Bypass transparent proxy selective - RESOLVED

dhipo

i want setup transparent proxy to all clients … this is really easy on squid package.... but here in Brazil some S#1t banks are using proprietary protocols on port 80 ... then i need do an rule to bypass squid transparent proxy when destination is to that sites ... anybody knows haow can o do this ?

mhab12

Have you tried the 'do not cache' feature.  That might help but I believe the traffic will still flow through Squid on port 80, thereby getting dropped since it isn't HTTP…worth a try.

dhipo

yeap … i tried "do not cache"  with no success...

i think what the way is ...

catch all traffic to port 80, except to that sites, and redirect to squid.
traffic to that sites must pass directly..
but i can't see the way to do this in interface.
helps are welcome

dhipo

success … i did an simple hacking on squid.inc and now some sites are not catched by transparent proxy

this is the hacking ...
i changed the line
$rules .= "rdr on $iface proto tcp from any to ! ($iface) port 80 -> 127.0.0.1 port 80\n";
to this
$rules .= "rdr on $iface proto tcp from any to ! <mydirectsites> port 80 -> 127.0.0.1 port 80\n";

where mydirectsites is an aliases creates on gui and must contains the lan internal address and ip addresses of sites to not pass on squid …. in this mode i create an rule to permit traffic to port 80 of sites on mydirectsites

Speck

Hi, i tried your hack on my 1.2 release platform.

It does not work if I try to use an alias  ???

i can make this work if i specify the IP address instead of $iface, but not with alias…

any idea? is the <alias>expression right?

Thanks,

bye
Speck</alias>

dhipo

ok ..

i will try in single steps

1-  in the pfsense GUI  goto Firewall -> Aliases  and create an alias with name DirectSites , take a look on cases, and insert the LAN address in the networks list with the format 192.168.1.1/32
2- drop to the pfsense console menu option 8, and go to /usr/local/pkg
3- edit file squid.inc  and search for the line
$rules .= "rdr on $iface proto tcp from any to ! ($iface) port 80 -> 127.0.0.1 port 80\n";
to this
$rules .= "rdr on $iface proto tcp from any to ! <directsites>port 80 -> 127.0.0.1 port 80\n";
save
5- in pfsense GUI create a rule to permit traffic from LAN Subnet to alias DirectSites on port 80/443
6 - hit Save button on proxy server menu</directsites>

pfman

For some  reason, it does not work for me …..
I've followed your steps and squid + squidGuard still intercept the traffic ..... very frustrating ..
I even tried to add "always_direct" option but still have not been able to bypass squid + squidguard altogether.

any suggestion will help

T

lordarcane

I have the need of a feature quite like this on. In need squid to not catch traffic from all ip´s in my lan to some sites. As I have understood your hack, you take traffic from some internal ip´s to some external sites? Correct?

So, do you have any tips on how to make some sites to not go throught the proxy for some destination sites?

mhab12

The new version of the squid package has a 'Do Not Proxy' field where you can enter local client IPs that should bypass the proxy altogether.  That is not the focus of this post.  The method mentioned above allows traffic TO certain DESTINATION sties to bypass the proxy, not FROM certain clients.

lordarcane

Yea, but that is exactly what I want. To let traffic from all ip´s TO some sites bypass the proxy! And, the hack did not seem to do it. Since i would like to use something like this

catch everything but
    if destinatio is "www.google.se" then bypass the proxy

itsmorefun

Also note that Squid bypass firewall rules:
        case 'filter':
                foreach ($ifaces as $iface){
                        $rules .= "# Setup squid pass rules for proxy\n";
                        $rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n";
                        $rules .= "pass in quick on $iface proto tcp from any to !($iface) port $port flags S/SA keep state\n";
                        $rules .= "\n";
                        };

http://forum.pfsense.org/index.php/topic,14607.msg77308.html#msg77308

lordarcane

It really would be supersimple to just have a list in the GUI for adresses not to be forwarded through the proxy when running transparent.

Catch everything but the sites in the list. =)

sussox

I to managed to get the proxy-bypass working with this hack. Thanks for the tip! However, it would be VERY nice to have a GUI-option that does the same thing in a "legit" way. I guess this hack will break when i upgrade squid etc..

mhab12

squid.conf is rebuilt from squid.inc on each boot.  If you make your changes to squid.inc, everything should "stick".