Author Topic: SSL Bump Client exception  (Read 3827 times)

SteNub

SSL Bump Client exception
« on: March 23, 2021, 12:00:13 pm »
Hello everybody,

I have managed to get some clients SSL bumped and some others not.
Unfortunately, I only got it to work by modifying the squid.conf at the ssl_bump part:

Code:

# setup ssl bump acl's
acl bump_step1 at_step SslBump1
acl bump_step2 at_step SslBump2
acl bump_step3 at_step SslBump3
acl bump_nobumpsites ssl::server_name "/usr/local/etc/squid/nobumpsites.acl"
acl bump_nobumpclients src "/usr/local/etc/squid/nobumpclients.acl"

# configure bump
ssl_bump splice bump_nobumpclients
ssl_bump peek bump_step1 all
ssl_bump peek bump_step2 bump_nobumpsites
ssl_bump splice bump_step3 bump_nobumpsites
ssl_bump stare bump_step2
ssl_bump bump bump_step3


Now I can enter single IPs or IP ranges in the nobumpclients.acl file and everything works as expected! :-)

My question is: Can this be achieved in the custom conf folders, too (pre-auth, auth, post-auth)? I tried, but it seems my entries are ignored? Maybe this small addon is worth a commit to the official repo?
Via the GUI it would be possible to create the nobumpclients entries in the corresponding file, analogous to the nobumpsites.

Any hints?

Thank You!
Stefan
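
The rule order in the post above can be checked offline before it goes into squid.conf. The following is an added example, not part of the original post or of OPNsense: a simplified model of Squid's first-match ssl_bump evaluation over the three steps, showing which connections end up spliced (not intercepted) and which are bumped. It assumes the ACL files hold single IPs or CIDR networks and dot-prefixed domains; the function names and sample values are made up for illustration.

```python
import ipaddress

# The six ssl_bump rules from the post, in order:
# (action, at_step or None for any step, extra ACL or None)
RULES = [
    ("splice", None, "nobumpclients"),
    ("peek", 1, None),
    ("peek", 2, "nobumpsites"),
    ("splice", 3, "nobumpsites"),
    ("stare", 2, None),
    ("bump", 3, None),
]

def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)

def in_sites(sni, sites):
    # Simplified domain match: ".example" also covers subdomains.
    return any(sni == s.lstrip(".") or (s.startswith(".") and sni.endswith(s))
               for s in sites)

def possible(action, step, prev):
    # peek/stare only exist in steps 1-2; at step 3 a step-2 peek rules out
    # bump and a step-2 stare rules out splice.
    if action in ("peek", "stare"):
        return step < 3
    if step == 3:
        return prev != ("peek" if action == "bump" else "stare")
    return True

def decide(client_ip, sni, nobump_clients, nobump_sites):
    """Return (final_action, [(step, action), ...]) for one TLS connection."""
    trace, prev = [], None
    for step in (1, 2, 3):
        for action, at_step, acl in RULES:
            if at_step not in (None, step) or not possible(action, step, prev):
                continue
            if acl == "nobumpclients" and not in_nets(client_ip, nobump_clients):
                continue
            if acl == "nobumpsites" and not in_sites(sni, nobump_sites):
                continue
            trace.append((step, action))
            break
        else:
            return "no-match", trace  # Squid's built-in default is not modelled
        if action in ("splice", "bump"):
            return action, trace
        prev = action

if __name__ == "__main__":
    clients, sites = ["192.168.1.0/24"], [".bank.example"]  # constructed values
    for ip, sni in [("192.168.1.50", "example.org"), ("10.0.0.5", "example.org")]:
        print(ip, sni, decide(ip, sni, clients, sites))
```

Because the client exception is the first rule and is not tied to a step, exempt clients are spliced at step 1, before any peek or stare takes place.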

mscd

Re: SSL Bump Client exception
« Reply #1 on: July 04, 2021, 11:08:07 am »
Hello Stefan,

I am working on the same problem … I would like to do SNI inspection (with category filtering) for all clients … but true SSL inspection only for specific subnets. Did you get that working (by use of include folders)?

Best regards,
mscd

mimugmail

Re: SSL Bump Client exception
« Reply #2 on: August 30, 2021, 04:10:18 pm »
I'll add it to the GUI :)
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

mimugmail

Re: SSL Bump Client exception
« Reply #3 on: August 30, 2021, 04:15:49 pm »
https://www.routerperformance.net/opnsense/plugin-development/

Here, a new checkbox:
https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/controllers/OPNsense/Proxy/forms/main.xml

Here also:
https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/models/OPNsense/Proxy/Proxy.xml

New file like this:
https://github.com/opnsense/core/blob/master/src/opnsense/service/templates/OPNsense/Proxy/nobumpsites.acl

And add it here:
https://github.com/opnsense/core/blob/master/src/opnsense/service/templates/OPNsense/Proxy/%2BTARGETS

And here should also be the stuff from you above:
https://github.com/opnsense/core/blob/master/src/opnsense/service/templates/OPNsense/Proxy/squid.conf