[squid-users] make URL bypass squid proxy
ngtech1ltd at gmail.com
Thu Jun 29 00:38:53 UTC 2023
Hey Rob,
The first thing is to allow the domain in the http_access just to be sure, and use a basic deny all bottom line.
Let me try to simplify your squid.conf
In a link:
https://gist.github.com/elico/b49f4a28d4b5db5ba882b10d40872d5e
In plain text:
## START OF FILE
# SSL Interception basic rules
acl DiscoverSNIHost at_step SslBump1
acl NoSSLInterceptRegEx ssl::server_name_regex (^|.*\.)redshift3d\.com$
acl NoSSLInterceptRegExFile ssl::server_name_regex "/usr/local/squid/etc/no-intercept-ssl-regex.txt"
acl NoSSLInterceptDstDom ssl::server_name .redshift3d.com
acl NoSSLInterceptDstDomFile ssl::server_name "/usr/local/squid/etc/no-intercept-ssl-dstdom.txt"
## any-of matches when any of the listed ACLs matches; they are tested in order, first match wins
acl NoSSLInterceptAnyOf any-of NoSSLInterceptDstDom NoSSLInterceptDstDomFile NoSSLInterceptRegEx NoSSLInterceptRegExFile
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLInterceptAnyOf
ssl_bump bump all
#SSL Bump port
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
## http_access acls apply to incoming requests, not to responses
## anchored at the scheme and limited to the host part so a path like /x.redshift3d.com/ on another host cannot match
acl special_url_regex url_regex ^https?://([^/]*\.)?redshift3d\.com(/|$)
acl special_url_regex_file url_regex "/usr/local/squid/etc/special_url_regex.txt"
acl special_url_dst_dom dstdomain .redshift3d.com
acl special_url_dst_dom_file dstdomain "/usr/local/squid/etc/special_url_dstdom.txt"
acl special_url_any_of any-of special_url_dst_dom special_url_dst_dom_file special_url_regex special_url_regex_file
acl localnet src 192.168.0.0/16
acl localnet src 10.0.0.0/8
http_access allow localnet special_url_any_of
http_access deny all
## END OF FILE
Once the above works, try to add other http_access rules like the reply access rules.
Let me know what happens,
Eliezer
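An added example, not part of the thread, to check what the ACL values in the squid.conf above actually match before loading them. It emulates the two ACL families the config combines: hostname matching as done by ssl::server_name / dstdomain (leading dot matches the domain and its subdomains, case-insensitive) and regex matching as done by ssl::server_name_regex / url_regex (unanchored POSIX ERE search, case-sensitive without -i). Python's re is used as a stand-in for Squid's regex engine, which is an assumption; for these patterns both treat a mid-pattern ^ as an anchor. The hostnames and URLs are constructed test inputs, and the "fixed" url_regex is my own suggested form, not something from the thread.

```python
import re

# Constructed sample inputs: SNI names as seen at SslBump1 and request
# URLs as seen by http_access. Not taken from the thread.
SNI_SAMPLES = [
    "redshift3d.com",
    "www.redshift3d.com",
    "WWW.Redshift3d.com",
    "notredshift3d.com",
    "redshift3d.com.evil.test",
]
URL_SAMPLES = [
    "https://redshift3d.com/",
    "https://www.redshift3d.com/licensing",
    "https://redshift3d.com",
    "https://notredshift3d.com/",
    "https://evil.test/x.redshift3d.com/",
    "redshift3d.com:443",  # how Squid renders a CONNECT request URL
]

# ACL values as written in the thread's squid.conf ...
SERVER_NAME_DSTDOM = ".redshift3d.com"
SERVER_NAME_REGEX = r"(^|.*\.)redshift3d\.com$"
URL_REGEX_ORIGINAL = r"https?://(^|.*\.)redshift3d\.com\/"
# ... and a url_regex anchored at the scheme and confined to the host part.
# Assumption: this is the form I would use, it is not from the thread.
URL_REGEX_FIXED = r"^https?://([^/]*\.)?redshift3d\.com(/|$)"


def match_dstdomain(acl_value, host):
    """Emulate Squid dstdomain / ssl::server_name matching.

    A leading dot matches the domain itself and every subdomain; without a
    dot the match is exact. Assumption: Squid compares hostnames
    case-insensitively, so both sides are lowercased here.
    """
    host = host.lower().rstrip(".")
    acl_value = acl_value.lower()
    if acl_value.startswith("."):
        return host == acl_value[1:] or host.endswith(acl_value)
    return host == acl_value


def match_regex(acl_regex, text):
    """Emulate url_regex / ssl::server_name_regex without -i: an unanchored,
    case-sensitive search. A '^' in the middle of the pattern is still an
    anchor, so '(^|.*\\.)' after 'https?://' can only ever take the '.*\\.'
    branch and the bare domain never matches."""
    return re.search(acl_regex, text) is not None


def evaluate_sni(host):
    """Result of the two ssl::server_name style ACLs for one SNI value."""
    return {
        "dstdomain": match_dstdomain(SERVER_NAME_DSTDOM, host),
        "regex": match_regex(SERVER_NAME_REGEX, host),
    }


def evaluate_url(url):
    """Result of the original and the fixed url_regex for one request URL."""
    return {
        "original": match_regex(URL_REGEX_ORIGINAL, url),
        "fixed": match_regex(URL_REGEX_FIXED, url),
    }


if __name__ == "__main__":
    print("SNI                         dstdomain  regex")
    for host in SNI_SAMPLES:
        r = evaluate_sni(host)
        print(f"{host:28s}{str(r['dstdomain']):11s}{r['regex']}")
    print()
    print("URL                                   original  fixed")
    for url in URL_SAMPLES:
        r = evaluate_url(url)
        print(f"{url:38s}{str(r['original']):10s}{r['fixed']}")
```

Two things the table makes visible: the original url_regex does not match https://redshift3d.com/ at all, while it does match https://evil.test/x.redshift3d.com/ because the unanchored `.*` happily crosses the path, so the whitelist entry would be both too narrow and too wide. The CONNECT form redshift3d.com:443 matches neither url_regex, which is why the any-of ACL also carries the dstdomain entry. Mixed-case SNI matches the dstdomain entry but not the regex, another reason to keep both forms or add -i.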
From: robert k Wild <robertkwild at gmail.com>
Sent: Tuesday, June 27, 2023 09:36
To: ngtech1ltd at gmail.com
Cc: Squid Users <squid-users at lists.squid-cache.org>
Subject: Re: [squid-users] make URL bypass squid proxy
Hi Eliezer,
This is a snippet of my whitelist and no-intercept SSL config:
#SSL Interception
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex "/usr/local/squid/etc/interceptssl.txt"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all
#
#SSL Bump
http_port 3128 ssl-bump cert=/usr/local/squid/etc/ssl_cert/myCA.pem generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
sslcrtd_program /usr/local/squid/libexec/security_file_certgen -s /var/lib/ssl_db -M 4MB
#
#deny up MIME types
acl upmime req_mime_type "/usr/local/squid/etc/mimedeny.txt"
#
#deny URL links
acl url_links url_regex "/usr/local/squid/etc/linksurl.txt"
#
#allow special URL paths
acl special_url url_regex "/usr/local/squid/etc/urlspecial.txt"
#
#deny down MIME types
acl downmime rep_mime_type "/usr/local/squid/etc/mimedeny.txt"
#
http_reply_access allow special_url
http_reply_access deny downmime
#http_access deny upmime
#http_access deny url_links
#
#HTTP_HTTPS whitelist websites
acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhite.txt"
#
http_access allow activation whitelist
http_access deny all
So basically no SSL interception:
#SSL Interception
acl DiscoverSNIHost at_step SslBump1
acl NoSSLIntercept ssl::server_name_regex "/usr/local/squid/etc/interceptssl.txt"
ssl_bump peek DiscoverSNIHost
ssl_bump splice NoSSLIntercept
ssl_bump bump all
and whitelisting:
#HTTP_HTTPS whitelist websites
acl whitelist ssl::server_name_regex "/usr/local/squid/etc/urlwhite.txt"
In both txt files, i.e.
/usr/local/squid/etc/interceptssl.txt
/usr/local/squid/etc/urlwhite.txt
I have a URL that first I have to whitelist, and then, if I want squid not to inspect the URL traffic, I put it in the SSL interception file (I do this as some websites don't like MITM).
But even putting the URL in question in both files, I'm still having issues with this website, i.e. it's still being detected that it's passing through a proxy.
Thanks,
Rob
On Mon, 26 Jun 2023 at 23:35, <ngtech1ltd at gmail.com> wrote:
Hey Robert,
I am not sure what forward proxy setup you have there.
A simple forward proxy?
What tool are you using for whitelisting?
You can use an external ACL helper to allow dynamic updates of the whitelists, or periodically update your lists and reload.
It will depend on the size of your lists.
What OS are you using for your squid proxy?
More details will help us help you.
Eliezer
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of robert k Wild
Sent: Monday, June 26, 2023 22:25
To: Squid Users <squid-users at lists.squid-cache.org>
Subject: [squid-users] make URL bypass squid proxy
Hi all,
I have set up squid for URL whitelisting and no-intercept SSL (see below):
https://wiki.squid-cache.org/ConfigExamples/Caching/AdobeProducts
But for some websites I want the client to bypass the squid proxy and go straight to the website, as I think this is why a URL isn't working even when I add the URL to both files, i.e. urlwhite and no-intercept SSL.
Thanks,
Rob
--
Regards,
Robert K Wild.