[squid-users] Allow some domains to bypass Squid

Nishant Sharma codemarauder at gmail.com
Mon Mar 12 06:01:56 UTC 2018


Hi Nicolas,

On Sunday 11 March 2018 05:35 PM, Nicolas Kovacs wrote:
> On 11/03/2018 at 12:31, Amos Jeffries wrote:
> OK, I got something that's starting to work.
> 
> # Exceptions
> EXCEPTIONS=$(egrep -v '(^\#)|(^\s+$)' /usr/local/sbin/no-proxy.txt)
> for EXCEPTION in $EXCEPTIONS; do
>    $IPT -A PREROUTING -t nat -i $IFACE_LAN -d $EXCEPTION -j ACCEPT
> done

The problem with this approach might be that domains are looked up for 
their IPs at the time of rule creation and not at the time of request. 
Since destinations like github.com, google.com, Facebook, etc. use many 
large pools of IPs, your rule might not match later in the day or after 
a few days.

Better to use "ipset" along with dnsmasq and refer to that ipset in the 
iptables rule to match the destination.

1. ipset create _ipsetname_ hash:ip

2. Configure dnsmasq to populate _ipsetname_ by adding the following line 
for each domain to dnsmasq.conf:

ipset=/google.com/_ipsetname_
ipset=/github.com/_ipsetname_
...
...

3. Use dnsmasq as the resolver/cache on your proxy machine and ensure that 
squid uses your dnsmasq for DNS queries.

4. Add an intercept iptables rule that does not NAT traffic to 
destinations in the ipset:

iptables -A PREROUTING -t nat -i $IFACE_LAN -m set --match-set _ipsetname_ dst -j ACCEPT

Dnsmasq will keep populating the ipset as and when a resolution request 
is received for the matched domains. An ipset can hold 65534 entries.

I use this approach extensively to allow Anti-Virus and Windows updates 
to machines which are otherwise not allowed to access the Internet 
directly, without configuring an explicit proxy or proxy.pac/wpad.

Regards,
Nishant
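The four steps above as one script. This is an added example, not code from the post or from the Squid or dnsmasq projects. It assumes a hash:ip set (an open-ended list of Internet destinations does not fit a bitmap:ip range), a set name of "noproxy", an interface/port of eth1/3129 (override via environment), and, importantly, that the LAN clients resolve through this dnsmasq as well: the ACCEPT rule matches the IP the client chose to connect to, so that IP must be the one dnsmasq put in the set. The sample no-proxy list is constructed here; nothing is applied unless APPLY=1.

```shell
#!/bin/sh
# Added example (not from the post): generate the dnsmasq ipset lines and the
# nat PREROUTING rules from a no-proxy domain list, optionally apply them, and
# check that a resolved destination really lands in the set.
# Assumed names (not from the post): set "noproxy", LAN iface, intercept port.
SETNAME="${SETNAME:-noproxy}"
IFACE_LAN="${IFACE_LAN:-eth1}"
SQUID_PORT="${SQUID_PORT:-3129}"

# Constructed sample list, written to a temp file so the script runs stand-alone.
SAMPLE_LIST="${TMPDIR:-/tmp}/no-proxy.sample.txt"
cat > "$SAMPLE_LIST" <<'EOF'
# hosts that must reach the Internet directly, not via Squid
update.microsoft.com
  github.com   # whitespace and trailing comments are tolerated

google.com
EOF

# Print the domains from a list file: drop comments (full-line or trailing),
# strip surrounding whitespace, and skip lines that end up empty.
read_domains() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Emit one dnsmasq "ipset=/domain/set" line per domain. dnsmasq matches the
# domain and all of its subdomains, so "github.com" also covers api.github.com.
gen_dnsmasq_conf() {
    read_domains "$1" | while IFS= read -r d; do
        printf 'ipset=/%s/%s\n' "$d" "$SETNAME"
    done
}

# Emit the firewall commands in the order they must run: the set has to exist
# before a rule references it, and the ACCEPT must come before the REDIRECT
# in nat PREROUTING, otherwise the bypass is never consulted.
gen_firewall_rules() {
    cat <<EOF
ipset -exist create $SETNAME hash:ip
iptables -t nat -A PREROUTING -i $IFACE_LAN -p tcp --dport 80 -m set --match-set $SETNAME dst -j ACCEPT
iptables -t nat -A PREROUTING -i $IFACE_LAN -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
EOF
}

# Check after deployment: resolve a host through the local dnsmasq and confirm
# the first address is now a member of the set (ipset test exits 0 on a hit).
check_bypass() {
    ip=$(getent hosts "$1" | awk '{ print $1; exit }')
    [ -n "$ip" ] || { echo "no A record for $1" >&2; return 1; }
    ipset test "$SETNAME" "$ip"
}

# Dry run by default: show what would be written and executed.
gen_dnsmasq_conf "$SAMPLE_LIST"
gen_firewall_rules

if [ "${APPLY:-0}" = 1 ]; then
    gen_dnsmasq_conf "$SAMPLE_LIST" > /etc/dnsmasq.d/"$SETNAME".conf
    gen_firewall_rules | sh
    # dnsmasq must be restarted so it loads the ipset= lines
    echo "now restart dnsmasq, then run: check_bypass github.com" >&2
fi
```

Run it with APPLY=1 on the proxy host; afterwards `getent hosts github.com` followed by `ipset list noproxy` should show the returned address, and `check_bypass github.com` exits 0. If a client resolves names elsewhere (its own DNS server, DNS over HTTPS), that client's destination IP may never enter the set and it will still be intercepted.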

