firmware: support proxy settings, base/kernel lock, opnsense-devel choice

[fichtner]

I was testing OPNsense as an additional firewall & router for certain VLANs behind another firewall and proxy.
So OPNsense is installed in the existing private LAN side behind an existing proxy, port 8080.
When trying to update or get the list of plugins,  I always got : No Connection.
I had no luck using the integrated proxy with defining an upstream Proxy, also set_env did not work.

I solved my problem by adding the proxy directly to the pkg.conf via Console - Shell:
vi /usr/local/etc/pkg.conf , add 
pkg_env : {
http_proxy: "http://your-poxy-ip:port/"
}

via: https://forum.opnsense.org/index.php?topic=3833.0

[fichtner]

Looks like a duplicate of #1992 -- no need for proxy at this point.

[kronenpj]

I generally agree that the package repository should be a local mirror instead of going through a proxy. However, I can envision situations where it would be undesirable / infeasible to maintain a local mirror yet still require an external proxy to access the public mirrors.

Perhaps a small/starter home lab where a corporate network emulation is strongly desired, but disk space is short. Yes, a contrived example, but conceivable.

[dominikborkowski]

I'm wondering what the status of this request is. We're in the situation described above: the systems running OPNsense are behind a set of proxies. There are no mirrors, nor infrastructure for them. Being able to configure/manage settings for HTTP/HTTPS proxy used to fetch updates would be wonderful.

Cheers!

[AdSchellevis]

@dominikborkowski currently we are not planning to offer proxy settings via the gui, but as of 24.1 it would be possible to install a custom configuration file for this in our configd system. If you open a ticket in our documentation GitHub repository, I’ll add some documentation later.

[fichtner]

BTW: The change to support this was released yesterday in 23.7.12.

[dominikborkowski]

Yesterday I attempted to perform an update of image running 22.1 to latest. I believe it involved at least 10 rounds of updates, after each I had to re-insert proxy configuration. If this new configuration method can be persistent throughout updates, it will be a life saver for us and our students, even if it's not in GUI.

I'll open an issue in the appropriate repo as suggested. Thank you both!

[fichtner]

Yes, it's a persistent solution with a plugin directory that we mostly use for situations like these.

Cheers,
Franco

[josefzahner]

I know it has been closed, but @AdSchellevis can you please explain how to configure a custom configd file? I found no documentation yet and I'm installing an OPNsense v24.1.1 within a corporate environment with HTTP proxy...

At the moment I've this and it works (at least until I'm upgrading again)

vi /usr/local/opnsense/service/conf/configd.conf

HTTP_PROXY=http://our-proxy.com:8080
HTTPS_PROXY=http://our-proxy.com:8080
http_proxy=http://our-proxy.com:8080
https_proxy=http://our-proxy.com:8080
FTP_PROXY=http://our-proxy.com:8080
ftp_proxy=http://our-proxy.com:8080

EDIT: I guess I just found it, sorry: https://docs.opnsense.org/development/backend/configd.html