Netgate Discussion Forum

Can I configure pfSense to act as a proxy server?

  • M Offline
    mauro.tridici
    last edited by Mar 10, 2023, 12:46 PM

    Dear Users,

    my boss asked me to identify a solution in order to deploy a proxy server.
    The proxy server should allow the corporate users (working from different world locations) to reach a predefined list of web sites (after adjusting their browser settings accordingly).

    In other words, corporate users that are working from office can easily be authorised to reach the web sites mentioned above through the public IP of our pfsense gateway/firewall.

    But, for the users that are working from home, I should activate a proxy server (and it should be authorised as well to reach the web sites).

    Is there a way to do it in a single shot, using the same/existing pfsense gateway/firewall?

    Thank you in advance for the help,
    Mauro

    J 1 Reply Last reply Mar 10, 2023, 1:25 PM Reply Quote 0
    • J Offline
      johnpoz LAYER 8 Global Moderator @mauro.tridici
      last edited by Mar 10, 2023, 1:25 PM

      @mauro-tridici said in Can I configure pfSense to act as a proxy server?:

      corporate users that are working from office can easily be authorised to reach the web sites mentioned above through the public IP of our pfsense gateway/firewall.

      That sounds more like you want corp users at home to be able to get to intranet sites hosted in the company network. That sounds more like you want a vpn.

      Or are you wanting to say allow your corp users on the corp network from going to say www.amazon.com, but allow them to go to www.cnn.com?

      And you also want to keep corp users at home from going to amazon but allow cnn?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07 | Lab VMs 2.8, 25.07

      M 1 Reply Last reply Mar 10, 2023, 2:52 PM Reply Quote 1
      • M Offline
        mauro.tridici @johnpoz
        last edited by Mar 10, 2023, 2:52 PM

        @johnpoz thank you for your reply.

        I think I'm in the second case.
        I will try to describe the scenario with an example.

        Imagine you have 3 web sites that every corporate user needs to reach:

        www.website1.com
        www.website2.com
        www.website3.com

        So, users that are working from office can reach them using current pfsense gateway/firewall (with public IP x.x.x.x)
        IP x.x.x.x will be authorised (by the web sites admin) to reach the web sites.

        corporate_users_from_LAN -> (private IP) corporate GW/FW (public IP)-> web sites

        Users that are working from home should reach the web sites only through the proxy server (that I would like to activate on the same pfsense GW/FW mentioned above).

        corporate_users_from_home -> (public IP) corporate GW/FW (public IP) -> web sites

        The websites admin should authorise only the pfsense GW/FW public IP.

        Do you think that it can be done using the current and running pfsense instance?
        What are the best practices in this case/scenario?

        Thank you in advance,
        Mauro

        J 1 Reply Last reply Mar 10, 2023, 2:59 PM Reply Quote 0
        • J Offline
          johnpoz LAYER 8 Global Moderator @mauro.tridici
          last edited by Mar 10, 2023, 2:59 PM

          @mauro-tridici if I want users out of the public internet (corp users at home) to get to my corp websites hosted on the corp network I would use a vpn..

          You could limit where these vpn users can go via simple firewall rules in pfsense, or your websites if running their own firewall could allow the specific range of IPs these vpn clients would get.

          Not only does this allow access to your websites, it would also allow if you want any other access to resources on the corp network. Also the vpn auth method is way more secure than just some proxy access with a password, etc.

          I mean sure you can set up a reverse proxy on pfsense with the haproxy, and auth your users to that.. But vpn would be a much more robust and secure method of letting road warriors access your company resources.


          M 1 Reply Last reply Mar 10, 2023, 3:12 PM Reply Quote 0
          • M Offline
            mauro.tridici @johnpoz
            last edited by Mar 10, 2023, 3:12 PM

            @johnpoz sorry, but the websites are not corp websites hosted on the corp network. They are public websites owned by other people.

            In other words, I would like to reach these websites only passing through a proxy server owned by our corporate.

            M 1 Reply Last reply Mar 10, 2023, 3:13 PM Reply Quote 0
            • M Offline
              mauro.tridici @mauro.tridici
              last edited by Mar 10, 2023, 3:13 PM

              @mauro-tridici I don't know if it is correct... but it seems that the service I would like to implement is called "transparent proxy"... but I'm not sure, I'm still reading

              J 2 Replies Last reply Mar 10, 2023, 3:16 PM Reply Quote 0
              • J Offline
                johnpoz LAYER 8 Global Moderator @mauro.tridici
                last edited by Mar 10, 2023, 3:16 PM

                @mauro-tridici so you want some home user to access www.website1.com that limits who can access to corp IPs.

                Vpn would be a better solution to allow users to come from a corp network when not on the corp network..

                User connects to the corp vpn, and then routes traffic through this vpn to get to xyz, be that on the corp network or off the corp network. Traffic to something off the corp network would be coming from a corp IP.


                M 1 Reply Last reply Mar 10, 2023, 3:36 PM Reply Quote 1
                • J Offline
                  johnpoz LAYER 8 Global Moderator @mauro.tridici
                  last edited by johnpoz Mar 10, 2023, 3:36 PM

                  @mauro-tridici said in Can I configure pfSense to act as a proxy server?:

                  mplement is called "transparent proxy".

                  no that is not what you want - a transparent proxy is something that intercepts traffic and proxies it... For your thing to work you would need the client to have an explicit proxy setup - where they send traffic trying to go to www.website.com to your proxy.


                  1 Reply Last reply Reply Quote 1
                  • M Offline
                    mauro.tridici @johnpoz
                    last edited by Mar 10, 2023, 3:36 PM

                    @johnpoz said in Can I configure pfSense to act as a proxy server?:

                    Traffic to something off the corp network would be coming from a corp IP.

                    this sentence wins.
                    thank you very much for your support.

                    in any case, for informational purposes only, is this the "other not recommended" solution (transparent proxy solution)?

                    https://docs.netgate.com/pfsense/en/latest/recipes/http-client-proxy-transparent.html

                    J 1 Reply Last reply Mar 10, 2023, 3:37 PM Reply Quote 0
                    • J Offline
                      johnpoz LAYER 8 Global Moderator @mauro.tridici
                      last edited by Mar 10, 2023, 3:37 PM

                      @mauro-tridici see my last post - no a transparent proxy would not work for what you want.. How would the proxy even see the traffic to intercept it?


                      M 1 Reply Last reply Mar 10, 2023, 3:40 PM Reply Quote 0
                      • M Offline
                        mauro.tridici @johnpoz
                        last edited by Mar 10, 2023, 3:40 PM

                        @johnpoz you are right.. sorry but I'm a newbie and I'm still trying to study and understand a lot of things :)

                        J 1 Reply Last reply Mar 10, 2023, 3:47 PM Reply Quote 0
                        • J Offline
                          johnpoz LAYER 8 Global Moderator @mauro.tridici
                          last edited by Mar 10, 2023, 3:47 PM

                          @mauro-tridici while you could set up a proxy on pfsense with haproxy, I really wouldn't go that route. If you want remote users to look like they come from your corp network, I would vpn them into your network, and route whatever traffic you want to come from a corp IP to something out on the internet through the vpn.


                          1 Reply Last reply Reply Quote 1
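
An added example, not part of any post in this thread: a minimal PAC (proxy auto-config) file for the explicit proxy setup described above, where the client itself sends requests for the listed sites to the proxy and everything else goes out directly. The proxy address `proxy.corp.example:3128` is a hypothetical placeholder, and the hostnames are the placeholders used in the thread.

```javascript
// Added example: PAC file for an explicit (client-configured) proxy.
// Assumption: proxy.corp.example:3128 is a hypothetical proxy listener.
var CORP_PROXY = "PROXY proxy.corp.example:3128";

// Placeholder hostnames taken from the thread.
var PROXIED_HOSTS = [
  "www.website1.com",
  "www.website2.com",
  "www.website3.com"
];

// Lower-case the host and drop one trailing dot so that
// "WWW.Website1.com." is treated the same as "www.website1.com".
function normalizeHost(host) {
  var h = String(host || "").toLowerCase();
  if (h.charAt(h.length - 1) === ".") {
    h = h.slice(0, -1);
  }
  return h;
}

// Exact match only. A substring or suffix test would also send
// look-alike names such as "www.website1.com.example.net" or
// "notwww.website3.com" through the corporate proxy.
function isProxiedHost(host) {
  return PROXIED_HOSTS.indexOf(normalizeHost(host)) !== -1;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  if (isProxiedHost(host)) {
    // No "; DIRECT" fallback: if the proxy is unreachable the request
    // fails instead of leaving from the user's home IP.
    return CORP_PROXY;
  }
  return "DIRECT";
}
```

A proxy listener reachable from the internet has to authenticate its users, which is the part the thread argues a VPN handles more robustly.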