plugins
plugins copied to clipboard
opnsense
www/squid: SNI based blocking and exclude list
Hi,
This change allows SNI-based blocking of https requests. An IP exclusion list allows you to override the blocking. It's most useful when both transparent mode and SNI logging settings are enabled. E.g. you want to block sites on devices that do not have the proxy CA installed.
I tested these configurations:
transparent: enabled, bump: enabled, log only: disabled
- no bump: filled, block sni: filled, exclude ip: filled
- exlude ip: ok (not blocked by SNI, original cert in browser)
- block sni: ok (ip logged only)
- nobump : ok (original cert in browser)
- bump: ok
- no bump: filled, block sni: filled, exclude ip: empty
- block sni: ok (ip logged only)
- nobump : ok (original cert in browser)
- bump: ok
- no bump: filled, block sni: empty, exclude ip: empty
- nobump : ok (original cert in browser)
- bump: ok
- no bump: empty, block sni: filled, exclude ip: empty
- block sni : ok (ip logged only)
- bump: ok
- no bump: empty, block sni: empty, exclude ip: empty
- bump: ok
transparent: enabled, bump: enabled, log only: enabled (nobump not tested, traffic is not decrypted)
- block sni: filled, exclude ip: filled
- exlude ip: ok (not blocked by SNI, original cert in browser)
- block sni: ok (ip logged only)
- TCP_TUNNEL or CONNECT in log : ok (original cert in browser)
- block sni: filled, exclude ip: empty
- block sni: ok (ip logged only)
- TCP_TUNNEL or CONNECT in log : ok (original cert in browser)
- block sni: empty, exclude ip: empty
- TCP_TUNNEL or CONNECT in log : ok (original cert in browser)
transparent: disabled, bump: enabled, log only: disabled
- no bump: filled, block sni: filled, exclude ip: filled
- exlude ip: ok (not blocked by SNI, original cert)
- block sni: ok
- nobump : ok (original cert in browser)
- bump: ok
- no bump: filled, block sni: filled, exclude ip: empty
- block sni: ok
- nobump : ok (original cert in browser)
- bump: ok
- no bump: filled, block sni: empty, exclude ip: empty
- nobump : ok (original cert in browser)
- bump: ok
- no bump: empty, block sni: filled, exclude ip: empty
- block sni : ok
- bump: ok
- no bump: empty, block sni: empty, exclude ip: empty
- bump: ok
transparent: disabled, bump: enabled, log only: enabled (nobump not tested, traffic is not decrypted)
- block sni: filled, exclude ip: filled
- exlude ip: ok (not blocked by SNI, original cert in browser)
- block sni: ok
- TCP_TUNNEL or CONNECT in log : ok (original cert in browser)
- block sni: filled, exclude ip: empty
- block sni: ok (ip logged only)
- TCP_TUNNEL or CONNECT in log : ok (original cert in browser)
- block sni: empty, exclude ip: empty
- TCP_TUNNEL or CONNECT in log : ok (original cert in browser)
