[squid-users] Allow some domains to bypass Squid

Nicolas Kovacs info at microlinux.fr
Sun Mar 11 10:54:38 UTC 2018


Le 11/03/2018 à 11:17, Amos Jeffries a écrit :
> The process is not getting anywhere close to caching being relevant. The
> error you mentioned earlier is in the TLS handshake part of the process.

I've experimented some more, and I have a partial success. Here, I'm
redirecting all HTTPS traffic *except* the one that goes to my bank:

iptables -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d
www.credit-cooperatif.coop --dport 443 -j REDIRECT --to-port 3129

This works because my bank is hosted on a single IP. As soon as I
replace that with a domain that's hosted on multiple IP's, I get this:

iptables -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d www.google.com
--dport 443 -j REDIRECT --to-port 3129

# firewall.sh
iptables v1.4.21: ! not allowed with multiple source or destination IP
addresses

So my question is: how can I write an iptables rule (or series of rules)
that redirect all traffic to my proxy, *except* the one going to
<list_of_domains> ?

Cheers,

Niki

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32


More information about the squid-users mailing list