[squid-users] Bypass squid using iptables

Ben Goz ben.goz87 at gmail.com
Mon May 25 10:09:46 UTC 2020


B.H
> Tunneling it elsewhere,
Where can I tunnel it? And how can I configure my machine to support it?

> You cannot have iptables suddenly divert packets to other software mid-stream.
I want to tunnel it by IP or translate a group of URLs to IPs. I'm not sure
if this is the case that you mentioned, because I can do it before squid
handles TCP session initialization.

The issue here is, as I said, that I want to bypass WSS and other stuff that
squid can't technically support for a known list of IPs (or URLs).
Do you have any recommended configuration for this requirement?

Regards,
Ben

On Mon, 25 May 2020 at 9:56, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 21/05/20 3:49 am, Ben Goz wrote:
> > B.H.
> >
> > I'm using squid with the c-icap module for specific content filtering. I
> > configured squid with ssl bump, so websites with WSS won't work on it, as
> > mentioned in the squid documentation. So for such URLs (with WSS) I need
> > to bypass squid. I read in some posts that squid doesn't fully support
> > bypassing URLs and the best way is to bypass it via iptables.
> >
> > Eventually I redirect browser traffic to my proxy machine using local
> > machine proxy settings, and it redirects traffic to my machine with IP
> > x.x.x.x port 3128.
> >
> > If I want to use the conservative iptables bypassing, how should I
> > configure my machine? And what should the iptables rules look like?
> >
>
> Since you are redirecting the traffic to Squid in the first place, all
> you have to do is *not* redirect the relevant traffic. See your firewall
> software documentation on how to configure that.
>
>
> The hard part is figuring out which traffic you want the proxy to
> service, and what to bypass given only a TCP SYN packet.
>
>
> Be aware that once a TCP SYN+ACK packet is delivered to accept the
> connection Squid *has* to service that TCP connection in its entirety.
> Such 'service' may mean terminating it without any traffic, tunneling it
> elsewhere, or full processing of the traffic.
>  Either way Squid is the agent servicing it. You cannot have iptables
> suddenly divert packets to other software mid-stream.
>
>
> HTH
> Amos
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
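The approach Amos describes (exempt the bypass destinations from the redirect so Squid never accepts those connections), as an added example that is not part of the thread: the script below generates the nat-table rules for a gateway that intercepts port 80/443 to Squid on 3128, with RETURN rules for the bypass list placed before the REDIRECT so the decision is made on the TCP SYN. The interface name, the Squid port and the bypass addresses are placeholders I chose, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the squid-users thread. Prints iptables commands
# that intercept client HTTP/HTTPS traffic into Squid while exempting a
# fixed list of destination IPs/CIDRs (the "conservative iptables bypass").
# Rule order is the whole point: the RETURN rules for the bypass list come
# before the REDIRECT, so an exempted SYN leaves the chain un-redirected and
# Squid never sees (and therefore never has to service) that connection.

LAN_IF="${LAN_IF:-eth0}"          # assumed client-facing interface
SQUID_PORT="${SQUID_PORT:-3128}"  # port Squid listens on (3128 in the thread)
CHAIN="SQUID_INTERCEPT"           # assumed chain name

# bypass_rules DEST... : one RETURN rule per destination to exempt.
bypass_rules() {
    for dst in "$@"; do
        printf 'iptables -t nat -A %s -p tcp -d %s -j RETURN\n' "$CHAIN" "$dst"
    done
}

# intercept_rules DEST... : full rule set: create the chain, add the bypass
# exemptions first, then redirect 80/443 to Squid, then hook the chain into
# PREROUTING for traffic arriving on the LAN side.
intercept_rules() {
    printf 'iptables -t nat -N %s\n' "$CHAIN"
    bypass_rules "$@"
    for port in 80 443; do
        printf 'iptables -t nat -A %s -p tcp --dport %s -j REDIRECT --to-ports %s\n' \
            "$CHAIN" "$port" "$SQUID_PORT"
    done
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -j %s\n' "$LAN_IF" "$CHAIN"
}

# Constructed bypass list (documentation addresses, not real WSS endpoints).
BYPASS="192.0.2.10 198.51.100.0/24"

# Review the generated rules, then pipe the output into `sh` on the gateway.
intercept_rules $BYPASS
```

This only works for intercepted traffic: when the browser is configured with an explicit proxy, as in Ben's setup, the client connects to port 3128 itself and the origin address is inside the CONNECT request rather than in the packet, so the exemption has to live in the browser or PAC proxy-exception list instead of in iptables.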