[squid-users] make URL bypass squid proxy

Alex Rousskov rousskov at measurement-factory.com
Tue Jun 27 20:51:10 UTC 2023


On 6/27/23 16:29, robert k Wild wrote:
> Ok I've literally commented out "http deny all" so the proxy isn't 
> blocking anything and allowing everything
> 
> http_access allow activation whitelist
> #http_access deny all
> 
> And still it's not allowing this specific URL to go through the proxy
> 
> activate.redshift3d.com
> 
> Well it is but it isn't, as it's an activation URL it isn't activating 
> the app via the proxy, as soon as I pop the pc on the internet, it 
> activates the app
> 
> Any ideas guys?

If you have not already, restore the "deny all" rule and make sure that 
everything works if you do not bump traffic. Use just "http_port 3128" 
if you have to, without the ssl-bump flag and related ssl_bump rules.

Once the above is working, I would check whether your app trusts your CA 
certificate (/usr/local/squid/etc/ssl_cert/myCA.pem). If you have not 
done anything about that trust on the app side, then that app will not 
trust it, and all bumped transactions will fail because the app will 
refuse to receive TLS traffic related to that certificate.

Add %err_code/%err_detail fields to your access.log using the logformat 
and access_log directives. They may help identify failed transactions.


HTH,

Alex.
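Alex's access.log suggestion, worked through as an added example that is not part of the list thread: the squid.conf lines that extend the stock "squid" logformat with %err_code/%err_detail sit in the comment, and the script parses constructed sample lines in that format to list failed transactions and group them by destination host and error code. The format name squid_err, the log path and the sample lines (including their error values) are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit
# squid.conf lines assumed to produce the format parsed below (format name
# "squid_err" and log path are assumptions; the fields are the stock "squid"
# logformat plus Alex's %err_code/%err_detail):
#   logformat squid_err %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %err_code/%err_detail
#   access_log /usr/local/squid/var/logs/access.log squid_err

# Constructed sample lines: a spliced CONNECT that succeeded, a bumped CONNECT
# whose client rejected Squid's generated certificate, and an ordinary GET.
SAMPLE_LOG = """\
1687898400.123    150 192.0.2.10 TCP_TUNNEL/200 3412 CONNECT activate.redshift3d.com:443 - HIER_DIRECT/203.0.113.5 - -/-
1687898401.456     12 192.0.2.10 NONE_NONE/000 0 CONNECT activate.redshift3d.com:443 - HIER_NONE/- - ERR_SECURE_ACCEPT_FAIL/SQUID_TLS_ERR_ACCEPT+TLS_LIB_ERR=14094418
1687898402.789    210 192.0.2.11 TCP_MISS/200 5120 GET https://example.com/ - HIER_DIRECT/203.0.113.9 text/html -/-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)/(?P<http>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+"
    r"(?P<mime>\S+)\s+(?P<err_code>[^/\s]+)/(?P<err_detail>\S+)$"
)

def parse_line(line):
    """Parse one squid_err line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def failed_transactions(log_text):
    """Entries that carry a Squid error code (err_code is not '-')."""
    entries = (parse_line(ln) for ln in log_text.splitlines() if ln.strip())
    return [e for e in entries if e and e["err_code"] != "-"]

def dest_host(entry):
    """CONNECT lines log host:port; other methods log a full URL."""
    if entry["method"] == "CONNECT":
        return entry["url"].rsplit(":", 1)[0]
    return urlsplit(entry["url"]).hostname or entry["url"]

def failures_by_host(log_text):
    """Count failures per (host, err_code); a host whose bumped connections
    all die at TLS accept points at an app that distrusts the bumping CA."""
    counts = Counter()
    for e in failed_transactions(log_text):
        counts[(dest_host(e), e["err_code"])] += 1
    return counts

if __name__ == "__main__":
    for (host, code), n in sorted(failures_by_host(SAMPLE_LOG).items()):
        print(f"{n:4d}  {host}  {code}")
```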


> On Tue, 27 Jun 2023, 07:36 robert k Wild, <robertkwild at gmail.com> wrote:
> 
>     Hi Eliezer,
> 
>     this is a snippet of my whitelist and no intercept SSL config
> 
>     #SSL Interception
>     acl DiscoverSNIHost at_step SslBump1
>     acl NoSSLIntercept ssl::server_name_regex "/usr/local/squid/etc/interceptssl.txt"
>     ssl_bump peek DiscoverSNIHost
>     ssl_bump splice NoSSLIntercept
>     ssl_bump bump all
>     #
>     #SSL Bump
>     http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
>     sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
>     #
>     #deny up MIME types
>     acl upmime req_mime_type "/usr/local/squid/etc/mimedeny.txt"
>     #
>     #deny URL links
>     acl url_links url_regex "/usr/local/squid/etc/linksurl.txt"
>     #
>     #allow special URL paths
>     acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"
>     #
>     #deny down MIME types
>     acl downmime rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
>     #
>     http_reply_access allow special_url
>     http_reply_access deny downmime
>     #http_access deny upmime
>     #http_access deny url_links
>     #
>     #HTTP_HTTPS whitelist websites
>     acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhite.txt"
>     #
>     http_access allow activation whitelist
>     http_access deny all
> 
>     so basically no SSL interception
> 
>     #SSL Interception
>     acl DiscoverSNIHost at_step SslBump1
>     acl NoSSLIntercept ssl::server_name_regex "/usr/local/squid/etc/interceptssl.txt"
>     ssl_bump peek DiscoverSNIHost
>     ssl_bump splice NoSSLIntercept
>     ssl_bump bump all
> 
>     and whitelisting
> 
>     #HTTP_HTTPS whitelist websites
>     acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhite.txt"
> 
>     in both txt files ie
> 
>     /usr/local/squid/etc/interceptssl.txt
>     /usr/local/squid/etc/urlwhite.txt
> 
>     I have a URL that first I have to whitelist, and then if I want squid
>     not to inspect the URL traffic I put it in the SSL interception file (I
>     do this as some websites don't like MITM).
> 
>     But even putting the URL in question in both files I'm still having
>     issues with this website, i.e. it's still being detected that it's
>     passing through a proxy.
> 
>     thanks,
>     rob
> 
>     On Mon, 26 Jun 2023 at 23:35, <ngtech1ltd at gmail.com> wrote:
> 
>         Hey Robert,
> 
>         I am not sure what forward proxy setup you have there.
> 
>         A simple forward proxy?
> 
>         What tool are you using for whitelisting?
> 
>         You can use an external acl helper to allow dynamic updates of
>         the whitelists, or periodically update your lists and reload.
>         It will depend on the size of your lists.
>         What OS are you using for your squid proxy?
> 
>         More details will help us help you.
> 
>         Eliezer
> 
>         From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of robert k Wild
>         Sent: Monday, June 26, 2023 22:25
>         To: Squid Users <squid-users at lists.squid-cache.org>
>         Subject: [squid-users] make URL bypass squid proxy
> 
> 
>         hi all,
> 
>         I have set up squid for URL whitelisting and no intercept SSL
>         (see below)
> 
>         https://wiki.squid-cache.org/ConfigExamples/Caching/AdobeProducts
> 
>         but some websites I want the client to bypass the squid proxy
>         and go straight to the website, as I think this is why a URL isn't
>         working even when I add the URL to both files, i.e. urlwhite and no
>         intercept SSL
> 
>         thanks,
> 
>         rob
> 
>         -- 
>         Regards,
> 
>         Robert K Wild.
> 
> 
> 
>     -- 
>     Regards,
> 
>     Robert K Wild.
> 