=============
Caching Proxy
=============

.. image:: images/forward_proxy.png

OPNsense is equipped with a fully featured forward caching (transparent) proxy.
A caching proxy reduces bandwidth and improves response times by caching and
reusing frequently requested web pages. The Access Control Lists can be used
for user authentication and/or as a (category based) web filter.

Features include:

* Multi Interface Support
* Transparent Mode (including SSL/HTTPS)
* ICAP Support for Anti Virus/Malware Engine
* HTTP Proxy
* FTP Proxy
* User Authentication
* Access Control Lists (valid for both HTTP(S) and FTP)
* (Compressed) Blacklist
* Category Based Web Filtering
* Can be combined with traffic shaper

--------------
Authenticators
--------------

User authentication can be done using OPNsense standard and built-in authenticators.
Currently these include:

* LDAP (incl. Microsoft Active Directory)
* RADIUS
* Local user manager
* No authentication

--------------
Access Control
--------------

OPNsense supports fine-grained access control, based upon:

* Subnets
* Ports
* MIME types
* Banned IPs
* Whitelists
* Blacklists
* Browser/User Agents

------------------
Traffic Management
------------------

The proxy can be combined with the traffic shaper and take full advantage of its
shaping features. Additionally, it includes its own options:

* Maximum download size
* Maximum upload size
* Overall bandwidth throttling
* Per host bandwidth throttling

-------------------------
Category Based Web Filter
-------------------------

No need for additional plugins, such as squidGuard, as OPNsense has built-in
category based web filter support. Main features include:

* Fetch from a remote URL
* Supports flat file list and category based compressed lists
* Automatically convert category based blacklists to squid ACLs
* Keep up to date with the built-in scheduler
* Compatible with most popular blacklists

----------------
Transparent Mode
----------------

Transparent mode means all requests are diverted to the proxy without any
configuration on your client. It works very well with unsecured HTTP requests.
With secured (SSL) HTTPS connections, however, the proxy becomes a
man-in-the-middle: the client "talks" to the proxy, and the proxy encrypts
the traffic with its master key, which the client is required to trust.

.. Warning::
    Using a transparent HTTPS proxy can be a dangerous practice and may not be
    allowed by the services you use, for instance e-banking.

------------
WPAD And PAC
------------

If a transparent proxy cannot be used, OPNsense still supports automatic proxy
configuration via WPAD / PAC.

.. Warning::
    WPAD via DNS requires the web interface to run on the default HTTP port
    (TCP/80), which is also a security risk (MITM attacks). In such cases you
    should proxy the connection or avoid configuring the appliance from an
    untrusted network.

-----------------------
Configuration / How-tos
-----------------------

More information on how to utilize OPNsense's proxy service can be found in:

Proxy Basic Setup
-----------------
:doc:`how-tos/cachingproxy`

Setup Web Filtering
-------------------
:doc:`how-tos/proxywebfilter`

Setup Transparent Mode (including SSL)
--------------------------------------
:doc:`how-tos/proxytransparent`

Setup WPAD/PAC
--------------
:doc:`how-tos/pac`

Setup ICAP Anti Virus/Malware Engine
------------------------------------
:doc:`how-tos/proxyicapantivirus`