[squid-users] Allow some domains to bypass Squid
Eliezer Croitoru
eliezer at ngtech.co.il
Mon Mar 12 05:58:37 UTC 2018
Hey Nicolas,
If you are running a Squid which doesn't have a mandatory rule of "block first and then allow", or what in the security industry would be called "up-tight", then Yuri's solution is the right path.
But... as a rule of thumb, if you don't need to pass the traffic into the proxy software, don't, and allow or block whatever you can at the OS firewall level.
I wrote a couple of example bypass scripts:
https://gist.github.com/elico/e0faadf0cc63942c5aaade808a87deef
https://gist.github.com/elico/a54c2c8f8e1a2407b42210896b960f4b
For a non-router/proxy Linux system:
https://gist.github.com/elico/f21dae7a34e1736f56a1995977852460
The above examples are good for pre-known domains, similar to the script you wrote in your blog, but they give some form of dynamics to the firewall rules.
I believe that the best formula is to combine both: Squid splice with ipset and domain resolution, and the bypass rules.
Using Squid you will be able to splice domains automatically, and with a daily log analysis of Squid's access.log files you might be able to find new domains that you can add to your firewall-level bypassed domains.
Let me know if it sounds good and is worth a wiki article.
Eliezer
----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il
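The firewall-level half of the combination Eliezer describes, as an added example (my code, not his gists and not part of Squid): a POSIX shell script that reads Niki's proposed /etc/squid/bypass-these-domains.txt, resolves each name on the proxy host, loads the addresses into an ipset with a timeout, and inserts a RETURN rule ahead of the interception REDIRECT so those destinations are never handed to Squid. The set name squid_bypass, the nat chain name SQUID_INTERCEPT and the file name bypass.sh are my assumptions; adjust them to the chain your existing REDIRECT rule lives in. The rule text is generated as plain shell so it can be reviewed with --dry-run before anything touches the kernel.

```shell
#!/bin/sh
# Added example (not from the thread, not Squid's own code): resolve a file of
# bypass domains into an ipset and exempt those destinations from transparent
# interception at the firewall.
# Assumed names (mine): set "squid_bypass", nat/PREROUTING chain "SQUID_INTERCEPT"
# holding the existing REDIRECT rules, script saved as bypass.sh.

BYPASS_FILE="${BYPASS_FILE:-/etc/squid/bypass-these-domains.txt}"
SET_NAME="${SET_NAME:-squid_bypass}"
INTERCEPT_CHAIN="${INTERCEPT_CHAIN:-SQUID_INTERCEPT}"
SET_TIMEOUT="${SET_TIMEOUT:-3600}"   # seconds; entries expire so stale CDN addresses drop out

# read_domains FILE: print one validated hostname per line.
# Blank lines and '#' comments are skipped; anything that is not a plain
# hostname is rejected, because these strings end up on a command line.
read_domains() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    while IFS= read -r d; do
        [ -n "$d" ] || continue
        if printf '%s\n' "$d" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'; then
            printf '%s\n' "$d"
        else
            printf 'skipping invalid entry: %s\n' "$d" >&2
        fi
    done
}

# resolve_domain NAME: print "NAME IPv4" once per distinct A record.
# Resolution happens on the proxy host, so a LAN client cannot feed the set.
resolve_domain() {
    getent ahostsv4 "$1" 2>/dev/null |
    awk -v d="$1" '$1 ~ /^[0-9.]+$/ && !seen[$1]++ { print d, $1 }'
}

# build_rules: read "NAME IP" pairs on stdin, emit the shell commands that
# create/refresh the set and put the bypass rule *before* interception.
# Pure text output: nothing here touches ipset or iptables.
build_rules() {
    printf 'ipset create %s hash:ip timeout %s -exist\n' "$SET_NAME" "$SET_TIMEOUT"
    while read -r name ip; do
        [ -n "$ip" ] || continue
        printf 'ipset add %s %s timeout %s -exist  # %s\n' "$SET_NAME" "$ip" "$SET_TIMEOUT" "$name"
    done
    # -C tests whether the rule already exists; -I ... 1 inserts it at the top
    # of the chain so a matching packet RETURNs before any REDIRECT is evaluated.
    printf 'iptables -t nat -C %s -p tcp -m set --match-set %s dst -j RETURN 2>/dev/null || ' \
        "$INTERCEPT_CHAIN" "$SET_NAME"
    printf 'iptables -t nat -I %s 1 -p tcp -m set --match-set %s dst -j RETURN\n' \
        "$INTERCEPT_CHAIN" "$SET_NAME"
}

# main [--dry-run]: resolve every listed domain and apply (or just print) the rules.
main() {
    rules=$(read_domains "$BYPASS_FILE" | while read -r d; do resolve_domain "$d"; done | build_rules)
    if [ "$1" = "--dry-run" ]; then
        printf '%s\n' "$rules"
    else
        printf '%s\n' "$rules" | sh -e
    fi
}

# Only run when executed as bypass.sh; sourcing the file just defines the functions.
case "${0##*/}" in bypass.sh) main "$@" ;; esac
```

Run it from cron (hourly, matching SET_TIMEOUT) so the set tracks DNS changes; between runs a name that has moved to a new address is intercepted again, which is exactly why Eliezer pairs this with a Squid `ssl_bump splice` rule on an ACL reading the same file, so the connection is still passed through untouched rather than bumped. Two caveats worth keeping in mind: the set is keyed on IPv4 addresses, so every name that shares an address with a listed domain (common on CDNs) is bypassed too, and nothing on the bypassed path is logged or filtered by Squid, so keep the list short and review it. IPv6 needs a second `family inet6` set and an ip6tables rule; the script above deliberately handles only IPv4.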
-----Original Message-----
From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On Behalf Of Nicolas Kovacs
Sent: Sunday, March 11, 2018 10:07
To: squid-users at lists.squid-cache.org
Subject: [squid-users] Allow some domains to bypass Squid
Hi,
I have Squid setup as a transparent HTTP+HTTPS proxy in my local
network, using SSL-Bump.
The configuration works quite nicely, according to
/var/log/squid/cache.log and /var/log/squid/access.log.
This being said, I am having trouble with a handful of domains like
GitHub, or my OwnCloud installation. I have an OwnCloud server installed
at https://cloud.microlinux.fr, and every time I fire up a client, I have
to confirm the use of an untrusted certificate. And on my workstation, I
can't connect to my GitHub repository anymore. Here's the error I get.
# git pull
fatal: unable to access 'https://github.com/kikinovak/centos-7-desktop-kde/': Peer's certificate issuer has been marked as not trusted by the user.
So I thought the best thing to do is to create an exception for this
handful of domains with issues.
Can I configure some domains to simply bypass the proxy in my current
(transparent) setup? Ideally, the configuration should be able to read a
simple text file containing said domains, something like
/etc/squid/bypass-these-domains.txt. And then these bypass the proxy and
get treated regularly, as if there was no proxy?
Cheers,
Niki
--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users