www/opnproxy - OPNproxy doesn't work at all.
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- [x] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
- [x] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
- [x] The title contains the plugin to which this issue belongs
Describe the bug
I want to block access to everywhere except whitelisted domains or URLs (the whitelist can be different for each machine, which is why I need OPNproxy and not just Squid). I added custom policies for a specific machine. I added a deny for 192.168.10.8/32 to ".jumpserver.com", but the machine can still access the website, although the policy tester works.
To Reproduce
Steps to reproduce the behavior:
- Go to 'Access Control'
- Create custom policy
- Go back to your machine and test if it works
- See error
Expected behavior
Everything is filtered except the customized whitelist for each machine or subnet.
Relevant log files
No log was available. Otherwise I would solve the issue myself.
Additional context
I am mitigating the issue from Squid Proxy's access control page. BUT I added 100 whitelist entries and only the first few domains work; all other whitelisted domains are blocked.
Environment
OPNsense 25.7.7_4-amd64
FreeBSD 14.3-RELEASE-p4
OpenSSL 3.0.18
os-OPNProxy 1.0.5_3
os-squid 1.4
Intel(R) Xeon(R) CPU E3-1240 v5 @ 3.50GHz (4 cores, 8 threads)
Network: Mellanox CX3
I have some logs here, but they don't help much.
Access log:
2025-12-09T13:54:19-05:00 Notice squid Squid Parent: (squid-1) process 56470 started
2025-12-09T13:54:19-05:00 Notice squid Squid Parent: squid-1 process 51040 exited with status 1
2025-12-09T13:54:13-05:00 Notice squid ACL-REQ |opnproxy_ext_acl_net| |-| |192.168.100.11| |GET| |https://www.google.com/|
2025-12-09T13:54:13-05:00 Notice squid ACL-REQ |opnproxy_ext_acl_net| |-| |192.168.100.11| |CONNECT| |192.178.192.106:443|
Store log:
2025-12-09T13:54:13.727 RELEASE -1 FFFFFFFF 010000000000000060C7000001000000 0 -1 -1 -1 unknown -1/-1 CONNECT 192.178.192.106:443
2025-12-09T13:54:13.726 RELEASE -1 FFFFFFFF 020000000000000060C7000001000000 200 1765306453 -1 1765306453 text/html -1/18209 GET https://www.google.com/
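As an added example (not from this issue, and not the OPNsense or OPNproxy configuration), this is the shape of a plain squid.conf excerpt that gives each client its own domain allowlist and denies everything else; the client addresses, file paths and ACL names are assumed. Note that for HTTPS the only name Squid sees is the CONNECT host, and a CONNECT to a literal IP:port (as in the access log above) can match a dstdomain list only through a reverse DNS lookup.

```conf
# Added example (not from the issue): default-deny with a per-client allowlist.
# Addresses, file paths and ACL names below are assumed, not taken from the report.

# One src ACL per client (or subnet) that gets its own allowlist.
acl client_ws08 src 192.168.10.8/32
acl client_lab  src 192.168.100.0/24

# One dstdomain list per client. Each file holds one entry per line, e.g.
#   .example.org      (matches example.org and all of its subdomains)
#   www.example.net   (matches exactly that host)
# Squid warns at start-up about an entry that is already covered by a broader
# entry in the same list and ignores it, so keep each list free of overlaps.
acl allow_ws08 dstdomain "/usr/local/etc/squid/allow/192.168.10.8.txt"
acl allow_lab  dstdomain "/usr/local/etc/squid/allow/192.168.100.0.txt"

acl SSL_ports port 443
acl CONNECT method CONNECT

# Hygiene rule first: no tunnelling to ports other than 443.
http_access deny CONNECT !SSL_ports

# http_access rules are evaluated top down; the first match wins.
# Each client may reach only the domains in its own list.
http_access allow client_ws08 allow_ws08
http_access allow client_lab  allow_lab

# Default deny: anything not explicitly allowed above is blocked.
http_access deny all
```

Run `squid -k parse` after editing to surface ACL file errors and the overlap warnings before reloading.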
https://github.com/opnsense/plugins/blob/9d6a12d5f2c9c14c68bea14d17a4820aef2300a7/README.md?plain=1#L124
What will be the alternative?
> On December 9, 2025 8:04:45 PM UTC, Monviech left a comment (opnsense/plugins#5026):
> https://github.com/opnsense/plugins/blob/9d6a12d5f2c9c14c68bea14d17a4820aef2300a7/README.md?plain=1#L124
The most lightweight alternative would be DNS blocking with Unbound, which is in core and fully supported.
Another would be dnsmasq with ipset and firewall rules.
Another, heavier alternative, if you need full TLS inspection, is Zenarmor.
Unbound doesn't support blocking everything except a whitelist. By the way, why is Squid/OPNproxy not being maintained anymore?
Proxies are less usable these days due to encryption and growing complexity; furthermore, Squid's future maintenance has been a bit questionable for quite some time as well (see also https://joshua.hu/squid-security-audit-35-0days-45-exploits).
For these reasons we moved these parts to the community plugins and dropped active support from our end, starting with the removal of squid from our core product.