WEB PROXY + OPNPROXY + SSO something doesn't work in the OPNSense Advanced PROXY

Started by Wuensch-AG-Adm, February 03, 2025, 02:04:08 PM

Dear OPNSense Community,

We have purchased a DECISO appliance with a Business license to replace our Sophos UTM. We thought that it would be possible to replace the Sophos UTM Webfilter (transparent with LDAP) with the OPNSense plugins (WEB PROXY + OPNPROXY + SSO). But it doesn't work for us right now. The Business plugin OPNPROXY could be the solution. It seems that the plugin cannot work with the SSO plugin. That's really sad. We have set up the Access control but nothing is applied as it should. The policy tester is working, but in reality, in the browser, nothing is filtered. It's as if the OPNPROXY plugin isn't enabled or present, and I've set up a lot of rules. The WEB PROXY is working as it should.
Is it right that this Business plugin cannot work with SSO? (AD)
If yes, I think that's the biggest missing feature in this plugin. If no, what could I have missed, please?

Thanks ahead,

Regards,

Joel T.

I have some news here. I've tried to activate the proxy in Windows with the FQDN and port of the OPNSense and somehow it "works". The problem is that the websites are randomly blocked and I cannot understand which of the rules is triggered when the website is blocked.
For example... I've put the website of thomas-krenn.com in the whitelist ACL of squid and in the custom whitelist (allow) ACL of the OPNSense Advanced PROXY (os-OPNProxy) and I'm still blocked on the computer where I've set up the proxy in Windows. How that's possible... I don't know.

In the Log (Access Log) I have something like this:
IP - MAC ADDR USERNAME@DOMAIN "GET https://www.thomas-krenn.com/favicon.ico HTTP/1.1" 403 24992 "https://www.thomas-krenn.com/de/wiki/OPNsense_Plugins" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36" NONE_NONE:HIER_NONE
IP - MAC ADDR USERNAME@DOMAIN "CONNECT www.thomas-krenn.com:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36" TCP_DENIED:HIER_NONE
USERNAME@DOMAIN is in a group in a custom allow rule

Policy tester:
{
  "message": "OK user=\"User\"\n",
  "user": {
    "uid": "User",
    "id": "2020",
    "applies_on": [
      "u:User",
      "g:Group One",
      "g:Group Two"
    ]
  },
  "policy": {
    "action": "allow",
    "policy_type": "fallback"
  }
}




I'm sure that this website isn't in a blacklist.

Is there a way to have a log that records which of the rules is triggered?

It's pretty hard to administer the webfilter like that.

I've followed this to implement the OPNProxy: https://docs.opnsense.org/manual/opnproxy.html
But it seems that this is not enough to get the web proxy fully configured.

Thanks ahead.

Joel T.
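
An added example, not part of the original posts and not OPNsense or Squid code: one way to pull every denied request out of an access log shaped like the two lines quoted above and group them by user and host, so the blocked `CONNECT` and the 403 served afterwards are seen together. The field layout is assumed from those two lines (with the MAC address as a single token), and the sample lines, addresses and user names are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Field layout assumed from the two lines quoted in the post:
# client - mac user "request" status bytes "referer" "user-agent" result:hierarchy
LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<mac>\S+) (?P<user>\S+) '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" '
    r'(?P<result>[A-Z_]+):(?P<hier>[A-Z_]+)$'
)

# Constructed sample lines (documentation addresses, made-up users), not real log data.
SAMPLE_LOG = """\
192.0.2.10 - 00:00:5e:00:53:01 jdoe@EXAMPLE.LOCAL "CONNECT www.thomas-krenn.com:443 HTTP/1.1" 200 0 "-" "Mozilla/5.0" TCP_DENIED:HIER_NONE
192.0.2.10 - 00:00:5e:00:53:01 jdoe@EXAMPLE.LOCAL "GET https://www.thomas-krenn.com/favicon.ico HTTP/1.1" 403 24992 "https://www.thomas-krenn.com/de/wiki/OPNsense_Plugins" "Mozilla/5.0" NONE_NONE:HIER_NONE
192.0.2.11 - 00:00:5e:00:53:02 asmith@EXAMPLE.LOCAL "CONNECT docs.opnsense.org:443 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" TCP_TUNNEL:HIER_DIRECT
this line is truncated and must not crash the parser
"""

def host_of(method, target):
    """CONNECT targets are host:port; other methods carry a full URL."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or target).lower()

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["host"] = host_of(rec["method"], rec["target"])
    # In the quoted lines a block shows up either as HTTP 403 or as a *_DENIED result code.
    rec["denied"] = rec["status"] == 403 or rec["result"].endswith("_DENIED")
    return rec

def denied_summary(text):
    """Map (user, host) -> list of (method, status, result) for denied requests."""
    out = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["denied"]:
            out[(rec["user"], rec["host"])].append(
                (rec["method"], rec["status"], rec["result"]))
    return dict(out)
```

Calling `denied_summary()` on the real access log text lists, per user and host, every request that was refused. It does not show which rule refused it, which is the open question in the post.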