[squid-users] Redirect certain sites to different gateway

Amos Jeffries squid3 at treenet.co.nz
Mon Oct 22 06:10:09 UTC 2018


On 22/10/18 12:54 PM, Donald Muller wrote:
> I have had squid running well for a while now on my NAS. The browser on
> my PC was set up to use squid. A few weeks ago I started running a VPN
> client on the same NAS. Everything still ran well. The other day I
> changed the VPN configuration so that all traffic on the NAS gets routed
> through the VPN (VPN became the default gateway). Everything still ran
> fine except for a few web sites. When I tried to reach my bank, let’s
> say it is www.mybank.com,

You bank with "United Bank & Trust"?

When making up fake domain names please use the reserved names in the
"example" namespace:  example.com, example.net, example.whatever

"mybank" is a registered domain name  - it may or may not be a real
bank. Either way no need to connect it with your problems.


> from my PC I received a “This site can’t be
> reached” error. I’m assuming that the bank site won’t allow connections
> from a VPN server.
>

Assuming leads to problems and "solutions" that don't work. Test your
assumption:
 - check your proxy cache.log for messages about traffic to that website
 - check your access.log for response status on traffic to that website
 - set up a test machine that makes requests via different gateways and
see what happens differently at the TCP (and if relevant TLS) layers.


> 
> Not sure if it is doable but is it possible via squid to redirect a
> request to a different gateway based on the URL (www.mybank.com)? If
> possible how to accomplish this?
> 

What you are calling "redirect" is not possible for Squid to do itself.
The OS routing system is responsible for selecting which routing gateway
traffic goes through.

What Squid can do is mark traffic selectively with a TOS
(tcp_outgoing_tos) or netfilter/iptables MARK (tcp_outgoing_mark) that
the OS uses to decide on a NIC gateway. The dstdomain ACL can be used to
label traffic by domain.


But until you actually confirm your assumption was true, it may not
actually do anything useful.

Amos
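
The marking approach described in the reply above, written out as an added example that is not part of the original message or of the Squid project's documentation. The ACL name, mark value 0x10, routing table number 100, interface eth0 and the 192.0.2.1 / 203.0.113.10 addresses are assumptions chosen for illustration.

```conf
# --- squid.conf (constructed example; names and values are assumptions) ---
# Label the destination by domain. A leading dot also matches subdomains.
# With an explicitly configured browser proxy this also matches CONNECT
# requests for HTTPS sites, since the hostname is in the request line.
acl bypass_vpn dstdomain .example.com

# Set netfilter mark 0x10 on Squid's outgoing server connections for
# those domains. Needs a Linux build of Squid with netfilter mark support.
tcp_outgoing_mark 0x10 bypass_vpn

# --- OS side, run as root (iproute2 commands, not Squid directives) ---
# Routing table 100 holds a default route via the non-VPN gateway:
#   ip route add default via 192.0.2.1 dev eth0 table 100
# Packets carrying mark 0x10 consult table 100 instead of the main table:
#   ip rule add fwmark 0x10 lookup 100
# Check which route a marked packet to a given address would take:
#   ip route get 203.0.113.10 mark 0x10
```

Only traffic matching the ACL leaves via the non-VPN gateway; everything else keeps following the default route through the VPN.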

