Solved "PF + Transparent Bridge + Squid" finally working on FreeBSD 12.1(for OPNsense 12.7_7)

[jcem]

If you want to know the solution, then you should read to the end.
- First half is about my environment, trial & failures.
- There are solutions at the end.

====
Plz help me guys.

* I'm working on PF + Transparent Bridge + Squid(4.13) for 10 weeks.
I've read thousands web pages(including this FreeBSD/Networking forum), but it was not solved & stuck at the end.
This is my first FreeBSD project.

* I want to build the reverse transparent proxy for web-content-filtering system
(not just url-based, but content-based, ie. text/html or .doc, .zip ...)
I've setuped transparent bridge firewall and it worked well, but squid proxy is not working.
I've found numorous articles about 10-14 years on "not working" or "working for me" but thats all.
I have no clue anymore, currently.

If squid transparent proxy is runnable, I'll adapt ICAP & ClamAV for web-content-filtering.
Actually I've already tested these functionalities.

* PF redirect web traffic to 127.0.0.1:3128 but squid can't accept that traffic.
So I've tested with net cat using nc -l 127.0.0.1 3128 with squid disabled.
Currently, I suspect the bug or unsupported functionality of PF about local forwarding.
Forwarding to remote systems are working well.
So I usally tested various PF rules.
rdr-to(not supported anymore), rdr on, rdr pass, divert-to.
I tested filtering rules with or without route-to lo0 but nothings changed.

* This is my working environment(115.xxx.xxx.0/24 same public-ip-network).
{Internet}
|
{router/gateway - 115.xxx.xxx.1 - ISP provided}
|
{Dev Macine - 115.xxx.xxx.111}
|
{FreeBSD FireWall with OPNsense/squid/PF using transparent bridge - 115.xxx.xxx.62}
|
{Test Web Sever -115.xxx.xxx.64}

* All the 3 machines resides in same network & use same gateway
{FreeBSD FireWall}'s igb1 interface is wired to {Dev Macine - 115.xxx.xxx.111}
{FreeBSD FireWall}'s igb0 interface is wired to {Test Web Sever - 115.xxx.xxx.64}
{FreeBSD FireWall}'s bridge0(115.xxx.xxx.62) interface has igb1 & igb0 interfaces as a member

All the above IPs are public IP.

* kldstat, ipdivert.ko(and ipfw.ko why?) loaded on boot for divert-to rule
> kldstat
Id Refs Address Size Name
...
3 1 0x0 f998 if_bridge.ko
4 2 0x0 72a8 bridgestp.ko
...
9 3 0x0 582f0 pf.ko
10 1 0x0 2af8 pflog.ko
11 1 0x0 ebd0 pfsync.ko
12 1 0x0 5708 ipdivert.ko
13 2 0x0 49ab0 ipfw.ko
...

* system options - for pfil_member, pfil_bridge
> sysctl -a | grep -i net.link.bridge
net.link.bridge.ipfw: 0
net.link.bridge.allow_llz_overlap: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 1
net.link.bridge.pfil_member: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_bridge: 1
net.link.bridge.pfil_onlyip: 0

* listen states
> netstat -a | grep -i listen
...
tcp6 0 0 localhost.3128 *.* LISTEN
tcp4 0 0 localhost.3128 *.* LISTEN
tcp4 0 0 OPNsense.3128 *.* LISTEN
tcp6 0 0 localhost.3129 *.* LISTEN
tcp4 0 0 localhost.3129 *.* LISTEN
...

* /dev/pf permission for squid(client(=source) address resolution for PF rdr rule?)
cat /etc/devfs.conf
#/dev/pf
perm pf 0640
own pf root:squid

* squid.conf
> cat /usr/local/etc/squid/squid.conf
...
# I've tested by changing "intercept" to "tproxy" manually, but not worked.
...
http_port 127.0.0.1:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
http_port [::1]:3128 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
https_port 127.0.0.1:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
https_port [::1]:3129 intercept ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
...

* test secenario 1 - without packet redirection - works well.
# on 115.xxx.xxx.111
> curl -v http://115.xxx.xxx.64/index.html
...

* test secenario 2 - with packet redirection - always failed.
# on 115.xxx.xxx.111
> curl -v http://115.xxx.xxx.64/index.html
* Trying 115.xxx.xxx.64...
* TCP_NODELAY set
* connect to 115.xxx.xxx.64 port 80 failed: Timed out
* Failed to connect to 115.xxx.xxx.64 port 80: Timed out
* Closing connection 0
curl: (7) Failed to connect to 115.xxx.xxx.64 port 80: Timed out

* I've tested with 3 rule-sets, and all the rule sets are not working.
method 1 - rdr on ... + pass in ...
method 2 - rdr pass ... and no filtering rule
method 3 - no rdr rull & pass in [route-to lo0] ... divert-to ...

I dumped packets using tcpdump on every interfaces of 3 machines.
Here are test results.
Only SYN packets(with same SEQ number for retry) are deliverd and no accept from 127.0.0.1:3128.

- rule-set 1, 2 error results.
* packets go through .111 -> igb1 -> bridge0 -> ibg0 -> .64 always, bypassing lo0
5 SYN packets fired from .111 to igb1 of .62.
5 SYN packets arrived to bridge0
* only first packet logged to pflog0 and no packet delivered to lo0 - so squid(or nc -l 127.0.0.1 3128) can't accept.
5 SYN packets(DEST IP/PORT changed to 127.0.0.1:3128) arrived to igb0
5 SYN arrived(DEST IP/PORT changed to 127.0.0.1:3128) arrived to .64

pftop -ss | grep 115.xxx.xxx.64:80 shows below line
all tcp 127.0.0.1:3128 (115.xxx.xxx.64:80) <- 115.xxx.xxx.111:2066 CLOSED:SYN_SENT

- rule-set 3 error result
* packets go through .111 -> igb1 -> bridge0[no further delivery], always bypassing lo0
5 SYN packets fired from .111 to igb1 of .62.
5 SYN packets arrived to bridge0
* only first packet logged to pflog0 and no packet delivered to lo0 - so squid(or nc -l 127.0.0.1 3128) can't accept.
0 SYN packets arrived to igb0 & .64

pftop -ss | grep 115.xxx.xxx.64:80 shows below line
all tcp 115.xxx.xxx.64:80 <- 115.xxx.xxx.111:2066 CLOSED:SYN_SENT

- currently I'm testing method 3(divert-to) but why ipfw.ko loaded?
ipdivert.ko only works with ipfw?

* Is there any possibility HardenedBSD causes the error?
OS system is FreeBSD but HardenedBSD is applied.
> uname -a
FreeBSD OPNsense.localdomain 12.1-RELEASE-p11-HBSD FreeBSD 12.1-RELEASE-p11-HBSD #0 74f1f081a1e(stable/20.7)-dirty: Fri Dec 4 13:40:15 CET 2020 root@sensey64:/usr/obj/usr/src/amd64.amd64/sys/SMP amd64

* PF redirection rule file - rules.txt, by running pfctl -x loud -f rules.txt

## DEFs
lan="115.xxx.xxx.111/32"
web="115.xxx.xxx.64/32"

## OPTIONs
set block-policy return

## NORMALIZATIONs
scrub on lo0 all
scrub on igb0 all
scrub on bridge0 all
scrub on igb1 all

#scrub in all
#scrub on igb1 all reassemble tcp
#...

## QUEUEINGs

## NATs/RDRs

# method 1 - rdr on - not working.
#rdr log on igb1 inet proto tcp from $lan to $web port 80 -> 127.0.0.1 port 3128 # rdr 3128 igb1

# method 2 - rdr pass - not working.
#rdr pass log on igb1 inet proto tcp from $lan to $web port 80 -> 127.0.0.1 port 3128 # rdr pass 3128 igb1

# method 3 - no rdr, just use diver-to at below

# FILTERINGs
#set skip on lo0
#antispoof quick for bridge0

# syntax err - rdr-to - not working
#pass in log quick on igb1 route-to lo0 inet proto tcp from $lan to $web port 80 rdr-to 127.0.0.1 port 3128 keep state label "rdr-to 3128" # rdr-to 3128

# method 1 - pair to rdr on - not working.
#pass in log quick route-to lo0 inet proto tcp from any to 127.0.0.1 port 3128 keep state label "to 3128" # to 3128

# method 2 - pair to rdr pass - not working & no rule required

# method 3 - no rdr - not working
pass in log quick inet proto tcp from $lan to $web port 80 divert-to 127.0.0.1 port 3128 keep state label "divert-to 3128" # divert-to 3128

# 22, 8080, 8443 management port
pass in quick inet proto tcp from any to any port {22,8080,8443} keep state label "allow 22, 8080, 8443" # allow 22, 8080, 8443

pass out quick

#block log all label "block all" # block all

 

[SirDice]

OPNSense is a derivative.

GhostBSD, pfSense, TrueNAS, and all other FreeBSD Derivatives

 

[jcem]

OPNSense is a derivative.

GhostBSD, pfSense, TrueNAS, and all other FreeBSD Derivatives

Yes, I know OPNsense is a derivative.
But my problem is almost about FreeBSD, PF, squid.
OPNsense is FreeBSD+HardenedBSD kernel + UI or Configurator for (PF, squid, ...)
I've tested using my own simplified pf.conf & squid.conf.
So it's about FreeBSD, I think^^
Thanks.

 

[jcem]

I have an idea to try.

The situcation are like below
1. PF can't redirect traffic to localhost in transparent/bridge.
2. PF can traffic to other machines in transparent/bridge.
3. Squid should be in Firewall machine itself.

So I'll change network diagrams like below.
* before
{Internet} --- {Dev Macine} --- {<ext_if> -- FreeBSD FireWall/bridge -- <int_if>} --- {Test Web Sever}

* after
- pf will redirect traffic to the IP asigned to <add_if>
{Internet} --- {Dev Macine} --- {<ext_if> -- FreeBSD FireWall/bridge -- <int_if> + <add_if - wired to {internal - hub or switch}>} --- {internal - hub or switch} --- {Test Web Sever}
- squid will filter via <add_if>

This idea will be ok, maybe...
And need extra 1 IP & 1 NIC

 

[jcem]

I have an idea to try.

The situcation are like below
1. PF can't redirect traffic to localhost in transparent/bridge.
2. PF can traffic to other machines in transparent/bridge.
3. Squid should be in Firewall machine itself.

So I'll change network diagrams like below.
* before
{Internet} --- {Dev Macine} --- {<ext_if> -- FreeBSD FireWall/bridge -- <int_if>} --- {Test Web Sever}

* after
- pf will redirect traffic to the IP asigned to <add_if>
{Internet} --- {Dev Macine} --- {<ext_if> -- FreeBSD FireWall/bridge -- <int_if> + <add_if - wired to {internal - hub or switch}>} --- {internal - hub or switch} --- {Test Web Sever}
- squid will filter via <add_if>

This idea will be ok, maybe...
And need extra 1 IP & 1 NIC

It's not working, sadly.

PF changes destionation IP-ADDR & PORT but no change in MAC-ADDR.
So transalted packets goto original destination machine in Layer 2 routing model using MAC-ADDR.
But original destination can't understand that translated ###:3128.

So why rdr on(rdr pass) rule doesn't change MAC-ADDR?
I think transparent bridge means layer 2 bridge, am I wrong?

Is there any way to translate destionation MAC-ADDR too?
PF can't refer the ARP table???

I need any hint..
Plz let me know anything.
Thanks

 

[SirDice]

I think transparent bridge means layer 2 bridge, am I wrong?

Any type of bridge(4) is layer 2. That's the whole point of a bridge: https://en.wikipedia.org/wiki/Bridging_(networking)

PF can't refer the ARP table???

pf.conf(5):

     pf(4) has the ability to block and pass packets based on attributes of
     their layer 3 (see ip(4) and ip6(4)) and layer 4 (see icmp(4), icmp6(4),
     tcp(4), udp(4)) headers.

 

[ampshock]

From what I can tell I have only been able to get squid to filter DNS names and IP addresses so I’m not sure how to help you with zip and .doc. In another post someone said Dansgardian.

It's easier to setup a content filtering proxy. In the past i was using transparent proxy sqiud+dansgardian to filter web sites based on keywords plusYou can check www/e2guardian

So far everything seems to be working.
Thank you for your help obsigna and VladiBG.

I tried making a small tutorial on my website for setting up a squid transparent proxy on FreeBSD 12.0 using PF.
http://ampshock.com/blog/procedure-squid-freebsd.html

 

[jcem]

I'm building FreeBSD 2.1 kernel, now.

1. I currently, think "rdr on" & "rdr pass" rules are not adequite for trans parent bridge filtering.
Because translated/redirected packets always go to opposite interface with no MAC-ADDR translation.

2. "divert-to" rule may be right one to handle this situation.
Because divert-to'ed packets don't pass to opposite interface, if ipdivert.ko kernel modul loaded.
Just dropped after the IP/PORT translation.
(If ipdivert.ko is not loaded, then divert-to rule is just ignored & pass to the opposite interface too)

So I'll debug ipdivert.ko & pf.ko to solve this problem.
It is the last trial to fix this problem.
Additionally I want to break the ipdivert.ko dependency for ipfw.ko, I hope so.

Any hints are welcome.
Good luck to me.

 

[jcem]

I'm building FreeBSD 2.1 kernel, now.

1. I currently, think "rdr on" & "rdr pass" rules are not adequite for trans parent bridge filtering.
Because translated/redirected packets always go to opposite interface with no MAC-ADDR translation.

2. "divert-to" rule may be right one to handle this situation.
Because divert-to'ed packets don't pass to opposite interface, if ipdivert.ko kernel modul loaded.
Just dropped after the IP/PORT translation.
(If ipdivert.ko is not loaded, then divert-to rule is just ignored & pass to the opposite interface too)

So I'll debug ipdivert.ko & pf.ko to solve this problem.
It is the last trial to fix this problem.
Additionally I want to break the ipdivert.ko dependency for ipfw.ko, I hope so.

Any hints are welcome.
Good luck to me.

"divert-to" is not a solution.

ip_divert.c(or in pf) implementation has a bug(port number problem: network vs host byte-order) but it's not the main issue.
divert-to'ed packets are only available with socket(AF_INET, SOCK_RAW, IPPROTO_DIVERT);
And squid create socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

So I'll try "rdr pass" rule next.
(https://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf)

 

[jcem]

I finally succeded "Transparent Bridge Content Filtering" with PF, squid & icap.
I'll write other things, I've tried, later.
Currently, too busy^^

> uname -a  # OPNsense 20.7.7
FreeBSD OPNsense.localdomain 12.1-RELEASE-p11-HBSD FreeBSD 12.1-RELEASE-p11-HBSD #0  74f1f081a1e(stable/20.7)-dirty: Fri Dec  4 13:40:15 CET 2020     root@sensey64:/usr/obj/usr/src/amd64.amd64/sys/SMP  amd64

> squid --version
Squid Cache: Version 4.13
Service Name: squid

This binary uses OpenSSL 1.1.1i  8 Dec 2020. For legal restrictions on distribution see https://www.openssl.org/source/license.html
# important => '--with-pthreads' '--disable-ipf-transparent' '--disable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf'
# I build for debuging. only debug settings changed.
configure options:  '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--without-gnutls' '--with-included-ltdl' '--enable-auth' '--enable-zph-qos' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--disable-arch-native' '--disable-strict-error-checking' '--enable-eui' '--enable-cache-digests' '--enable-delay-pools' '--disable-ecap' '--disable-esi' '--enable-follow-x-forwarded-for' '--with-mit-krb5=/usr/local' 'CFLAGS=-I/usr/local/include -pipe  -DHARDENEDBSD -I/usr/local/include -I/usr/local/include -fsanitize=safe-stack -g -fstack-protector-all -DLDAP_DEPRECATED -fno-strict-aliasing ' 'LDFLAGS=-L/usr/local/lib  -L/usr/local/lib -L/usr/local/lib -pthread -L/usr/local/lib -lpcreposix -lpcre -Wl,-rpath,/usr/local/lib:/usr/lib -fsanitize=safe-stack -Wl,-rpath,/usr/local/lib -fstack-protector-all ' 'LIBS=-lkrb5 -lgssapi_krb5 ' 'KRB5CONFIG=/usr/local/bin/krb5-config' 'krb5_config=/usr/local/bin/krb5-config' '--enable-htcp' '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups' '--enable-ipv6' '--enable-kqueue' '--with-large-files' '--enable-http-violations' '--without-nettle' '--enable-snmp' '--enable-ssl' '--with-openssl=/usr/local' '--enable-security-cert-generators=file' 'LIBOPENSSL_CFLAGS=-I/usr/local/include' 'LIBOPENSSL_LIBS=-lcrypto -lssl' '--enable-ssl-crtd' '--disable-stacktraces' '--disable-ipf-transparent' '--disable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf' '--enable-forw-via-db' '--enable-wccp' '--enable-wccpv2' '--enable-auth-basic=LDAP SASL DB SMB_LM NCSA PAM POP3 RADIUS fake getpwnam' '--enable-auth-digest=eDirectory LDAP file' '--enable-external-acl-helpers=LDAP_group eDirectory_userip file_userip unix_group delayer kerberos_ldap_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake SMB_LM' '--enable-storeio=aufs diskd rock ufs' '--enable-disk-io=DiskThreads DiskDaemon AIO Blocking IpcIo Mmapped' '--enable-log-daemon-helpers=file DB' '--enable-url-rewrite-helpers=fake LFS' '--enable-storeid-rewrite-helpers=file' '--enable-security-cert-validators=fake' '--disable-optimizations' '--enable-debug-cbdata' '--prefix=/usr/local' '--mandir=/usr/local/man' '--disable-silent-rules' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.1' 'build_alias=amd64-portbld-freebsd12.1' 'CC=cc' 'CPPFLAGS=-I/usr/local/include -I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-pipe -DHARDENEDBSD -I/usr/local/include -I/usr/local/include -fsanitize=safe-stack -g -fstack-protector-all -DLDAP_DEPRECATED -fno-strict-aliasing  -DHARDENEDBSD -fsanitize=safe-stack ' 'CPP=cpp' --enable-ltdl-convenience

* pf.conf

# run this rule file, ex) pfctl -f rules.txt
lan="115.xxx.xxx.111/32"
web="115.xxx.xxx.64/32"

# below scrub on {interfacess} need "all fragment reassemble" options - critical
scrub on igb1 all fragment reassemble
scrub on bridge0 all fragment reassemble
scrub on lo0 all fragment reassemble
scrub on igb0 all fragment reassemble

# only "rdr on" & "pass in route-to lo0" combination is ok - critical
rdr log on igb1 inet proto tcp from $lan to $web port 80 -> 127.0.0.1 port 3128 # rdr 3128 igb1

#rdr pass failed. - https://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf say about "rdr pass", but not working for me
#rdr pass log on igb1 inet proto tcp from $lan to $web port 80 -> 127.0.0.1 port 3128 # rdr pass 3128 igb1

# below is important, for redundant processing, actually not working if omitted - critical
set skip on lo0

# someone said exec "pass in on for each interfaces, one by one" - not sure, currently
pass in on igb1
pass in on bridge0
pass in on lo0
pass in on igb0

# below is required with "rdr on" - critical
pass in log quick route-to lo0 inet proto tcp from any to 127.0.0.1 port 3128 keep state label "to 3128" # to 3128

# below divert-to syntax is not working.
# pass in log quick on igb1 route-to lo0 inet proto tcp from $lan to $web port 80 divert-to 127.0.0.1 port 3128 keep state label "divert-to 3128" # divert-to 3128

# 22, 8080, 8443 management port
pass in quick inet proto tcp from any to any port {22,8080,8443} keep state label "allow 22, 8080, 8443" # allow 22, 8080, 8443

pass out quick

* squid(v 4.13) settings
normal squid settings will be ok, except few things about acl & https.
see below

* Bridge settings
no IP(but not necessary) for WAN & LAN
IP assigned to brdige

> sysctl -a | grep -i link.bridge.

net.link.bridge.ipfw: 0
net.link.bridge.allow_llz_overlap: 0
net.link.bridge.inherit_mac: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 1
net.link.bridge.pfil_member: 1
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.pfil_onlyip: 0

> sysctl -a | grep -i forward

kern.smp.forward_signal_enabled: 1
net.inet.ip.forwarding: 1
net.inet6.ip6.forwarding: 1
# below 2 net.pf.share_forward => pf will share forward settings with ipfw??? should be disabled(=0) - critical
net.pf.share_forward6: 0
net.pf.share_forward: 0

* /dev/pf permission for squid => critical

> vi /etc/devfs.conf
/dev/pf permission for squid
own     pf      root:squid
perm    pf      0640

* kernel module debugging - Actually this is not required, just for debugging
[code]
> cd /tmp/working/folder
> rm -f pf.ko
# kernel module could be built in another normal FreeBSD machine for OPNsense.
> scp root@115.xxx.xxx.79:/usr/obj/usr/src/amd64.amd64/sys/SMP/modules/usr/src/sys/modules/pf/pf.ko .
> pfctl -d
> kldunload pflog
> kldunload pfsync
# sometimes "kldunload pf" cause system reboot, I don't know why
> kldunload pf

> cp pf.ko /boot/kernel/pf.ko
> kldxref /boot/kernel

> kldload pf
> kldload pfsync
> kldload pflog
> pfctl -e
> kldstat
> tail /etc/devfs.conf
> service devfs restart
> pfctl -x loud -f "pf.conf.rule.file"
[/code]

 

[jcem]

I succeded transparent https filtering in bridge environment, also, using icap on OPNsense.

Now I'm importing certificate signed by ROOT-CA(no private/self-singed certificate creation).
I imported successfully(???) but not working well.
Squid always say "Error negotiating SSL connection on FD 13: error:00000001:lib(0):func(0):reason(1) (1/-1)"

I need any hints about this ssl certification problem.

And if something is not clear in above contents, don't hesitate to say about that.
I'll write full articles later, maybe in 1-2 months.

 

[jcem]

I finally succeded all the settings for "transparent bridge web contents filtering system including https"
Here is the layout of the system(like mixed version? forward proxy + reverse proxy)

<code>
[user web browser]
|
[internet]
|
[router/firewall]
|
[my OPNsense 12.7.7 web filtering system - with i-cap for content filtering]
|
[switch]
|
[homepages http or https]
</code>

[I setuped below features]
* transparent bridge
no network modification (IP, firewall, ...) needed for current systems.
* forward proxy but located before the homepages as like reverse proxy.
no reverse proxcy required like HAProxy or ngnix
* icap + modifid virus_scan filter(for clamav) for filter web(text/html, web form) & document(.doc, .zip, ...) content filtering.
* upload/download filtering
* https support with no ssl warning by importing Certificate signed by global Root-CA

[I've changed below files to archieve my goal, see above comments]
* pf.conf(or /tmp/rules.debug in OPNsense by changing /usr/local/etc/inc/filter.inc) - to redirect packets to local squid
* squid.conf - for https certificate support with no ssl-warning(in OPNsense by changing /usr/local/opnsense/service/templates/OPNsense/Proxy/squid.conf)
* OPNsense *.php files - to write customized .conf files(pf & squid confs)
* i-cap module - 1 line(buffer size increment, for html content modification, original version allow only 8KB for filtering message)
* virus_scan.so - many sources changed, but not general purpose

 

[jcem]

I succeded transparent https filtering in bridge environment, also, using icap on OPNsense.

Now I'm importing certificate signed by ROOT-CA(no private/self-singed certificate creation).
I imported successfully(???) but not working well.
Squid always say "Error negotiating SSL connection on FD 13: error:00000001:lib(0):func(0):reason(1) (1/-1)"

I need any hints about this ssl certification problem.

And if something is not clear in above contents, don't hesitate to say about that.
I'll write full articles later, maybe in 1-2 months.

Iv'e added 3 lines in squid.conf for my system to act like as reverse proxy before web services.
I've changed just 1 line in squid.conf for certificate signed global Root-CA, and 1 line for /usr/ports/www/squid/work/squid-4.13/src/client_side.cc.
And finally the ssl warnings gone.
* squid.conf
# you can edit "/usr/local/opnsense/service/templates/OPNsense/Proxy/squid.conf" in OPNsense for "Automatic generated configuration for Squid"
# so you don't need to edit manually

# My system is not forward proxy & it acts like as reverse proxy before web-services.
# Below 3 lines are required, at top of squid.conf.
# So every external/anonymous users should be allowed.
http_access allow all
adaptation_access response_mod allow all
adaptation_access request_mod allow all

#https_port 127.0.0.1:3129 intercept ssl-bump cert=/root/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on
# My system is not forward proxy & it acts like as reverse proxy before web-services.
# So https certification is not for anonymous sistes(in that case, few/internal users can accept private root CA).
# Https certification is ristricted only for internal web services(So every anonymous/external users can't accept private root CA)
# changed last 'generate-host-certificates' option from 'on' to 'off'.
https_port 127.0.0.1:3129 intercept ssl-bump cert=/root/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=off

/usr/ports/www/squid/work/squid-4.13/src/client_side.cc
# you can compile & debug squid, see "https://forums.FreeBSD.org/threads/www-squid-how-to-debug-squid-and-1-simple-error-in-source.78281/"

void
ConnStateData::postHttpsAccept()
{
    if (0 && port->flags.tunnelSslBumping) { // jcem - disable flags.tunnelSslBumping, just use staticContext
        //...
        return;
    } else {
        httpsEstablish(this, port->secure.staticContext);
    }
}

Currently, I'm not sure that it's the right method.
But it is perfect for me^^;;
If you needed multiple certificates, then you should change "cert=/root/ca.pem" to ports other than 3129...
Actually you should redirect traffic per certificates, 3129, 3130, 3131...

* /root/ca.pem should include cert

-----BEGIN RSA PRIVATE KEY-----
... private key for certticate(ex *.example.com)
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
... certticate(ex *.example.com)
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
... intermediate CA certificate(ex "GeoTrust RSA CA 2018")
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
... root CA certificate(ex "DigiCert")
-----END CERTIFICATE-----

 

[coldr3ality]

Thanks for your documented research.