[squid-users] Bypass squid using iptables

Amos Jeffries squid3 at treenet.co.nz
Mon May 25 06:54:43 UTC 2020


On 21/05/20 3:49 am, Ben Goz wrote:
> B.H.
> 
> I'm using squid with the c-icap module for specific content filtering. I
> configured squid with ssl bump, so websites with WSS won't work on it, as
> mentioned in the squid documentation. So for such URLs (with WSS) I need
> to bypass squid. I read in some posts that squid doesn't fully support
> bypassing URLs and the best way is to bypass it via iptables.
> 
> Eventually I redirect browser traffic to my proxy machine using the local
> machine proxy settings, and it redirects traffic to my machine with IP
> x.x.x.x port 3128.
> 
> If I want to use the conservative iptables bypassing, how should I
> configure my machine, and what should the iptables rules look like?
> 

Since you are redirecting the traffic to Squid in the first place, all
you have to do is *not* redirect the relevant traffic. See your firewall
software documentation on how to configure that.


The hard part is figuring out which traffic you want the proxy to
service, and what to bypass given only a TCP SYN packet.


Be aware that once a TCP SYN+ACK packet is delivered to accept the
connection, Squid *has* to service that TCP connection in its entirety.
Such 'service' may mean terminating it without any traffic, tunneling it
elsewhere, or full processing of the traffic.
Either way Squid is the agent servicing it. You cannot have iptables
suddenly divert packets to other software mid-stream.


HTH
Amos
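As an added example (not from the thread or the Squid project) of Amos's point that the bypass is simply the traffic you never redirect: a POSIX shell script that builds an iptables nat chain with the exemptions placed before the REDIRECT to port 3128. It assumes the traffic is intercepted by an iptables REDIRECT on the proxy host, uses constructed placeholder networks, and, because only the SYN is available at that point, matches exemptions on destination address and port, not on hostname or TLS SNI.

```shell
#!/bin/sh
# Added example: build nat-table rules that send port-443 traffic to
# Squid on 3128 except for an exemption list evaluated *before* the
# REDIRECT. Decisions here can only use what a SYN carries: destination
# address and port. Hostname/SNI-based bypass is not possible at this layer.

IPT="${IPT:-echo iptables}"   # dry-run by default; set IPT=iptables to apply
SQUID_PORT="${SQUID_PORT:-3128}"
CHAIN="SQUID_INTERCEPT"

# Constructed placeholder networks whose HTTPS (and therefore WSS)
# traffic must never be handed to Squid. Not real addresses.
BYPASS_NETS="203.0.113.0/24 198.51.100.10/32"

# Print the rule list in order. Returning the rules on stdout lets the
# ordering be checked without touching the live firewall.
build_rules() {
    chain="$1"; port="$2"; nets="$3"
    echo "-t nat -N $chain"
    for n in $nets; do
        # Exemptions first: RETURN leaves the chain before REDIRECT is reached.
        echo "-t nat -A $chain -p tcp --dport 443 -d $n -j RETURN"
    done
    echo "-t nat -A $chain -p tcp --dport 443 -j REDIRECT --to-ports $port"
    # Hook the chain into PREROUTING last, so it is never half-populated.
    echo "-t nat -A PREROUTING -p tcp --dport 443 -j $chain"
}

# Run (or, by default, echo) each rule through iptables.
apply_rules() {
    build_rules "$CHAIN" "$SQUID_PORT" "$BYPASS_NETS" | while read -r rule; do
        # shellcheck disable=SC2086
        $IPT $rule
    done
}

# Sanity check: succeed only if no REDIRECT rule precedes any RETURN rule,
# i.e. every exemption is evaluated before traffic is sent to Squid.
check_order() {
    build_rules "$1" "$2" "$3" | awk '
        /-j RETURN/   { last_ret = NR }
        /-j REDIRECT/ { if (!first_red) first_red = NR }
        END { exit !(first_red > last_ret) }'
}
```

Run the script as-is to see the rule list; exporting IPT=iptables applies it.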

