[squid-users] Allow some domains to bypass Squid

Amos Jeffries squid3 at treenet.co.nz
Sun Mar 11 11:31:04 UTC 2018


On 11/03/18 23:54, Nicolas Kovacs wrote:
> Le 11/03/2018 à 11:17, Amos Jeffries a écrit :
>> The process is not getting anywhere close to caching being relevant. The
>> error you mentioned earlier is in the TLS handshake part of the process.
> 
> I've experimented some more, and I have a partial success. Here, I'm
> redirecting all HTTPS traffic *except* the one that goes to my bank:
> 
> iptables -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d
> www.credit-cooperatif.coop --dport 443 -j REDIRECT --to-port 3129
> 
> This works because my bank is hosted on a single IP. As soon as I
> replace that with a domain that's hosted on multiple IP's, I get this:
> 
> iptables -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d www.google.com
> --dport 443 -j REDIRECT --to-port 3129
> 
> # firewall.sh
> iptables v1.4.21: ! not allowed with multiple source or destination IP
> addresses
> 
> So my question is: how can I write an iptables rule (or series of rules)
> that redirect all traffic to my proxy, *except* the one going to
> <list_of_domains> ?

The whois system can provide info on the IP ranges owned by the
companies like Google which own their own ranges.


The alternative for ssl-bump is the splice action. For that you only
need to know the server names each company uses.

Amos


More information about the squid-users mailing list