<div dir="rtl"><div dir="ltr">B.H</div><div dir="ltr">>Tunneling it elsewhere,</div><div dir="ltr">Where can I tunnel it? and how can I configure my machine to support it?</div><div dir="ltr"><br></div><div dir="ltr">>You cannot have iptables suddenly divert packets to other software mid-stream.</div><div dir="ltr">I want to tunnel it by IP or translate a group of URLs to IPs I'm not sure if this is the case that you mentioned,</div><div dir="ltr">Because I can do it before squid handles TCP session initialization.</div><div dir="ltr"><br></div><div dir="ltr">The issue here is as I said that I want bypass WSS and other stuff that squid can't technically support for known list of IPs (or URLS).</div><div dir="ltr">Do you have any recommended configuration for this requirement?</div><div dir="ltr"><br></div><div dir="ltr">Regards,</div><div dir="ltr">Ben</div>suddenly divert packets to other software mid-stream.<br></div><br><div class="gmail_quote"><div dir="rtl" class="gmail_attr">בתאריך יום ב׳, 25 במאי 2020 ב-9:56 מאת Amos Jeffries <<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 21/05/20 3:49 am, Ben Goz wrote:<br>
> B.H.<br>
> <br>
> I'm using squid with c-icap module for specific content filtering. I<br>
> configured squid with ssl bump so website with WSS won't work on it as<br>
> mentioned on squid documentation. So for such URLs (with WSS) I need<br>
> bypassing squid. I read in some posts that squid doesn't fully supports<br>
> bypassing URLs and best way is to bypasses it via iptables.<br>
> <br>
> Eventually I redirects browser traffic to my proxy machine using local<br>
> machine proxy settings, and Its redirects traffic to my machine with IP<br>
> x.x.x.x port 3128.<br>
> <br>
> If I want to use the conservative iptables bypassing how should I config<br>
> my machine? and how iptables rules should looks like?<br>
> <br>
<br>
Since you are redirecting the traffic to Squid in the first place. All<br>
you have to do is *not* redirect the relevant traffic. See your firewall<br>
software documentation on how to configure that.<br>
<br>
<br>
The hard part is figuring out which traffic you want the proxy to<br>
service, and what to bypass given only a TCP SYN packet.<br>
<br>
<br>
Be aware that once a TCP SYN+ACK packet is delivered to accept the<br>
connection Squid *has* to service that TCP connection in its entirety.<br>
Such 'service' may mean terminating it without any traffic, tunneling it<br>
elsewhere, or full processing of the traffic.<br>
Either way Squid is the agent servicing it. You cannot have iptables<br>
suddenly divert packets to other software mid-stream.<br>
<br>
<br>
HTH<br>
Amos<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div>