense.org/development/backend/templates.html

Still it would be 1000 times better, to have this in the WebGUI as an option.