In an earlier guide, we set up an OPNsense firewall to protect our network. We installed OPNsense, a fork of pfSense, and configured its basic settings.
In this guide, “HOW TO SETUP HTTP/HTTPS WEB PROXY FILTER ON OPNSENSE”, we will go a step further and use the Squid proxy feature that comes with most open source firewall solutions to block unwanted traffic from flowing into our network or from being accessed by our users.
This guide looks at how to achieve this for HTTP/HTTPS; a later guide will consider what can be done to filter web traffic transparently and with a caching proxy.
HOW TO SETUP HTTP/HTTPS WEB PROXY FILTER ON OPNSENSE
This guide should be simple, since we have very similar experience with setting up web filtering on pfSense, IPFire, Squid, etc.
We will use the UT1 web categorization list for this guide, but feel free to use any blacklist of your choice, even commercial offerings that update their blacklists frequently.
To begin, we assume that you have a fresh install of OPNsense without any prior configuration.
Now click on Services => Web Proxy => Administration and click on the Remote Access Control List tab.
Click on the + sign to add our UT1 web categorization list. The download link is ftp://ftp.utcapitole.fr/pub/reseau/cache/squidguard_contrib/blacklists.tar.gz
Enter the details as you like, making sure to use the exact URL above in the URL field, and then click Save Changes.
Note: the filename should not contain a space or an underscore. It only accepts numbers, letters and a dot.
Click on Download ACLs. We are doing this because we want to go through our blacklist and only apply it for the categories that we want, for example adult content, ads, etc.
The download may take a while, so grab a cup of coffee or whatever works for you.
Now click on the edit button next to the description of the UT1 filter as shown below. The category field should now be populated.
Now you understand why we clicked on Download ACLs instead of Download ACLs & Apply: we may not want to block every category in the list. To select the specific categories to be blocked, click Clear All in the categories field and select the categories to be blocked one by one.
Then click Save Changes, click on Download ACLs again to download only the selected categories, and then click Apply.
It is now time to enable the proxy. To do so, click on the General Web Proxy Settings tab, tick Enable proxy and click on Apply.
Now try to access facebook.com. Site can't be reached? OK.
Try to access other websites not in the blacklist and you should have access. This proves our setup is working.
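When a site is blocked (or not blocked) unexpectedly, it helps to see which category of the downloaded list contains it. The script below is an added example, not part of OPNsense or of the original guide: it reads a UT1-style archive (blacklists/<category>/domains) and reports the categories listing a host. The sample archive, its category names and its domains are constructed, and treating an entry as covering its subdomains is an assumption of this example.

```python
import io
import tarfile

def build_sample_archive():
    """Constructed stand-in for blacklists.tar.gz (layout: blacklists/<category>/domains)."""
    sample = {
        "adult": ["adult-example.test", "another-adult.test"],
        "social_networks": ["social-example.test"],
        "publicite": ["ads.example.test"],
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for category, domains in sample.items():
            data = ("\n".join(domains) + "\n").encode()
            info = tarfile.TarInfo(f"blacklists/{category}/domains")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def load_categories(archive_bytes):
    """Return {category: set(domains)} read in memory, without extracting to disk."""
    categories = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar:
            parts = member.name.split("/")
            # Read only regular files named <category>/domains; skip links and other entries.
            if not member.isfile() or len(parts) < 2 or parts[-1] != "domains":
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            categories[parts[-2]] = {
                line.strip().lower()
                for line in text.splitlines()
                if line.strip() and not line.startswith("#")
            }
    return categories

def categories_for(host, categories):
    """List the categories that contain host or any parent domain of it (assumed matching rule)."""
    labels = host.lower().rstrip(".").split(".")
    candidates = {".".join(labels[i:]) for i in range(len(labels))}
    return sorted(c for c, domains in categories.items() if candidates & domains)

if __name__ == "__main__":
    cats = load_categories(build_sample_archive())
    for host in ("www.social-example.test", "ads.example.test", "example.org"):
        print(host, "->", categories_for(host, cats) or "not listed")
```

To run it against the real list, pass the bytes of the downloaded blacklists.tar.gz to load_categories instead of the constructed archive.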
Prevent Bypassing Proxy Setup
To prevent users from bypassing the proxy, create a firewall rule for HTTP and HTTPS as shown below and click Save.
Make sure to move the HTTP and HTTPS rule to the top of the firewall rules, immediately under the anti-lockout rule.
This completes our “HOW TO SETUP HTTP/HTTPS WEB PROXY FILTER ON OPNSENSE”.
Stay tuned for more OPNsense guides.