
How to Set Up Caching Proxy in OPNsense?

OPNsense provides a fully-featured caching proxy service with extensive Access Control Lists, category-based web filtering, and the ability to run in transparent mode. It supports HTTP, HTTPS, and FTP services. Also, the proxy server can be used in conjunction with the traffic shaper to improve the user experience. By caching and reusing frequently-visited websites, it improves response times and increases the efficiency in bandwidth usage. The ICAP interface allows for integration with the majority of professional anti-virus solutions.

In this tutorial, we will briefly explain the following topics:

  • What are the Features of the Caching Proxy in OPNsense?
  • How to Configure Custom Error Pages in OPNsense Caching Proxy?
  • How to Set Up Basic Caching Proxy in OPNsense?
  • How to Enable Web Filtering in OPNsense Proxy?
  • How to Enable Transparent HTTP and SSL mode in OPNsense Proxy?
  • How to Import an Internal CA Certificate into Windows 10 as a Trusted Root CA?
info

Beware that the caching proxy service is CPU-intensive and generates heavy disk-cache writes. An SSD drive is therefore recommended for the caching proxy service.

What are the Features of the Caching Proxy in OPNsense?

The primary features of the OPNsense caching proxy service are outlined below:

  1. Authenticators: The proxy supports the following authentication methods (note that authentication cannot be combined with transparent mode, see below):
  • No authentication
  • Local Database
  • Radius
  • LDAP
info

You can configure OPNsense caching proxy authentication options by navigating to the Web Proxy > Administration > Forward Proxy > Authentication Settings.

Accessing Authentication Settings in OPNsense Web Proxy

Figure 1. Accessing Authentication Settings in OPNsense Web Proxy

  2. Access Control: It supports Access Control Lists based on the following criteria:
  • Subnets
  • Ports
  • MIME types
  • Banned IPs
  • Whitelists
  • Blacklists (local and remotely downloaded)
  • Browser/User Agents
info

You can configure OPNsense caching proxy Access Control Lists by navigating to the Web Proxy > Administration > Forward Proxy > Access Control Lists.

Accessing Access Control List in OPNsense Web Proxy

Figure 2. Accessing Access Control List in OPNsense Web Proxy

  3. Transparent Mode: The transparent mode routes all requests to the proxy without any client configuration. It works well with unencrypted HTTP traffic. For HTTPS, however, the proxy becomes a man-in-the-middle: the client "talks" TLS to the proxy, which presents a certificate issued on the fly by its own Certificate Authority, so every client must trust that CA. The proxy then opens a separate TLS connection to the destination server.
caution

Using a transparent HTTPS proxy can be risky and may not be allowed for some web applications, such as e-commerce and online banking.

  4. Web Filter: OPNsense includes category-based web filtering support with the following features:
  • Fetch data from a remote URL.
  • Use the built-in scheduler to keep lists up-to-date.
  • Compatibility with the most widely used blacklists.
  • Flat file lists and category-based compressed lists are supported.
  • Convert category-based blacklists to squid ACLs automatically.
  5. Traffic Management: The proxy can be used in conjunction with the traffic shaper to fully utilize its shaping capabilities. It also provides the following options:
  • Maximum file size for download/upload
  • Limiting overall bandwidth
  • Limiting bandwidth per host
info

You can configure OPNsense caching proxy Traffic Management options by navigating to the Web Proxy > Administration > General Proxy Settings > Traffic Management Settings.

Accessing Traffic Management settings in OPNsense Web Proxy

Figure 3. Accessing Traffic Management settings in OPNsense Web Proxy

  6. WPAD / PAC: OPNsense provides automatic proxy configuration via WPAD / PAC for cases in which you cannot use transparent mode.
caution

WPAD via DNS requires the OPNsense web UI to listen on plain HTTP on the default port (TCP/80) so that clients can fetch the proxy auto-configuration file. Administration traffic to the firewall on that port is then exposed to man-in-the-middle attacks, so in such a setup do not administer the firewall from an untrusted network.

  7. Custom Error Pages: OPNsense caching proxy service provides customizable error pages to match your requirements.
  8. Multi-Interface: The proxy can run on multiple network interfaces at the same time.

How to Configure Custom Error Pages in OPNsense Caching Proxy?

You may easily configure your custom error pages in OPNsense caching proxy service by following these steps listed below:

  1. Navigate to the Services > Web Proxy > Administration > General Proxy Settings in your OPNsense web UI.
  2. Select Custom for User error pages. Then, an additional tab named Error Pages will be visible.

Setting User error pages option in OPNsense Web Proxy

Figure 4. Setting User error pages option in OPNsense Web Proxy

  3. Click on the Error Pages tab.
  4. Click on the Download icon to get a zip file (proxy_template.zip) with all available error pages and cascading style sheets.

Downloading error pages in OPNsense Web Proxy

Figure 5. Downloading error pages in OPNsense Web Proxy

  5. Change the related files as you wish and zip them.

Error pages file lists in OPNsense Web Proxy template

Figure 6. Error pages file lists in OPNsense Web Proxy template

  6. Click on the folder icon to select the newly created zip, such as custom_template.zip.

Uploading Custom Error pages in OPNsense Web Proxy

Figure 7. Uploading Custom Error pages in OPNsense Web Proxy

  7. Click on the upload button.
  8. Click on the Apply button.
  9. Click on the General Proxy Settings tab.
  10. Click on the Apply button to activate the error pages template.
tip

The reset button with an X icon will remove your custom template from the configuration, and the download option will return the standard OPNsense template.

To change only the style sheet (for example the background image), you can upload a zip containing just the CSS file and leave out all the HTML files.

How to Set Up Basic Caching Proxy in OPNsense?

You may set up a basic caching proxy service in your OPNsense easily by following the 10 main steps given below:

  1. Enable/Disable Proxy Server
  2. Configure Proxy Interface(s)
  3. Configure Proxy Listening Port
  4. Enable/Disable Caching
  5. Configure Authentication Method
  6. Enable/Disable FTP Proxy
  7. Define Access Control List
  8. Define Remote Access Control List
  9. Define Firewall Rules to Prevent Clients from Bypassing the Proxy Server
  10. Configure Client Proxy

We will briefly explain these steps below.

1. Enable/Disable Proxy Server

In the OPNsense firewall, the proxy server comes with reasonable default settings for quick setup. To enable the proxy service in your OPNsense firewall, you may follow the steps below:

  1. Navigate to Services > Web Proxy > Administration.
  2. Check the Enable proxy option.
  3. Click Apply to activate the proxy server.

The proxy will be enabled with User Authentication based on the local user database and will run on port 3128 of the LAN interface by default.

Enabling Proxy in OPNsense

Figure 8. Enabling Proxy in OPNsense

How to Start/Restart/Stop Proxy Server?

You can view the status of the proxy service by navigating to Services > Web Proxy > Administration. The status and action buttons are available at the top right corner of the Administration page.

When the proxy server is running, the status button is displayed as a green rectangle with a white right-arrow icon.

You may click on the Restart button to restart the proxy server.

You may click on the Stop button to stop the proxy server.

Restarting/Stopping Proxy Server in OPNsense

Figure 9. Restarting/Stopping Proxy Service in OPNsense

When the proxy server is stopped, the status button is displayed as a red rectangle with a white square icon.

You may click on the Start button to start the proxy server.

Starting a Stopped Proxy Service in OPNsense

Figure 10. Starting a Stopped Proxy Service in OPNsense

2. Configure Proxy Interface(s) and General Forward Settings

If you need to change the interfaces (subnets) to which the proxy will bind, you may follow the steps below:

  1. Navigate to Services > Web Proxy > Administration.
  2. Click on the General Forward Settings page on the Forward Proxy tab.
  3. Select interfaces in the Proxy interfaces field. You can add as many interfaces as you wish or remove one.
  4. Click Apply to activate the settings.

Selecting Proxy Interface in OPNsense

Figure 11. Selecting Proxy Interface in OPNsense

  5. You may check the Enable Transparent HTTP proxy option for transparent proxy mode. We will enable this setting in the last section.
  6. You may check Enable SSL inspection to log HTTPS traffic and/or to make the proxy act as a middleman between the internet and your clients. Before enabling this option, consider the security implications. You will need NAT port-forward rules to redirect your traffic to the proxy if you intend to use transparent HTTPS mode. We will enable this setting in the last section.
  7. You may check the Log SNI information only option to log only the requested domains and IP addresses. This option does not decrypt or filter SSL content.
  8. You may change the SSL Proxy port on which the SSL proxy service will listen. It is 3129 by default.
  9. You may select the Certificate Authority to use for SSL inspection.
  10. You may enter a list of sites that must not be inspected, such as bank and e-commerce sites, into the SSL no bump sites field. To include all subdomains, prefix the domain with a dot (.).

3. Configure Proxy Listening Port

By default, the proxy will listen on port 3128. To change the proxy listening port, you may follow these steps:

  1. Navigate to Services > Web Proxy > Administration.
  2. Click on the General Forward Settings page on the Forward Proxy tab.
  3. Set Proxy port to an appropriate value as you wish, such as 8080.
  4. Click Apply to activate the settings.

Changing Proxy Listening Port in OPNsense

Figure 12. Changing Proxy Listening Port in OPNsense

4. Enable/Disable Caching

To enable caching on your proxy server, you may follow the next steps given below:

  1. Navigate to Services > Web Proxy > Administration.
  2. Click on the arrow next to the General Proxy Settings to see the dropdown menu.
  3. Click on Local Cache Settings.
  4. Check the Enable local cache option.
  5. You may toggle on the advanced mode button at the top.
  6. You may increase the Memory Cache size in Megabytes depending on your system, such as 1024. It is 256 MB by default.
  7. You may increase the Cache size in Megabytes depending on your needs, such as 1024. It is 100 MB by default.
  8. You may leave the Maximum object size (MB) as default which is 4MB.
  9. You may leave Maximum object size in memory (KB) as default.
  10. You may leave Memory cache mode as default. The following options are also available:
  • always: Keeps the most recently retrieved objects (default)
  • disk: Only disk cache hits are stored in memory, so an object must first be cached on disk and then hit a second time before being cached in memory.
  • network: Only objects retrieved from the network are stored in memory.
  11. You may check the Enable Linux Package Cache option to enable package caching for Linux distributions if you have multiple servers in your network and do not host your own package mirror. This saves internet bandwidth while increasing disk access.
  12. You may check the Enable Windows Update Cache option to enable or disable the caching of Windows updates if you don't have a WSUS server.
  13. Click Apply to activate the settings.

Enabling Caching Proxy in OPNsense

Figure 13. Enabling Caching Proxy in OPNsense

caution

Because the cache is not created by default, you must stop and restart the proxy service to ensure that the cache is properly created.

5. Configure Authentication Method

To change the authentication method for your proxy service in OPNsense, you may follow the steps given below:

  1. Navigate to Services > Web Proxy > Administration.
  2. Click on the arrow next to the Forward Proxy to see the dropdown menu.
  3. Click on Authentication Settings.
  4. Select the desired Authenticator(s) in the Authentication method field. If you do not want to use any authentication, click on the Clear All link.
info

Depending on the Authentication Servers you've configured in System > Access > Servers, you may choose one or more of the following options:

  • Local User Database
  • Radius
  • LDAP
  • Time-based One Time Password
  • No Authentication (leave the field blank)
  5. You may set Enforce local group to restrict access to users in the selected (local) group if you want. We leave it as default.
  6. You may fill in the Authentication Prompt as you wish. It will be displayed in the authentication request window.
  7. Set Authentication TTL (hours) to 8. This specifies how long (in hours) the proxy server assumes an externally validated username and password combination is valid. When the TTL expires, the user will be prompted for their credentials once more. It is 2 by default.
  8. You may leave Authentication processes as default. This is the total number of authenticator processes that will be launched.
  9. Click Apply to activate the settings.

Setting Authentication Method for Proxy in OPNsense

Figure 14. Setting Authentication Method for Proxy in OPNsense

6. Enable FTP Proxy

To enable the FTP proxy service in OPNsense, you may follow the steps given below:

  1. Navigate to Services > Web Proxy > Administration.
  2. Click on the arrow next to the Forward Proxy to see the dropdown menu.
  3. Click on FTP Proxy Settings.
  4. Select one or more interfaces in the FTP proxy interfaces field, such as LAN or GUESTNET.
  5. You may change the default FTP proxy port, default is 2121.
  6. You may check Enable Transparent mode to forward all requests for destination port 21 to the proxy server without any additional configuration.
  7. Click on the Apply to activate the settings.

Enabling the FTP proxy service in OPNsense

Figure 15. Enabling the FTP proxy service in OPNsense

warning

The FTP proxy will only work if the Proxy Server is enabled. Furthermore, the proxy only works for unencrypted FTP traffic.

7. Define Access Control List

To define Access Control Lists for your proxy service in OPNsense, you may follow the steps given below:

  1. Navigate to Services > Web Proxy > Administration.
  2. Click on the arrow next to the Forward Proxy to see the dropdown menu.
  3. Click on Access Control Lists.
  4. Click on the advanced mode toggle button.
  5. You may set Allowed Subnets by typing subnets you want to allow access to the proxy server. The proxy interfaces are allowed by default.
  6. You may add Unrestricted IP addresses. For these IP addresses, no authentication and no blacklisting are applied.
  7. You may Type IP addresses you want to deny access to the proxy server into the Banned host IP addresses field.
  8. You may add domains to the Whitelist so that they aren't blocked by the proxy server, such as unharmful.com
  9. You may add domains to the Blacklist so that they are blocked by the proxy server, such as harmful.com.

Setting ACLs for Proxy Service in OPNsense-1

Figure 16. Setting ACLs for Proxy Service in OPNsense-1

  10. You may set Block browser/user-agents to block specific browsers by regular expression. For example, "Mozilla" blocks every browser whose User-Agent contains "Mozilla", which today is almost all of them, since Chrome, Edge and Safari also send a "Mozilla/5.0" prefix, and "(.)+Macintosh(.)+Firefox/36.0" blocks the Macintosh version of Firefox 36.0. We will block MS Internet Explorer versions 6 to 10, which have critical security vulnerabilities. Keep in mind that the User-Agent string is set by the client and is trivial to change, so this is a hygiene measure, not a security boundary.
  11. You may set Block specific MIME type reply to block HTTP replies based on the Content-Type returned by the server, such as image, text, HTML, flash, music, MPEG, etc. For example, entering "video/Flv" blocks YouTube flash video content, and "application/x-javascript" blocks JavaScript served with that type.
  12. You may enter the domain that is permitted to use Google GSuite into the Google GSuite restricted field. All accounts that do not belong to this domain will be barred from using it.
  13. You may apply YouTube restrictions by setting the YouTube Filter field to Moderate or Strict.
  14. You may add Allowed destination TCP ports.
  15. You may add Allowed SSL ports.
  16. Click Apply.

Setting ACLs for Proxy Service in OPNsense-2

Figure 17. Setting ACLs for Proxy Service in OPNsense-2

info

You can use a regular expression, a comma, or press Enter to create a new item. Examples: "mydomain.com" matches "*.mydomain.com"; "https?:\/\/([a-zA-Z]+)\.mydomain\." matches "http(s)://textONLY.mydomain."; "\.gif$" matches ".gif" but not ".giftest"; "[0-9]+\.gif$" matches "123.gif" but not "test.gif". Note that an unescaped dot matches any single character, so escape literal dots with a backslash when you need an exact match.

8. Define Remote Access Control List

To define the remote access control list in your proxy server, you may follow the following steps given below:

  1. Navigate to Services > Web Proxy > Administration.
  2. Click on the arrow next to the Forward Proxy to see the dropdown menu.
  3. Click on the Remote Access Control Lists tab.
  4. Click on the + button at the right bottom of the page to add a remote blacklist.

Adding Remote blacklist for Proxy Service in OPNsense

Figure 18. Adding Remote Blacklist for Proxy Service in OPNsense

  5. Check the enabled option.
  6. Enter a unique Filename for storing the new blacklist, such as StevenBlackListPorn.
  7. Enter a URL from which to retrieve the blacklist, such as https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling-porn-social/hosts.
  8. Enter a Description to explain why this blacklist exists, such as StevenBlackList for social, fake news, gambling, and porn sites.
  9. You may leave other options as default.

Editing Remote Blacklist for Proxy Service in OPNsense

Figure 19. Editing Remote Blacklist for Proxy Service in OPNsense

  10. Click Save to store the settings.
  11. Click Download ACLs & Apply to fetch and activate the newly added remote blacklist in your proxy.

Downloading & Applying Remote ACLs for Proxy Service in OPNsense

Figure 20. Downloading & Applying Remote ACLs for Proxy Service in OPNsense

tip

After downloading the remote blacklist, you may edit the remote ACL by clicking on the edit button with a pen icon. And you may select categories to use. They are used for Category-based web filtering.
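OPNsense performs the hosts-to-ACL conversion itself when you click Download ACLs. The following Python script, an added example that is not part of OPNsense or of the original tutorial, shows what that conversion has to handle for a hosts-format list such as the StevenBlack list above: comments, the localhost boilerplate every hosts file carries, mixed case and duplicate entries, malformed names, and the leading-dot form Squid uses to match a domain together with its subdomains. SAMPLE_HOSTS is a constructed excerpt, not a real download.

```python
"""Convert a hosts-format blacklist into a Squid dstdomain ACL file.

Added example; not OPNsense code. SAMPLE_HOSTS is a constructed excerpt in
the format of hosts-style blacklists ("<sink address> <hostname...>").
"""
import re
from typing import Iterable, List

SAMPLE_HOSTS = """\
# Title: constructed excerpt in StevenBlack/hosts format (not a real download)
127.0.0.1 localhost
127.0.0.1 localhost.localdomain
255.255.255.255 broadcasthost
::1 localhost ip6-localhost ip6-loopback
0.0.0.0 0.0.0.0

# Start of blacklist
0.0.0.0 ads.example-tracker.net
0.0.0.0 www.ads.example-tracker.net   # inline comment
0.0.0.0 ADS.Example-Tracker.NET
0.0.0.0 gambling.example.org
0.0.0.0 -invalid.example.com
0.0.0.0 localhost
"""

# Names present in every hosts file that must never end up in a block list.
BOILERPLATE = {
    "localhost", "localhost.localdomain", "broadcasthost", "local", "0.0.0.0",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts",
}

# RFC 1123 host name with at least two labels; labels may not start or end
# with a hyphen. Malformed entries are dropped rather than passed on.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


def hosts_to_domains(lines: Iterable[str]) -> List[str]:
    """Extract the blocked host names: comments stripped, lower-cased, deduplicated, sorted."""
    domains = set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # hosts format: sink address followed by one or more host names
        for host in line.split()[1:]:
            host = host.lower().rstrip(".")
            if host in BOILERPLATE or not HOSTNAME_RE.match(host):
                continue
            domains.add(host)
    return sorted(domains)


def to_dstdomain_acl(domains: Iterable[str], match_subdomains: bool = False) -> str:
    """Render the list for `acl blacklist dstdomain "/path/to/file"`, one entry per line.

    Squid's dstdomain matches an entry without a leading dot exactly and an
    entry with a leading dot as the domain plus all of its subdomains. In
    leading-dot form Squid warns about, and ignores, entries that are
    subdomains of another entry, so those are collapsed here first.
    """
    domains = sorted(set(domains))
    if not match_subdomains:
        return "\n".join(domains) + "\n"
    kept: List[str] = []
    for d in sorted(domains, key=lambda s: s.count(".")):  # parents before children
        if any(d == p or d.endswith("." + p) for p in kept):
            continue
        kept.append(d)
    return "\n".join("." + d for d in sorted(kept)) + "\n"


if __name__ == "__main__":
    found = hosts_to_domains(SAMPLE_HOSTS.splitlines())
    print(f"{len(found)} host names extracted")
    print(to_dstdomain_acl(found, match_subdomains=True), end="")
```

Hosts-style lists name individual hosts, so the exact-match output is the faithful conversion; the subdomain form widens the block to everything under each listed name, which is usually what you want for tracker and ad domains but not for lists that single out one host of an otherwise legitimate domain.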

9. Define Firewall Rules to Prevent Clients from Bypassing Proxy Server

A firewall rule must be added to ensure that no one can bypass the proxy. Since all clients must access the Internet via the OPNsense proxy server running on port 3128, all HTTP(S) requests sent directly to ports 80/443 must be blocked. You may prevent your users from bypassing your proxy server by following the four main steps given below:

  1. Add a firewall rule to block outgoing HTTP traffic on port 80.
  2. Add a firewall rule to block outgoing HTTPS traffic on port 443.
  3. Move the newly created rules to the top of the firewall rule lists.
  4. Activate the new firewall rules.

1. Add a firewall rule to block outgoing HTTP traffic on port 80

To add a firewall rule that prevents clients from bypassing the proxy server by blocking outgoing HTTP traffic on port 80, you may follow the next steps given below:

  1. Navigate to Firewall > Rules in your OPNsense web UI.
  2. Click on the interface to which your proxy is bound, such as LAN.
  3. Click on the + button to add a firewall rule.
  4. Set Action to Block.
  5. Make sure that the Interface is set to the interface to which your proxy is bound, such as LAN.
  6. Set Protocol to TCP/UDP. Including UDP also blocks HTTP/3 (QUIC) on UDP/443 once the rule is cloned for HTTPS, which would otherwise bypass the proxy.
  7. Set Source to LAN net

Adding Firewall Rule to block outgoing HTTP traffic on port 80 in OPNsense

Figure 21. Adding Firewall Rule to block outgoing HTTP traffic on port 80 in OPNsense-1

  8. Set Destination port range to HTTP.
  9. You may enable logging by checking Log packets that are handled by this rule in the Log option.
  10. Enter Block Proxy Bypass for the Category field.
  11. Enter Block HTTP Bypass for the Description field.
  12. You may leave other settings as default.
  13. Click the Save button at the bottom of the page.

Adding Firewall Rule to block outgoing HTTP traffic on port 80 in OPNsense-2

Figure 22. Adding Firewall Rule to block outgoing HTTP traffic on port 80 in OPNsense-2

2. Add a firewall rule to block outgoing HTTPS traffic on port 443

To add a firewall rule that prevents clients from bypassing the proxy server by blocking outgoing HTTPS traffic on port 443, you may follow the next steps given below:

  1. Clone the newly created firewall rule to block outgoing HTTP traffic in the previous step by clicking on the clone button. This will redirect you to the firewall rule editing page.
  2. Set Destination port range to HTTPS.
  3. Change the Description field to Block HTTPS Bypass.
  4. You may leave other settings as default.
  5. Click the Save button at the bottom of the page

3. Move the newly created rules to the top of the firewall rule lists

After creating the two firewall rules for blocking outgoing HTTP(S) traffic, you will see that these rules are placed at the bottom of the firewall list. You must move them to the top of the list, above any rule that passes LAN traffic to any destination, so that clients' direct HTTP(S) requests match them and are blocked.

Moving Firewall Rules to prevent clients bypassing proxy server in OPNsense

Figure 23. Moving Firewall Rules to prevent clients bypassing proxy server in OPNsense

4. Activate the new firewall rules

To activate new firewall rules, you will need to click on the Apply Changes button at the upper right corner of the firewall rules LAN interface page.

10. Configure Proxy in Your Windows Client or Browser

You can easily configure proxy settings in your Windows client to route web surfing traffic through your proxy server by following the next steps given below:

  1. Open Network & Internet Settings by right-clicking on the network icon on the taskbar in your Windows 10 PC. Or click on the hamburger icon at the top right corner of your Chrome browser and navigate to Settings > Advanced > System > Open your computer's proxy settings.

Accessing proxy server settings in Chrome Browser

Figure 24. Accessing proxy server settings in Chrome Browser

Accessing proxy server settings in Windows 10 client

Figure 25. Accessing proxy server settings in Windows 10 client

  2. Click on Proxy.
  3. Toggle on Use a proxy server in the Manual proxy setup pane.
  4. Enter your proxy server IP address in the Address field, such as 10.10.10.1.
  5. Enter the proxy server port number you've set in the previous section in the Port field, such as 3128.
  6. Click Save to activate the settings.

Setting up proxy in Windows 10 client

Figure 26. Setting up proxy in Windows 10 client

Your proxy server and client configurations are completed. Now, you can test your settings.

Testing Proxy Configuration

You may test your proxy configuration by following the next steps below:

  1. Open your browser on your client's PC. This will pop up a dialog box similar to figure 27 for user authentication if you have enabled authentication in your proxy settings.

Proxy Client authentication in Windows 10 PC

Figure 27. Proxy Client authentication in Windows 10 PC

  2. Try to connect to http://wizhumpgyros.com/ via your browser. Since the URL is in the StevenBlack list that we have added as a remote ACL in the proxy server, it should be blocked.

Accessing the Remote Blacklist Site is blocked in OPNsense proxy

Figure 28. Accessing the Remote Blacklist Site is blocked in OPNsense proxy

  3. Navigate to Services > Web Proxy > Access Log. You should see TCP_DENIED messages for the wizhumpgyros.com access attempt.

Viewing the Access Logs in OPNsense proxy

Figure 29. Viewing the Access Logs in OPNsense proxy
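The following Python script, an added example that is not part of OPNsense or the original tutorial, turns the access log into a quick denial report: it parses Squid's native access.log format (the fields the Access Log page displays), separates TCP_DENIED/403 ACL blocks from TCP_DENIED/407 authentication challenges (which every authenticating client produces on its first request and which are not policy violations), and counts blocks per client and per destination host. SAMPLE_LOG is constructed for this example; if your installation uses a custom logformat, adapt LINE_RE.

```python
"""Summarise denied requests in Squid's native access.log format.

Added example; not OPNsense code. SAMPLE_LOG is constructed. Fields, in
order: timestamp elapsed_ms client result/status bytes method URL user
hierarchy/peer content-type.
"""
import re
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

SAMPLE_LOG = """\
1652345601.102     12 10.10.10.20 TCP_MISS/200 5120 GET http://www.example.com/index.html alice HIER_DIRECT/93.184.216.34 text/html
1652345602.330      0 10.10.10.20 TCP_DENIED/403 3980 GET http://wizhumpgyros.com/ alice HIER_NONE/- text/html
1652345603.871      0 10.10.10.20 TCP_DENIED/403 3980 GET http://wizhumpgyros.com/favicon.ico alice HIER_NONE/- text/html
1652345610.005      0 10.10.10.21 TCP_DENIED/407 3600 CONNECT www.example.com:443 - HIER_NONE/- text/html
1652345611.444      3 10.10.10.21 TCP_TUNNEL/200 0 CONNECT www.example.com:443 bob HIER_DIRECT/93.184.216.34 -
1652345612.000      0 10.10.10.22 TCP_DENIED/403 3980 GET http://trafficcenter.com/ carol HIER_NONE/- text/html
this line is deliberately malformed and must be counted, not crash the report
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def request_host(method: str, url: str) -> str:
    """CONNECT requests log "host:port"; other methods log a full URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or url).lower()


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["time"] = datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc)
    rec["status"] = int(m["status"])
    rec["host"] = request_host(m["method"], m["url"])
    return rec


def summarise_denied(lines: Iterable[str]) -> Dict[str, object]:
    """Count ACL blocks (TCP_DENIED/403) per client and per destination host.

    TCP_DENIED/407 is the proxy asking for credentials; every authenticating
    client produces one before its first successful request, so it is counted
    separately and not treated as a policy violation.
    """
    by_client: Counter = Counter()
    by_host: Counter = Counter()
    auth_challenges = unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["result"] != "TCP_DENIED":
            continue
        if rec["status"] == 407:
            auth_challenges += 1
            continue
        by_client[rec["client"]] += 1
        by_host[rec["host"]] += 1
    return {"by_client": by_client, "by_host": by_host,
            "auth_challenges": auth_challenges, "unparsed": unparsed}


if __name__ == "__main__":
    report = summarise_denied(SAMPLE_LOG.splitlines())
    for host, n in report["by_host"].most_common():
        print(f"{n:4d}  {host}")
    print(f"auth challenges: {report['auth_challenges']}, unparsed lines: {report['unparsed']}")
```

Run it against /var/log/squid/access.log on the firewall (or a copy shipped to your log collector). A client with a high TCP_DENIED/403 count is either hitting a blacklisted category repeatedly or running software that is not honouring policy; a high unparsed count means the logformat differs from the regex and the report cannot be trusted until that is fixed.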

How to Enable Web Filtering in OPNsense Proxy?

OPNsense performs category-based web filtering by utilizing the built-in proxy and one of the freely available or commercial blacklists. In this section, we will use Shalla's Blacklists, a collection of URL lists organized into categories and designed for URL filters such as SquidGuard or DansGuardian. They were free to use for personal and commercial purposes. Note that the Shalla's Blacklists service has since been discontinued, so the download URL used below may no longer work; the UT1 list mentioned in the info box is a maintained alternative.

info

You may also use Fabrice Prigent's UT1 "web categorization list" from the Université Toulouse 1 Capitole. It is free to use under a Creative Commons license.

Other popular web filtering lists can be found on https://github.com/maravento/blackweb.

You may enable web filtering in your OPNsense proxy service easily by following 2 main steps given below:

  1. Configure Remote Access Control List
  2. Configure Web Categories
note

We'll assume you've already configured a basic caching proxy in your OPNsense by following the instructions in the previous section.

1. Configure Remote Access Control List

To define the remote access control list in your proxy server, you may follow the following steps given below:

  1. Navigate to Services > Web Proxy > Administration.
  2. Click on the arrow next to the Forward Proxy to see the dropdown menu.
  3. Click on the Remote Access Control Lists tab.
  4. Click on the + button at the right bottom of the page to add a remote blacklist.
  5. Check the enabled option.
  6. Enter a unique Filename for storing the new blacklist, such as ShallaBlackList.
  7. Enter the URL from which to retrieve the blacklist, such as http://www.shallalist.de/Downloads/shallalist.tar.gz.
  8. Enter a Description to explain why this blacklist exists, such as ShallaBlackList for category-based web filtering.
  9. You may leave other options as default.

Adding Shalla's Blacklist for Category-based Web Filtering in OPNsense Proxy Service

Figure 30. Adding Shalla's Blacklist for Category-based Web Filtering in OPNsense Proxy Service

  10. Click Save to store the settings.
  11. Click Download ACLs & Apply to fetch and activate the newly added remote blacklist in your proxy.

Downloading & Applying Remote ACLs for Category-based Web Filtering in OPNsense Proxy Service

Figure 31. Downloading & Applying Remote ACLs for Category-based Web Filtering in OPNsense Proxy Service

2. Configure Web Categories

After downloading the remote blacklist, you may select the web categories to use by following the steps below:

  1. Click on the edit button with a pen icon next to the blacklist newly added in the Remote Access Control Lists page.
  2. By default, all web categories are selected for filtering in the categories field. Uncheck any categories to allow users to access them as you wish.

Selecting web categories to block in OPNsense proxy

Figure 32. Selecting web categories to block in OPNsense proxy

  3. Click Save to store the new settings.
  4. Click Download ACLs again to download and reconstruct the list with only the selected categories.

Testing Web Filtering Configuration

We'll assume that you left the adv category selected for blocking in the previous step. You may test your web filtering configuration by following the next steps below:

  1. Open your browser on your client's PC.
  2. Try to connect to trafficcenter.com via your browser. Since the URL is in the adv category of Shalla's Blacklist that we have added as a remote ACL in the proxy server, it should be blocked.

Accessing the Adv category is blocked in OPNsense proxy

Figure 33. Accessing the Adv category is blocked in OPNsense proxy

  3. Navigate to Services > Web Proxy > Access Log. You should see TCP_DENIED messages for the trafficcenter.com access attempt.

Viewing the Access Logs in OPNsense proxy

Figure 34. Viewing the Access Logs in OPNsense proxy

How to Enable Transparent SSL Mode in OPNsense Proxy?

You can configure your OPNsense proxy server to run in transparent mode. So that the client's browser does not need to be configured for the web proxy. All web traffic is automatically routed to the proxy via Network Address Translation.

In this section, we will explain how to configure HTTP and HTTPS (SSL bump) transparent proxy modes in the OPNsense firewall.

caution

Using a transparent HTTPS proxy can be hazardous and may be restricted by the services you use, such as e-commerce, because the transparent SSL/HTTPS proxy mode relies on a man-in-the-middle technique. Only configure and use transparent mode if you are confident in your abilities. When configured wrong, your security defenses may be severely weakened rather than strengthened.

You may enable transparent SSL mode in your OPNsense proxy service easily by following the 6 main steps given below:

  1. Create a Certificate Authority for Transparent SSL
  2. Disable Authentication for Proxy Server
  3. Enable Transparent HTTP and SSL mode
  4. Configure No SSL Bump
  5. Add NAT Firewall Rules for HTTP(S)
  6. Configure Proxy Client
note

We'll assume you've already configured a basic caching proxy in your OPNsense by following the instructions in the first section.

We will briefly explain each of the main steps for enabling transparent SSL mode in your OPNsense proxy below.

1. Create a Certificate Authority for Transparent SSL

Before enabling transparent SSL mode in your proxy server, you need to create an internal Certificate Authority under System > Trust > Authorities if you don't have one. The proxy uses this CA to issue certificates for the sites it intercepts. Its private key must never leave the firewall, and every client must trust its certificate (see the last step).

2. Disable Authentication for Proxy Server

When operating in transparent mode, proxy authentication is not possible. Because the browser is unaware that a proxy is being used, it is unable to respond to a proxy authentication request. To change the authentication method for your proxy service in OPNsense, you may follow the steps given below:

  1. Navigate to Services > Web Proxy > Administration.
  2. Click on the arrow next to the Forward Proxy to see the dropdown menu.
  3. Click on Authentication Settings.
  4. Click on the Clear All link in the Authentication method field so that no authentication method is used.

3. Enable Transparent HTTP and SSL mode

You may easily enable transparent HTTP mode by following the next steps given below:

  1. Navigate to Services > Web Proxy > Administration.
  2. Click on the General Forward Settings page on the Forward Proxy tab.
  3. Check Enable Transparent HTTP proxy option.
  4. Check Enable SSL inspection option.
  5. Click the Apply button to apply settings.

Enabling Transparent HTTP and SSL mode in OPNsense proxy

Figure 35. Enabling Transparent HTTP and SSL mode in OPNsense proxy

4. Configure No SSL Bump

To ensure that known sites are not bumped and keep their end-to-end TLS connection, you should add them, including all subdomains, to the SSL no bump sites field by following the steps given below:

  1. Navigate to Services > Web Proxy > Administration.
  2. Click on the General Forward Settings page on the Forward Proxy tab.
  3. Enter the domains into the SSL no bump sites and press Enter.
tip

To include all subdomains you must begin with a . (dot), such as .paypal.com, .google.com, .amazon.com, .hsbc.com.

warning

Make sure to include all banking sites and any site to which you submit personal or login information in this field.
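The following Python script, an added example that is not OPNsense or Squid code, reproduces the matching rule behind the SSL no bump sites field so that you can check a list before applying it: an entry with a leading dot matches the domain and all of its subdomains, an entry without one matches only that exact host, and the suffix match is not a substring match (notpaypal.com is not covered by .paypal.com). NO_BUMP is a constructed list; bank.example is included to show the missing-dot mistake.

```python
"""Splice-or-bump decision with the leading-dot rule of the SSL no bump sites list.

Added example; not OPNsense or Squid code. NO_BUMP is a constructed list in
the format of that field; "bank.example" deliberately lacks the leading dot.
"""
from typing import Iterable, List, Tuple

NO_BUMP = [".paypal.com", ".google.com", ".amazon.com", ".hsbc.com", "bank.example"]


def dstdomain_matches(pattern: str, host: str) -> bool:
    """Squid dstdomain semantics: ".x.com" matches x.com and *.x.com; "x.com" matches only x.com."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def decision(sni: str, no_bump: Iterable[str]) -> str:
    """Return "splice" (pass TLS through untouched) if the SNI is exempt, else "bump" (intercept).

    This example's policy treats a missing SNI as not exempt, so it is bumped.
    """
    if not sni:
        return "bump"
    return "splice" if any(dstdomain_matches(p, sni) for p in no_bump) else "bump"


def audit_no_bump(no_bump: Iterable[str]) -> List[Tuple[str, str]]:
    """Flag exact-host entries (missing leading dot) and entries already covered by a parent."""
    entries = list(no_bump)
    findings: List[Tuple[str, str]] = []
    for entry in entries:
        if not entry.startswith("."):
            findings.append((entry, f"exact host only; use .{entry} to cover its subdomains"))
        for other in entries:
            if other != entry and other.startswith(".") and dstdomain_matches(other, entry.lstrip(".")):
                findings.append((entry, f"already covered by {other}"))
    return findings


if __name__ == "__main__":
    for name in ["www.paypal.com", "paypal.com", "notpaypal.com", "bank.example", "www.bank.example", ""]:
        print(f"{name or '<no SNI>':20s} -> {decision(name, NO_BUMP)}")
    for entry, problem in audit_no_bump(NO_BUMP):
        print(f"audit: {entry}: {problem}")
```

At the first step of SSL bumping the only server name available is the Server Name Indication the client sends, and the client controls that value. A client can therefore present a no-bump name while connecting to an unrelated server, so treat the no-bump list as a privacy exemption for the sites you name, not as a filter, and keep the destination ACLs and the proxy-bypass firewall rules from the earlier sections in place.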

5. Add NAT Firewall Rules for HTTP(S)

You can easily add NAT firewall rules for HTTP(S) by following the steps below:

  1. Navigate to Services > Web Proxy > Administration.
  2. Click on the General Forward Settings page on the Forward Proxy tab.
  3. Click on the (i) icon on the left of the Enable Transparent HTTP proxy option.
  4. Click on the add a new firewall rule link. This will redirect you to the Firewall > NAT > Port Forward setting page.

NAT Firewall Rules for Transparent HTTP mode in OPNsense proxy-1

Figure 36. NAT Firewall Rule for Transparent HTTP mode in OPNsense proxy-1

NAT Firewall Rule for Transparent HTTP mode in OPNsense proxy-2

Figure 37. NAT Firewall Rule for Transparent HTTP mode in OPNsense proxy-2

  5. Click the Save button.
  6. Navigate to Services > Web Proxy > Administration.
  7. Click on the General Forward Settings page on the Forward Proxy tab.
  8. Click on the (i) icon on the left of the Enable SSL inspection option.
  9. Click on the add a new firewall rule link. This will redirect you to the Firewall > NAT > Port Forward setting page.

NAT Firewall Rule for Transparent SSL mode in OPNsense proxy-1

Figure 38. NAT Firewall Rule for Transparent SSL mode in OPNsense proxy-1

NAT Firewall Rule for Transparent SSL mode in OPNsense proxy-2

Figure 39. NAT Firewall Rule for Transparent SSL mode in OPNsense proxy-2

  10. Click the Save button.
  11. Click Apply Changes to activate the settings.

NAT Firewall Rules for Transparent HTTP/SSL mode in OPNsense proxy

Figure 40. NAT Firewall Rules for Transparent HTTP/SSL mode in OPNsense proxy

6. Configure Proxy Client

Since your internal CA is not trusted by the browser, you will get a warning message like Your connection isn't private. Attackers might be trying to steal your information NET::ERR_CERT_AUTHORITY_INVALID for each SSL site you visit.

ERR_CERT_AUTHORITY_INVALID warning message

Figure 41. ERR_CERT_AUTHORITY_INVALID warning message

To solve this issue, you must add the CA certificate as a trusted root CA certificate in your client OS. Export only the CA certificate (the public part); the CA's private key must stay on the firewall, because anyone holding it can issue certificates your clients will trust. You can import the certificate into a Windows 10 PC and set it as a trusted root CA certificate by following the steps given below:

  1. Navigate to System > Trust > Authorities in your OPNsense Web UI.
  2. Click on the download icon to export the CA certificate.

Exporting CA certificate in OPNsense UI

Figure 42. Exporting CA certificate in OPNsense UI

  3. Copy the CA certificate to the client PC, in our example a Windows 10 PC.
  4. You may import the CA certificate as a Trusted Root CA certificate by using the MMC tool in your Windows 10 PC. Type mmc in the search bar and press Enter to run the Microsoft Management Console.
  5. Click on the File menu and select Add/Remove Snap-in.

Add/Remove Snap-in in Microsoft Management Console

Figure 43. Add/Remove Snap-in in Microsoft Management Console

  6. Now under Available snap-ins, click Certificates, and then click Add. The Certificates snap-in allows you to browse the contents of the certificate stores for yourself, a service, or a computer.
  7. Click OK.

Adding Certificates snap-in in Microsoft Management Console

Figure 44. Adding Certificates snap-in in Microsoft Management Console

  8. In the next dialog box, select Computer account and then click Next.

Adding Certificates snap-in for Computer account

Figure 45. Adding Certificates snap-in for Computer account

  9. Now select Local computer and click on Finish.

Adding Certificates snap-in for Local Computer

Figure 46. Adding Certificates snap-in for Local Computer

  10. Now, back in MMC, in the console tree, double-click on Certificates and then right-click on the Trusted Root Certification Authorities store. Under All Tasks, select Import. This will open the Certificate Import Wizard.

Importing Certificates as Trusted Root CA

Figure 47. Importing Certificates as Trusted Root CA

Certificates Import Wizard-1

Figure 48. Certificates Import Wizard-1

  11. Click the Next button.
  12. Browse and select the CA certificate to import and then click the Next button.

Selecting Certificate file to Import in Certificates Import Wizard

Figure 49. Selecting Certificate file to Import in Certificates Import Wizard

  13. Click Next.

Selecting Certificate Store in Certificates Import Wizard

Figure 50. Selecting Certificate Store in Certificates Import Wizard

  14. Click the Finish button to complete the certificate import. After the import operation is completed successfully, a dialog box will appear.

Completing the Certificates Import Wizard

Figure 51. Completing the Certificates Import Wizard

CA Certificate Import is completed successfully

Figure 52. CA Certificate Import is completed successfully.

  15. Click OK.

Internal OPNsense CA Certificates Imported as a Trusted Root CA certificate in Windows 10 client

Figure 53. Internal OPNsense CA Certificates Imported as a Trusted Root CA certificate in Windows 10 client