I have searched the existing issues, open and closed, and I'm convinced that mine is new.
The title contains the plugin to which this issue belongs
Describe the bug
The "Access control" feature in the OPNProxy is only working in the policy test, but not with a proxy client.
Due to this issue, any user can access anything on the web.
To Reproduce
Steps to reproduce the behavior:
Setup OPNproxy as described in the docs: https://docs.opnsense.org/manual/opnproxy.html
Generate a test blocking rule. It should not matter what you try to block in the test.
Check using the policy tester. It will tell you that your user is being blocked by your rule as intended.
Check using curl with proxy authentication. Blocking does not work. The request is logged in the access log of the proxy as usual. But it is not being blocked as it should.
Execute: configctl opnproxy sync_users or configctl opnproxy apply_policies. It doesn't help.
Expected behavior
Squid should block the user's request as configured.
Screenshots
Rule testing:
Testing with curl (this should not work due to the deny all rule):
After doing some testing I discovered that blocking HTTP like "http://opnsense.org/" works as expected, but HTTPS does not. For example "https://opnsense.org/", which should also be blocked by the "*" rule, doesn't work. HTTPS content can be browsed.
The HTTP request shows the user; the request is blocked as configured.
The HTTPS CONNECT doesn't parse the user; the request is not blocked.
Logfile after running curl:
Custom policy:

Relevant log files
Squid log:
/usr/local/sbin/squid -d9 -N -f /usr/local/etc/squid/squid.conf
2025/02/28 22:44:15| Indexing cache entries: 32.18% (4000 out of 12431)
2025/02/28 22:44:15| Done reading /var/squid/cache swaplog (12430 entries)
2025/02/28 22:44:15| Finished rebuilding storage from disk.
    12430 Entries scanned
    0 Invalid entries
    0 With invalid flags
    12430 Objects loaded
    0 Objects expired
    0 Objects canceled
    0 Duplicate URLs purged
    0 Swapfile clashes avoided
    Took 0.02 seconds (601587.46 objects/sec).
2025/02/28 22:44:15| Beginning Validation Procedure
2025/02/28 22:44:15| Completed Validation Procedure
    Validated 12430 Entries
    store_swap_size = 19864905.50 KB
2025/02/28 22:44:16| storeLateRelease: released 0 objects
2025/02/28 22:44:19| Starting new external_acl_type helpers...
    current master transaction: master54
2025/02/28 22:44:19| helperOpenServers: Starting 1/5 'squid_acl_helper.py' processes
    current master transaction: master54
2025/02/28 22:44:19| ERROR: ALE missing IDENT
    current master transaction: master54
2025/02/28 22:44:19| ERROR: ALE missing IDENT
    current master transaction: master54
2025/02/28 22:44:20| ERROR: ALE missing IDENT
    current master transaction: master54
2025/02/28 22:44:20| ERROR: ALE missing IDENT
    current master transaction: master54
2025/02/28 22:44:40| ERROR: ALE missing IDENT
    current master transaction: master68
2025/02/28 22:44:40| ERROR: ALE missing IDENT
    current master transaction: master54
2025/02/28 22:44:40| ERROR: ALE missing IDENT
    current master transaction: master74
2025/02/28 22:44:41| ERROR: ALE missing IDENT
    current master transaction: master54
2025/02/28 22:46:06| ERROR: ALE missing IDENT
    current master transaction: master54
2025/02/28 22:46:06| ERROR: ALE missing IDENT
    current master transaction: master54
2025/02/28 22:46:06| ERROR: ALE missing IDENT
    current master transaction: master54
Additional context
curl https://spiegel.de/ -k -U proxyuser:userpassword -x http://proxy.internal.domain.tld:3128 -L --proxy-anyauth
Environment
Versions
OPNsense 25.1.2-amd64
FreeBSD 14.2-RELEASE-p2
OpenSSL 3.0.16
os-OPNProxy 1.0.5_1
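A check an administrator could run against the proxy's access log while this bug is open, as an added example that is not part of the original report or the OPNProxy code: it flags requests that were served without a username attached, which is how the HTTPS CONNECT case described above appears. It assumes Squid's default native access log format; the sample lines are constructed, not taken from the reporter's log.

```python
# Added example: find requests a Squid proxy served without an authenticated user.
# Assumption: default native log format, whitespace separated:
#   time elapsed client code/status bytes method URL user hierarchy/peer type

# Constructed sample lines (illustrative only).
SAMPLE_LOG = """\
1740782655.101     12 192.0.2.10 TCP_DENIED/403 3921 GET http://opnsense.org/ proxyuser HIER_NONE/- text/html
1740782660.417    845 192.0.2.10 TCP_TUNNEL/200 48211 CONNECT opnsense.org:443 - HIER_DIRECT/203.0.113.5 -
1740782671.003      0 192.0.2.11 TCP_DENIED/407 4102 CONNECT example.org:443 - HIER_NONE/- text/html
1740782672.250    310 192.0.2.11 TCP_TUNNEL/200 9120 CONNECT example.org:443 alice HIER_DIRECT/203.0.113.9 -
this line is malformed and must be skipped
"""


def parse_line(line):
    """Split one native-format line into a dict, or return None if malformed."""
    parts = line.split()
    if len(parts) < 10 or "/" not in parts[3]:
        return None
    code, _, status = parts[3].partition("/")
    return {
        "client": parts[2],
        "code": code,        # e.g. TCP_TUNNEL, TCP_DENIED
        "status": status,    # HTTP status sent to the client
        "method": parts[5],
        "url": parts[6],
        "user": parts[7],    # "-" when Squid had no username for the request
    }


def served_without_user(log_text):
    """Return entries that were not denied and carry no username."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        denied = "DENIED" in entry["code"]  # covers 403 blocks and 407 challenges
        if entry["user"] == "-" and not denied:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for e in served_without_user(SAMPLE_LOG):
        print(f'{e["client"]} {e["method"]} {e["url"]} served as {e["code"]}/{e["status"]} with no user')
```

On a proxy where authentication is mandatory, every hit is a request that a per-user rule could not have matched.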