mirror of
https://github.com/opnsense/docs
synced 2024-11-17 03:25:33 +00:00
167 lines
6.0 KiB
ReStructuredText
167 lines
6.0 KiB
ReStructuredText
=============
|
||
Caching Proxy
|
||
=============
|
||
|
||
.. image:: images/forward_proxy.png
|
||
|
||
OPNsense is equipped with a fully featured forward caching (transparent) proxy.
|
||
A caching proxy reduces bandwidth and improves response times by caching and
|
||
reusing frequently-requested web pages. The Access Control Lists can be utilized
|
||
for user authentication and or as (category based) web filter.
|
||
|
||
Features include:
|
||
|
||
* Multi Interface Support
|
||
* Transparent Mode (including SSL/HTTPS)
|
||
* ICAP Support for Anti Virus/Malware Engine
|
||
* HTTP Proxy
|
||
* FTP Proxy
|
||
* User Authentication
|
||
* Access Control Lists (valid for both http(s) and ftp)
|
||
* (Compressed) Blacklist
|
||
* Category Based Web Filtering
|
||
* Can be combined with traffic shaper
|
||
|
||
--------------
|
||
Authenticators
|
||
--------------
|
||
User authentication can be done using OPNsense standard and built-in authenticators.
|
||
Currently these include:
|
||
|
||
* LDAP (incl. Microsoft Active Directory)
|
||
* Radius
|
||
* Local user manager
|
||
* No authentication
|
||
|
||
These options can be found in the :menuselection:`Web Proxy -> Administration -> Forward Proxy -> Authentication Settings` section.
|
||
|
||
--------------
|
||
Access Control
|
||
--------------
|
||
OPNsense supports fine grained access control, which can be configured in :menuselection:`Web Proxy -> Administration -> Forward Proxy -> Access Control List`
|
||
containing the following (Advanced) options:
|
||
|
||
* Subnets
|
||
* Ports
|
||
* MIME types
|
||
* Banned IP’s
|
||
* Whitelists
|
||
* Blacklists
|
||
* Browser/User Agents
|
||
|
||
|
||
------------------
|
||
Traffic Management
|
||
------------------
|
||
The proxy can be combined with the traffic shaper and take full advantage of its
|
||
shaping features. Additionally it includes its own options:
|
||
|
||
* Maximum download size
|
||
* Maximum upload size
|
||
* Overall bandwidth throttling
|
||
* Per host bandwidth throttling
|
||
|
||
These options can be found in the :menuselection:`Web Proxy -> Administration -> General Proxy Settings -> Traffic Management Settings` section.
|
||
|
||
|
||
-------------------------
|
||
Category Based Web Filter
|
||
-------------------------
|
||
No need for additional plugins, such as squidGuard - as OPNsense has built-in
|
||
category based web filter support. Main features include:
|
||
|
||
* Fetch from a remote URL
|
||
* Supports flat file list and category based compressed lists
|
||
* Automatically convert category based blacklists to squid ACLs
|
||
* Keep up to date with the built-in scheduler
|
||
* Compatible with most popular blacklist
|
||
|
||
----------------
|
||
Transparent Mode
|
||
----------------
|
||
The transparent mode means all requests will be diverted to the proxy without any
|
||
configuration on your client. Transparent mode works very well with unsecured http
|
||
requests, however with secured (SSL) HTTPS connection the proxy will become a
|
||
man-in-the-middle as the client will "talk" to the proxy and the proxy will encrypt
|
||
the traffic with its master key that the client is required to trust.
|
||
|
||
.. Warning::
|
||
Using a transparent HTTPS proxy can be a dangerous practice and may not be
|
||
allowed by the services you use, for instance e-banking.
|
||
|
||
|
||
------------
|
||
WPAD And PAC
|
||
------------
|
||
If a transparent proxy cannot be used, OPNsense still supports automatic proxy
|
||
configuration via WPAD / PAC.
|
||
|
||
.. Warning::
|
||
WPAD via DNS requires the web interface to run on the default HTTP port
|
||
(TCP/80) which is also a security risk (MITM attacks). In such cases you
|
||
should proxy the connection or avoid configuring the applicance from an
|
||
untrusted network.
|
||
|
||
-----------------------
|
||
Custom error pages
|
||
-----------------------
|
||
|
||
Error pages can be customized for your own needs.
|
||
In order to do so, go to :menuselection:`Web Proxy -> Administration -> General Proxy Settings` and select "Custom" in "User error pages",
|
||
after which an additional tab will be visible named "Error Pages".
|
||
|
||
.. raw:: html
|
||
|
||
Go to this tab and use the top download <i class="fa fa-download fa-fw"></i> icon to receive a zip file containing
|
||
all available error pages and associated cascading style sheets.
|
||
<br/><br/>
|
||
After altering the files, zip them again and upload using the file selector option <i class="fa fa-folder-o fa-fw"></i> on the same tab
|
||
followed by the upload button <i class="fa fa-upload fa-fw"></i>.
|
||
<br/><br/>
|
||
The reset <i class="fa fa-fw fa-remove"></i> button can be used to remove your custom template from the configuration, after
|
||
which the download option would return the standard OPNsense template.
|
||
|
||
|
||
There are some rules to take into account when creating custom themed error pages:
|
||
|
||
* extend the :code:`errorpage.css` file to theme your pages
|
||
* make sure error pages don't require anything else than css, images should be converted to base64 and provided inline.
|
||
Not only is this faster to handle than separate image files it also prevents rendering issues in case images can't be accessed.
|
||
* only existing error pages will be processed, if filenames won't match, the files won't be written to disk. you can use the download button
|
||
to inspect what's being deployed (it will return a combined set of custom and standard files)
|
||
* it's best not to include files that are not altered, this saves room in the configurartion and prevents defauls from being overwritten.
|
||
|
||
.. Tip::
|
||
|
||
If you only want to change the background image, it's usually enough to upload the css file in a directory and leave out all the html files.
|
||
|
||
.. Tip::
|
||
|
||
To convert images to inline base64 tags, there are quite some online tools available, which can easily be found using google.
|
||
As an example, our logo can be found in the the css file looking like :code:`background: url('data:image/svg+xml;base64,PD9...) no-repeat left;`
|
||
|
||
-----------------------
|
||
Configuration / How-tos
|
||
-----------------------
|
||
More information on how to utilize OPNsense's proxy service can be found in:
|
||
|
||
Proxy Basic Setup
|
||
-----------------
|
||
:doc:`how-tos/cachingproxy`
|
||
|
||
Setup Web Filtering
|
||
-------------------
|
||
:doc:`how-tos/proxywebfilter`
|
||
|
||
Setup Transparent Mode (including SSL)
|
||
--------------------------------------
|
||
:doc:`how-tos/proxytransparent`
|
||
|
||
Setup WPAD/PAC
|
||
--------------
|
||
:doc:`how-tos/pac`
|
||
|
||
Setup ICAP Anti Virus/Malware Engine
|
||
------------------------------------
|
||
:doc:`how-tos/proxyicapantivirus`
|