[squid-users] Allow some domains to bypass Squid

Amos Jeffries squid3 at treenet.co.nz
Sun Mar 11 08:24:52 UTC 2018


On 11/03/18 21:07, Nicolas Kovacs wrote:
> Hi,
> 
> I have Squid set up as a transparent HTTP+HTTPS proxy in my local
> network, using SSL-Bump.
> 
> The configuration works quite nicely, according to
> /var/log/squid/cache.log and /var/log/squid/access.log.
> 
> This being said, I am having trouble with a handful of domains like
> Github, or my OwnCloud installation. I have an OwnCloud server installed
> at https://cloud.microlinux.fr, and every time I fire up a client, I have
> to confirm the use of an untrusted certificate. And on my workstation, I
> can't connect to my Github repository anymore. Here's the error I get.
> 
>   # git pull
>   fatal: unable to access 'https://github.com/kikinovak/centos-7-desktop-kde/': Peer's certificate issuer has been marked as not trusted by the user.
> 
> So I thought the best thing to do is to create an exception for this
> handful of domains with issues.
> 
> Can I configure some domains to simply bypass the proxy in my current
> (transparent) setup? Ideally, the configuration should be able to read a
> simple text file containing said domains, something like
> /etc/squid/bypass-these-domains.txt. And then these bypass the proxy and
> get treated regularly, as if there was no proxy?
> 

What you need to start with is switch your thinking from "domains" to
considering things in terms of connections and individual servers. Since
"domain" is a URL concept, and URLs are all hidden inside the encrypted
part of the traffic, there is no knowing what that really is until after
decryption.

However, when dealing with servers and connections, the connection's TLS
SNI can tell you which *server* a client is connecting to and you can
decide to do the splice action based on which servers you are having
trouble with (not domains).

Or better yet, decide even earlier in your NAT system not to send that
traffic to the proxy at all.

Amos
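
The SNI-based splice described in the reply above could look like the following squid.conf fragment. This is an added example, not configuration posted by anyone in the thread. It assumes the intercepting `https_port ... ssl-bump` setup from the question is already in place and reuses the file path the question proposed; the ACL names `step1` and `bypass_servers` are illustrative.

```conf
# squid.conf fragment (added example; ACL names are illustrative)

# Server names to leave undecrypted, one per line in the file.
# A leading dot also matches subdomains, e.g.:
#   .github.com
#   cloud.microlinux.fr
acl bypass_servers ssl::server_name "/etc/squid/bypass-these-domains.txt"

# First SslBump step: only the TCP-level details of the connection are known.
acl step1 at_step SslBump1

# Step 1: read the TLS ClientHello, including the SNI, without decrypting.
ssl_bump peek step1

# Servers named in the file: pass the TLS stream through untouched, so the
# client validates the server's real certificate instead of the proxy's.
ssl_bump splice bypass_servers

# Everything else continues to be decrypted with the proxy's CA.
ssl_bump bump all
```

Spliced connections still pass through Squid and are logged as tunnels, but their content is not inspected. The SNI is supplied by the client, so this list decides which servers are left undecrypted; it is not an authorization control.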

