Netgate Discussion Forum
Having a whitelist of domains which should bypass squid

Off-Topic & Non-Support Discussion
4 Posts 2 Posters 6.1k Views

    steenbras, Sep 15, 2008, 9:17 AM

    Squid performs a DNS lookup on all requests, forcing them to the server identified in its DNS server. This makes it impossible to "spoof" the domain using a local hosts entry on the client. There are legitimate reasons for wanting to be able to do this, particularly in web development where you want to test production configuration on a test server by pointing your www.mydomain.com domain to the test server IP.

    I understand the concerns about cache poisoning, so I would want this whitelist not to be cached. But telling squid not to cache a domain still pushes it through the DNS lookup always referring the request to the production server IP. I also would like to this list to be controlled by an administrator, so am happy for it to be part of the squid configuration, or some sort of rule on the proxy itself.

    Can anyone help me try to set this up? I've tried a few things, and some suggestions that I received on the squid-users mailing list, but with no luck.

    Thanks

      rocky, Sep 15, 2008, 10:13 AM (edited 10:17 AM)

      I think the problem is only related to DNS, not squid (???)

      Have you ever tried adding some static entries in pfSense GUI / Services / DNS (forwarder)? These entries allow you to override the results of a DNS lookup, and this helps you to have
          foobar.your-any-domain.com
      pointed to a local IP.

      Good luck!

        steenbras, Sep 15, 2008, 12:28 PM

        That's a nice suggestion, but not absolutely what I'm after. Here's a realistic scenario.

        Domain is www.foo.com. Live IP is 111.222.333.444

        The product manager views the site at the live IP. Developers want to be able to test on their own machines, so they configure hosts so that www.foo.com resolves to 127.0.0.1. When they're ready to move to integration testing they set their hosts file to read 111.222.333.555. A tester will be viewing a release candidate version of the site by setting their hosts file to 111.222.333.666. I'm sure you get the idea.

        So at any one time, we would potentially need to be able to resolve www.foo.com to any one of 4 different IPs, depending on the client making the request. Doing this on local hosts files is nice and easy; doing it as a DNS forward override is an all-or-nothing approach.

        So I'm back to my original question - can squid be configured to effectively remove itself from processing certain domains, or could I even set up some firewall rules to divert around squid?

          rocky, Sep 15, 2008, 1:49 PM (edited 2:02 PM)

          In reality squid allows you to do that. When using pfSense you may find some options in

          WebGUI / Services / Proxy server / Access control / Whitelist

          The domains from the whitelist will be accessible to the users that are allowed to use the proxy (though they may still be blocked by squidGuard).

          I don't know if it solves your problem. At least it's the answer for your topic's title.

          > So at any one time, we would potentially need to be able to resolve www.foo.com to any one of 4 different IPs, depending on the client making the request. Doing this on local hosts files is nice and easy; doing it as a DNS forward override is an all-or-nothing approach.

          I currently have no idea for this!

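For readers following this thread, here is a squid.conf fragment that does what the pfSense "Access control / Whitelist" entry rocky mentions, plus the no-cache rule steenbras asked for. It is an added example, not configuration from either poster or from pfSense; the domain and resolver address are assumed for illustration, and the comments spell out why it still does not give per-client resolution.

```conf
# Added example (not from the thread): squid.conf equivalent of the
# pfSense Proxy server "Whitelist" entry, with caching disabled.
# The domain and the resolver address below are assumed placeholders.

# Domains that must never be served from or stored in the cache
# (addresses the cache-poisoning concern raised in the first post).
acl dev_sites dstdomain .foo.com

# Do not cache responses for those domains.
cache deny dev_sites

# Always fetch them from the origin directly, never via a cache peer.
always_direct allow dev_sites

# Caveat: squid still resolves www.foo.com itself, using the resolver
# configured here (or the system resolver), never the client's hosts
# file. Every client therefore reaches the same address, which is the
# "all-or-nothing" limitation described in the thread; a per-client
# override needs the traffic to bypass the proxy entirely.
dns_nameservers 192.0.2.53
```

The pfSense DNS forwarder override rocky suggests changes what that resolver returns for everyone behind the proxy, so it moves the single answer but does not remove the single-answer limitation.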