Installation of this plugin is rather easy: go to :menuselection:`System --> Firmware --> Plugins`, search for **os-OPNProxy**
and use the [+] button to install it.
Next go to :menuselection:`Services --> Web Proxy --> Access control` to start configuring policies.
.. note::
    Redis is required for this plugin to operate. When accessing the access control settings page for the first time you will be pointed to the correct
    setting to enable it directly (just enable and apply should be enough).
General
---------------------------
In order to utilise user/group based policies, the proxy needs to be able to inspect the traffic and know the identity of the
user.
Since most internet traffic is encrypted nowadays, you need to enable some form of SSL inspection in between.
When setting "Enable SSL inspection" in :menuselection:`Services --> Web Proxy --> Administration --> Forward Proxy`
you are able to use a "man-in-the-middle" approach, where the proxy intercepts the traffic and is able to filter it.
A disadvantage of this option is that your clients need to trust the firewall's certificate (the CA selected in "CA to use").
When enabled, full URL paths can be filtered.
A somewhat lighter option is to use SSL inspection with "Log SNI information only" enabled,
in which case the firewall knows which domain you are trying to visit, but cannot inspect the content of the request (or the response, for that matter).
.. note::
    When enabling "Log SNI information only", only domain based policies will be usable for SSL/TLS based requests.
The standard authentication options available in OPNsense apply, which can be configured in
It is possible to use the proxy in transparent mode, but there are some constraints and caveats to take into account when doing so.
This section explains them one by one.
* Using "Log SNI information only" is not supported in a useful way. As the browser is not aware of the proxy, it will request
  access to an IP address instead of a hostname. With full intercept mode this is not really an issue, as the next request will
  be the actual one and does contain the hostname, but without interception you can only filter on IP address, which is often not very useful.
* The client has to trust the CA which the proxy uses to automatically create certificates, which means all TLS certificates will be signed by the firewall instead of the
  certificate authority the site actually uses.
* User based authentication is not possible: as the client doesn't know it's being intercepted, the proxy cannot
  request a username and password either. OPNproxy only supports basic authentication.
.. note::
    When changing the "Log SNI information only" option, you have to restart the proxy as well. As the apply button will not