[squid-users] make URL bypass squid proxy

ngtech1ltd at gmail.com ngtech1ltd at gmail.com
Thu Jun 29 00:38:53 UTC 2023


Hey Rob,

The first thing is to allow the domain in the http_access just to be sure and use a basic deny all bottom line.
Let me try to simplify your squid.conf
In a link:
https://gist.github.com/elico/b49f4a28d4b5db5ba882b10d40872d5e

In plain text:
## START OF FILE
# SSL Interception  basic rules
acl DiscoverSNIHost at_step SslBump1

acl NoSSLInterceptRegEx ssl::server_name_regex (^|.*\.)redshift3d\.com$
acl NoSSLInterceptRegExFile ssl::server_name_regex "/usr/local/squid/etc/no-intercept-ssl-regex.txt"

acl NoSSLInterceptDstDom ssl::server_name .redshift3d.com
acl NoSSLInterceptDstDomFile ssl::server_name "/usr/local/squid/etc/no-intercept-ssl-dstdom.txt"

## any-of will test whichever rule matches first, in a first match/hit fashion
acl NoSSLInterceptAnyOf any-of NoSSLInterceptDstDom NoSSLInterceptDstDomFile NoSSLInterceptRegEx NoSSLInterceptRegExFile

ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLInterceptAnyOf
ssl_bump bump all

#SSL Bump port
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB

## http_access acls, will apply on incoming requests and not on responses
## anchored at the start of the URL; the host part may not contain '/' so the path/query cannot satisfy the match
acl special_url_regex url_regex ^https?://([^/]*\.)?redshift3d\.com/
acl special_url_regex_file url_regex "/usr/local/squid/etc/special_url_regex.txt"

acl special_url_dst_dom dstdomain .redshift3d.com
acl special_url_dst_dom_file dstdomain "/usr/local/squid/etc/special_url_dstdom.txt"

acl special_url_any_of any-of special_url_dst_dom special_url_dst_dom_file special_url_regex special_url_regex_file

acl localnet src 192.168.0.0/16
acl localnet src 10.0.0.0/8

http_access allow localnet special_url_any_of
http_access deny all
## END OF FILE

Once the above works, try to add other http_access rules like reply access rules.

Let me know what happens,
Eliezer
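As an added example (not code from this thread or from Squid itself), the following Python evaluator applies the ACL semantics used in the squid.conf above (src, dstdomain / ssl::server_name, url_regex, any-of) to constructed sample requests, so the splice/bump and allow/deny outcome of a given SNI or URL can be checked before reloading the proxy. It also compares an unanchored url_regex of the form `https?://(^|.*\.)redshift3d\.com\/` with an anchored one; the simple host extraction regex is an assumption for the example.

```python
import ipaddress
import re

# Added example (not Squid's code): a tiny evaluator for the ACL types used in
# the squid.conf above: src, dstdomain / ssl::server_name, url_regex, any-of.
LOCALNET = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8")]
NO_INTERCEPT_DOM = [".redshift3d.com"]  # acl NoSSLInterceptDstDom ssl::server_name
SPECIAL_DSTDOM = [".redshift3d.com"]    # acl special_url_dst_dom dstdomain
# Two url_regex variants. In the first, '^' after '://' is an anchor that can
# never match there, so only the '.*\.' branch works: the bare domain is missed
# and '.*' may wander into the path/query. The second is anchored to the host.
UNANCHORED_URL_RE = [r"https?://(^|.*\.)redshift3d\.com\/"]
ANCHORED_URL_RE = [r"^https?://([^/]*\.)?redshift3d\.com/"]


def domain_match(values, host):
    """dstdomain / ssl::server_name semantics: a value with a leading dot matches
    that domain and every subdomain; a value without a dot matches exactly."""
    host = host.lower().rstrip(".")
    for v in values:
        v = v.lower()
        if v.startswith("."):
            if host == v[1:] or host.endswith(v):
                return True
        elif host == v:
            return True
    return False


def regex_match(patterns, subject):
    """url_regex / server_name_regex: unanchored search, first match wins."""
    return any(re.search(p, subject) for p in patterns)


def ssl_bump_decision(sni):
    """ssl_bump peek at step 1, splice NoSSLInterceptAnyOf, else bump all."""
    return "splice" if domain_match(NO_INTERCEPT_DOM, sni) else "bump"


def http_access_decision(client_ip, url, url_patterns=ANCHORED_URL_RE):
    """http_access allow localnet special_url_any_of; http_access deny all."""
    in_localnet = any(ipaddress.ip_address(client_ip) in n for n in LOCALNET)
    host = re.sub(r"^https?://([^/:]+).*$", r"\1", url)  # assumed host extraction
    special = domain_match(SPECIAL_DSTDOM, host) or regex_match(url_patterns, url)
    return "allow" if in_localnet and special else "deny"


if __name__ == "__main__":
    # Constructed sample inputs, not traffic from the thread.
    for sni in ("www.redshift3d.com", "redshift3d.com", "notredshift3d.com"):
        print(f"SNI {sni:20} -> ssl_bump {ssl_bump_decision(sni)}")
    for url in ("https://redshift3d.com/", "https://evil.example/?x=.redshift3d.com/"):
        print(url, regex_match(UNANCHORED_URL_RE, url), regex_match(ANCHORED_URL_RE, url))
```

The second URL in the demo has a host that is not redshift3d.com at all, yet the unanchored pattern matches it through the query string, which is why the anchored form is the one to put in a whitelist.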

From: robert k Wild <robertkwild at gmail.com> 
Sent: Tuesday, June 27, 2023 09:36
To: ngtech1ltd at gmail.com
Cc: Squid Users <squid-users at lists.squid-cache.org>
Subject: Re: [squid-users] make URL bypass squid proxy

Hi Eliezer,

this is a snippet of my whitelist and no intercept SSL config

#SSL Interception
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex "/usr/local/squid/etc/interceptssl.txt"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all
#
#SSL Bump
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
#
#deny up MIME types
acl upmime req_mime_type "/usr/local/squid/etc/mimedeny.txt"
#
#deny URL links
acl url_links url_regex "/usr/local/squid/etc/linksurl.txt"
#
#allow special URL paths
acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"
#
#deny down MIME types
acl downmime rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
#
http_reply_access allow special_url
http_reply_access deny downmime
#http_access deny upmime
#http_access deny url_links
#
#HTTP_HTTPS whitelist websites
acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhite.txt"
#
http_access allow activation whitelist
http_access deny all

so basically no SSL interception

#SSL Interception
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex "/usr/local/squid/etc/interceptssl.txt"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all 

and whitelisting

#HTTP_HTTPS whitelist websites
acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhite.txt" 

in both txt files ie

/usr/local/squid/etc/interceptssl.txt 
/usr/local/squid/etc/urlwhite.txt 

I have a URL that first I have to whitelist, and then if I want Squid not to inspect the URL traffic I put it in the SSL interception (I do this as some websites don't like MITM).

But even putting the URL in question in both files I'm still having issues with this website, i.e. it's still being detected that it's passing through a proxy.

thanks,
rob

On Mon, 26 Jun 2023 at 23:35, ngtech1ltd at gmail.com wrote:
Hey Robert,
 
I am not sure what forward proxy setup you have there.
A simple forward proxy?
What tool are you using for whitelisting?
You can use an external acl helper to allow dynamic updates of the whitelists, or
periodically update your lists and reload.
It will depend on the size of your lists.
What OS are you using for your squid proxy?
 
More details will help us help you.
 
Eliezer
 
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of robert k Wild
Sent: Monday, June 26, 2023 22:25
To: Squid Users <squid-users at lists.squid-cache.org>
Subject: [squid-users] make URL bypass squid proxy
 
hi all,
 
I have set up Squid for URL whitelisting and no intercept SSL (see below)
 
https://wiki.squid-cache.org/ConfigExamples/Caching/AdobeProducts
 
But for some websites I want the client to bypass the Squid proxy and go straight to the website, as I think this is why a URL isn't working even when I add the URL to both files, i.e. urlwhite and no intercept SSL.

thanks,
rob

-- 
Regards, 

Robert K Wild.

