[squid-users] Allow some domains to bypass Squid
Nishant Sharma
codemarauder at gmail.com
Mon Mar 12 06:01:56 UTC 2018
Hi Nicolas,
On Sunday 11 March 2018 05:35 PM, Nicolas Kovacs wrote:
> On 11/03/2018 at 12:31, Amos Jeffries wrote:
> OK, I got something that's starting to work.
>
> # Exceptions
> EXCEPTIONS=$(egrep -v '(^\#)|(^\s+$)' /usr/local/sbin/no-proxy.txt)
> for EXCEPTION in $EXCEPTIONS; do
> $IPT -A PREROUTING -t nat -i $IFACE_LAN -d $EXCEPTION -j ACCEPT
> done
The problem with this approach might be that domains are looked up for
their IPs at the time of rule creation and not at the time of request.
Since destinations like github.com, google.com, Facebook etc. use many
large pools of IPs, your rule might not match later in the day or after
a few days.
Better to use "ipset" along with dnsmasq and refer to that ipset in the
iptables rule to match dst.
1. ipset create _ipsetname_ bitmap:ip
2. Configure dnsmasq to populate _ipsetname_ by adding the following
lines for each domain to dnsmasq.conf:
ipset=/google.com/_ipsetname_
ipset=/github.com/_ipsetname_
...
...
3. Use dnsmasq as resolver-cache on your proxy machine and ensure that
squid uses your dnsmasq for DNS queries.
4. Add intercept iptables rules to not NAT the traffic to the destination
ipset:
iptables -A PREROUTING -t nat -i $IFACE_LAN -m set --match-set _ipsetname_ dst -j ACCEPT
Dnsmasq will keep populating the ipset as and when a resolution request
is received for the matched domains. An ipset can hold 65534 entries.
I use this approach extensively to allow Anti-Virus and Windows updates
to the machines which otherwise are not allowed to access the Internet
directly, without configuring an explicit proxy or through proxy.pac/wpad.
Regards,
Nishant
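The steps above, as an added example script that is not part of the thread: it turns a no-proxy.txt style list into dnsmasq "ipset=" lines and prints the ipset/iptables commands that exempt the set's members from the intercept NAT. The set name "noproxy", the interface "eth1" and the sample domain list are assumptions; hash:ip is used in place of bitmap:ip because bitmap:ip needs a fixed address range, which public destinations do not have.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the dnsmasq "ipset="
# lines and the ipset/iptables commands for the bypass list described
# above. Assumed names: set "noproxy", LAN interface "eth1" (override via
# SET_NAME / IFACE_LAN), and the no-proxy.txt layout (one domain per
# line, '#' comments, blank lines allowed).
SET_NAME="${SET_NAME:-noproxy}"
IFACE_LAN="${IFACE_LAN:-eth1}"

# Constructed sample in the no-proxy.txt layout.
sample_list() {
    printf '# hosts allowed to bypass the proxy\ngoogle.com\n\n  \ngithub.com\n'
}

# Drop comment and blank lines (same filter as the original egrep, with a
# portable class and '*' so that fully empty lines are dropped too).
read_domains() {
    tr -d '\r' | grep -Ev '(^#)|(^[[:space:]]*$)'
}

# One "ipset=" line per domain; dnsmasq also matches subdomains, so
# github.com covers api.github.com as well.
dnsmasq_conf() {
    read_domains | while IFS= read -r d; do
        printf 'ipset=/%s/%s\n' "$d" "$SET_NAME"
    done
}

# Commands that create the set and exempt its members from the intercept
# NAT. hash:ip is used instead of bitmap:ip because bitmap:ip needs a
# fixed address range, which public IPs do not have. -exist makes the
# create idempotent; -I puts the ACCEPT before existing REDIRECT rules.
setup_cmds() {
    printf 'ipset create %s hash:ip -exist\n' "$SET_NAME"
    printf 'iptables -t nat -I PREROUTING -i %s -m set --match-set %s dst -j ACCEPT\n' \
        "$IFACE_LAN" "$SET_NAME"
}

# Demo on the constructed list; for real use feed the real file:
#   dnsmasq_conf < /usr/local/sbin/no-proxy.txt > /etc/dnsmasq.d/noproxy.conf
sample_list | dnsmasq_conf
setup_cmds
```

Because dnsmasq only adds addresses when it answers a query, squid (and the clients, for intercepted traffic) must resolve through that dnsmasq, otherwise the set stays empty and the ACCEPT rule never matches.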