OPNSense - Web Proxy ( Enable SSL mode Problem)

[pr3p]

Hi enabled web proxy services on opnsense, everything is working fine, but when i enabled Enable SSL mode i cant browse https website, any idea? i already set rules on firewall


Reference:
https://docs.opnsense.org/manual/how-tos/proxytransparent.html


Regards,
pr3p

[fabian]

missing certificate, squid not restarted or wrong port?

[pr3p]

missing certificate, squid not restarted or wrong port?

I already setup certificate and port is correct as the default port for proxy set on firewall.







Proxy is working fine with http only https, but when i set or configure browser to use proxy server both are working fine, is there any way to work proxy ssl enabled without setting on client side such as laptop, mobiles and etc


Regards,
pr3p

[fabian]

SSL mode is not enabled

[pr3p]

SSL mode is not enabled

oh sorry i just temporary disabled now i cant access forum and other website, but when its enable still not working. its only work when i set proxy on my browser

[franco]

Did you also select the CA certificate in the proxy settings?


Cheers,
Franco

[pr3p]

Did you also select the CA certificate in the proxy settings?


Cheers,
Franco

@franco yes its the CA Certificate is enabled and selected,

Question: is there anyway to use proxy with ssl enabled w/o configuring any browser setting to use proxy?

[fabian]

Yes, OPNsense supports configuring a transparent squid proxy for HTTPS, but you have to configure the clients anyway (installing the root certificate), if you are not only configuring it for domain filtering only.

You need to enable SSL mode with a root certificate, which is trusted by your clients.

At least in Firefox you will have to import your root certificate. Many other applications are affected too and some use certificate pinning. This are the apps you will have to whitelist because otherwise they won't work.

[pr3p]

Yes, OPNsense supports configuring a transparent squid proxy for HTTPS, but you have to configure the clients anyway (installing the root certificate), if you are not only configuring it for domain filtering only.

You need to enable SSL mode with a root certificate, which is trusted by your clients.

At least in Firefox you will have to import your root certificate. Many other applications are affected too and some use certificate pinning. This are the apps you will have to whitelist because otherwise they won't work.

@fabian thanks for the info, yes i tested to it with cert imported to all browsers and so far i have no problem with it, since we don't have access on personal devices of our staff and students we cant import those cert manually. is there any other way?

[fabian]

@fabian thanks for the info, yes i tested to it with cert imported to all browsers and so far i have no problem with it, since we don't have access on personal devices of our staff and students we cant import those cert manually. is there any other way?

Why not put it on a network share which is read only and everyone can access it to download the certificate and install it if needed. I would suggest FTP or HTTP for that. You will have to document where the certificate can be downloaded.

[spetrillo]

@fabian thanks for the info, yes i tested to it with cert imported to all browsers and so far i have no problem with it, since we don't have access on personal devices of our staff and students we cant import those cert manually. is there any other way?

Why not put it on a network share which is read only and everyone can access it to download the certificate and install it if needed. I would suggest FTP or HTTP for that. You will have to document where the certificate can be downloaded.

Do I just export the CA and then import it on my devices?