[squid-users] How to bypass Squid proxy in intercept mode using acl/always_direct

mabi mabi at protonmail.ch
Mon Dec 26 19:07:03 UTC 2016


Hello,

I am using Squid 3.5.20 in intercept mode for HTTP and HTTPS traffic on my OpenBSD 6.0 firewall. For some internal servers located in two different subdomains I would like to reach them directly, bypassing the Squid proxy. Is it possible to achieve this using the acl and always_direct directives of Squid? I tried it out, but when checking the squid access.log file I still see these accesses going through the proxy. You will find my squid.conf below; the acl/always_direct lines are the last 3 lines of the config.

Thanks for your help.

Regards,
Mabi

# Client networks allowed to use the proxy (RFC1918 + IPv6 private/link-local).
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

# Destination port restrictions (stock Squid defaults).
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# http_access rules are evaluated top-down; the first match wins.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# cache manager interface: loopback only.
http_access allow localhost manager
http_access deny manager

http_access allow localnet
http_access allow localhost
http_access deny all

coredump_dir /var/squid/cache

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

# URL filtering helper (squidGuard); every intercepted request passes through it.
url_rewrite_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf
url_rewrite_children 19 startup=15 idle=10 concurrency=0

# Intercepted plain-HTTP listener. Traffic only reaches this port because the
# firewall redirects it here; Squid itself has no say in which flows are redirected.
http_port 127.0.0.1:3129 intercept

cache_mem 1024 MB
maximum_object_size_in_memory 8 MB
cache_dir ufs /var/squid/cache 800 16 64
minimum_object_size 3 KB
maximum_object_size 6 MB

ipcache_size 10240
fqdncache_size 10240
max_filedescriptors 4096

# Intercepted HTTPS listener with SSL-Bump. cert= and key= point at the same file,
# so /etc/squid/proxy-ca.pem holds the CA private key used to forge server
# certificates; keep it readable by the squid user only.
https_port 127.0.0.1:3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/proxy-ca.pem key=/etc/squid/proxy-ca.pem
acl step1 at_step SslBump1
# Peek at the ClientHello (SNI) first, then bump (decrypt) every connection,
# including those to the local-servers domains defined below.
ssl_bump peek step1
ssl_bump bump all
# Cipher list for the server-facing TLS side. OpenSSL treats "!" as a permanent
# exclusion, so the EECDH+aRSA+RC4 entry is removed again by the later !RC4.
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

# NOTE(review): always_direct only chooses between forwarding to a cache_peer and
# fetching from the origin server; no cache_peer is configured in this file, so
# these three lines are expected to have no observable effect. Requests to these
# domains are still intercepted, logged and (for HTTPS) bumped. Exempting the
# internal servers has to be done where the traffic is redirected to ports
# 3129/3130 (the firewall rules), not inside squid.conf — confirm against the
# redirection rules on the OpenBSD host.
acl local-servers dstdomain .internal.domain.net
acl local-servers dstdomain .dmz.domain.net
always_direct allow local-servers

