[squid-users] Allow some domains to bypass Squid

Nicolas Kovacs info at microlinux.fr
Sun Mar 11 10:03:46 UTC 2018 

Le 11/03/2018 à 09:24, Amos Jeffries a écrit :
> What you need to start with is switch your thinking from "domains" to
> considering things in terms of connections and individual servers. Since
> "domain" is a URL concept, and URLs are all hidden inside the encrypted
> part of the traffic there is no knowing what that really is until after
> decryption.
> 
> However when dealing with servers and connections, the connections TLS
> SNI can tell you which *server* a client is connecting to and you can
> decide to do the splice action based on which servers you are having
> trouble with (not domains).
> 
> Or better yet, decide even earlier in your NAT system not to send that
> traffic to the proxy at all.

I tried to formulate your suggestion in my own words and sent it to the
CentOS mailing list, where I'm a regular, since this seems more to be of
an iptables-related problem ("earlier in the NAT system").

Here's my message:

--8<---------------------------------------------------------

Hi,

I'm currently facing a quite tricky problem. Here goes.

I have setup Squid as a transparent HTTP+HTTPS proxy in my local
network. All web traffic gets handed over to Squid by an iptables script
on the server. Here's the relevant section in /etc/squid/squid.conf:

--8<-------------------------------------------------------------
# Ports du proxy
http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump \
  cert=/etc/squid/ssl_cert/amandine.sandbox.lan.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
--8<-------------------------------------------------------------

And here's the corresponding section of my firewall script:

--8<-------------------------------------------------------------
# Commandes
IPT=/usr/sbin/iptables
SYS=/usr/sbin/sysctl
SERVICE=/usr/sbin/service

# Internet
IFACE_INET=enp2s0

# Réseau local
IFACE_LAN=virbr0
IFACE_LAN_IP=192.168.2.0/24

# Serveur
SERVER_IP=192.168.2.1

...

# Squid
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3128 -j ACCEPT
$IPT -A INPUT -p udp -i $IFACE_LAN --dport 3128 -j ACCEPT
$IPT -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d $SERVER_IP \
  --dport 80 -j REDIRECT --to-port 3128
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3129 -j ACCEPT
$IPT -A INPUT -p udp -i $IFACE_LAN --dport 3129 -j ACCEPT
$IPT -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d $SERVER_IP \
  --dport 443 -j REDIRECT --to-port 3129
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3130 -j ACCEPT
$IPT -A INPUT -p udp -i $IFACE_LAN --dport 3130 -j ACCEPT
--8<-------------------------------------------------------------

This setup works nicely for the vast majority of web sites.

BUT: a handful of sites has some trouble with my local certificate. For
example, I can't sync my local Github repo anymore. Or my local OwnCloud
client spews back a warning message on every startup.

I asked on the Squid mailing list if there was a possibility to create
an exception for a list of domains, so that these can simply bypass the
proxy. The problem is, according to one of the developers, I have to
tackle that problem earlier in the process, e. g. in the firewall setup.

So here's what I want to do, in plain words:

1. Redirect all HTTP traffic (port 80) to port 3128. So far so good.

2. Redirect all HTTPS traffic (port 443) to port 3129. Equally OK.

AND...

3. DO NOT REDIRECT traffic that goes to certain domains, like:

  github.com
  credit-cooperatif.coop
  cloud.microlinux.fr
  squid-cache.org
  etc.

Ideally, these domains should be read from a simple text file.

Any idea how I could do that? I don't even know if this is theoretically
possible.

Cheers,

Niki

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32

More information about the squid-users mailing list