Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
16.7 Legacy Series
»
SSL/HTTPS Transparent Proxy
« previous
next »
Print
Pages: [
1
]
Author
Topic: SSL/HTTPS Transparent Proxy (Read 9990 times)
stewconsult
Newbie
Posts: 5
Karma: 1
SSL/HTTPS Transparent Proxy
«
on:
September 15, 2016, 10:20:55 pm »
I am on newest opnsense ver 16.7.3 and am a newbie. Transparent proxy is setup for HTTP but not yet for HTTPS due to all the warnings about man in the middle. I would like to do HTTPS proxy filtering with transparent but have questions...
1. Will all browsers give cert errors until I give them a cert to install? What if I buy a cert through a trusted public CA?
2. If I enable the "SSL Domain/IP only" setting under the general forward proxy settings, will the certificates still be required for access? I understand no filtering will be done here, so maybe no need for certs?
Logged
jschellevis
Administrator
Full Member
Posts: 156
Karma: 37
Re: SSL/HTTPS Transparent Proxy
«
Reply #1 on:
September 16, 2016, 09:02:34 am »
Well you already found the two options.
If you go for the standard option as descibed in the docs, then the proxy will get the page content and sign it with its own certificate. This will always generate an alert on the browser as the certificate is not valid for the domain in question. (unless you import the certificate into your system/browser).
As for getting a cert, you would need a root signing certificate. With a root signing certificate, you essentially become your own certificate authority and you can issue certificates that are trusted by browsers/clients. This is not possible as that would undermine the security of the internet if everyone could get such a cert. Only certified organisations have such a siging cert. In short, not an option.
If you only want to use the ACL's for filtering IP's and domains then you can go for the second options and enable "SSL Domain/IP only". This way the ssl connect can be blocked so your browser is not able to establish a connection to those domains or IP's. However with this option the proxy is not aware of the content of the web data/page so it can't block based on the full urls.. it simply doesn't know what you are requesting only the ip or domain.
Simply put you can block
www.cnn.com
but you can't block
https://www.cnn.com/test.html
or anything on that page such as mypicture.jpg
Logged
Reiter der OPNsense
Full Member
Posts: 115
Karma: 11
Re: SSL/HTTPS Transparent Proxy
«
Reply #2 on:
September 16, 2016, 12:41:14 pm »
Hi,
I tried to use "SSL Domain/IP only", but it does not work for me. See the error logs in this thread:
https://forum.opnsense.org/index.php?topic=3644.0
I suspect it has to do with a squid security feature, mentioned here:
http://wiki.squid-cache.org/KnowledgeBase/HostHeaderForgery
but I do not know how I can solve the problem.
Any ideas or tips for me?
Logged
jschellevis
Administrator
Full Member
Posts: 156
Karma: 37
Re: SSL/HTTPS Transparent Proxy
«
Reply #3 on:
September 16, 2016, 01:40:53 pm »
The issue is related to the fact that the proxy checks if the ip or the requested domain is the same as the browser requested. For this it does a lookup, however the lookup that the browser did may not match the one that the proxy performed. This can happen when a domain has multiple ips (a farm).
Not sure if there is anything definitive that can be done here, but I think you can minimize the impact by making sure you use the same DNS all the time. (that is client and firewall/proxy)
«
Last Edit: September 16, 2016, 01:44:00 pm by jschellevis
»
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
16.7 Legacy Series
»
SSL/HTTPS Transparent Proxy