Netgate Discussion Forum

    Allow .exe through squid proxy

    pfSense Packages
      marcelloc

      If it's on a single machine, just allow its IP.

      Are you using transparent proxy?

      Elite training: http://sys-squad.com

      Help a community developer! ;D

        mrsquash2

        Yes, I am using transparent proxy.

        The .exe file is on about 60 machines so I would like to let the .exe pass through the proxy for all systems on my domain.

          marcelloc

          If you change your .exe file to fetch it via HTTPS, it will not be filtered by Squid.

            mrsquash2

            Unfortunately, the .exe is part of a distributed package from a 3rd party vendor. Therefore I cannot alter their software.

              Nachtfalke

              You can bypass the proxy for a destination IP.
              So if your exe always connects to the same IP (range), then add this to the bypass list in the Squid GUI.

                mrsquash2

                Isn't the bypass list something that allows an internal client to bypass the proxy altogether?

                The only thing I have found so far to test is:

                Edit the squid.inc file:

                $rules .= "\n# Setup Squid proxy redirect\n";
                if ($squid_conf['private_subnet_proxy_off'] == 'on') {
                    foreach ($ifaces as $iface) {
                        // Do not redirect port-80 traffic for these destinations to Squid
                        $rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 166.73.20.226/32, 166.73.20.167/32, 166.73.20.43/32, 66.238.16.200/32 } port 80\n";
                    }
                }

                  marcelloc

                  This rule says not to forward traffic to Squid for these IPs.

                    Nachtfalke

                    @mrsquash2:

                    Isn't the bypass list something that allows an internal client to bypass the proxy altogether?
                    (…)

                    It depends on what you allow to bypass. You can bypass the proxy by SOURCE IP or you can bypass the proxy by DESTINATION IP.

                    If you allow by SOURCE IP you are right, the host will bypass the proxy entirely.
                    That's why I said you should use DESTINATION IP. Then the proxy will only be bypassed for this dest. IP but all other IPs must pass the proxy.

                      mrsquash2

                      When I go to Services > Proxy Server I have the option "Bypass proxy for these source IPs" with a description of "Do not forward traffic from these source IPs through the proxy server but directly through the firewall. Separate by semi-colons (;)."

                      Are you saying that I can put DESTINATION IPs in here as well?

                        marcelloc

                        @mrsquash2:

                        Are you saying that I can put DESTINATION IPs in here as well?

                        Isn't the next field "Bypass proxy for these destination IPs"?
                        Do not proxy traffic going to these destination IPs, CIDR nets, hostnames, or aliases, but let it pass directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode]

                          mrsquash2

                          I don't have that option.

                          I'm using:

                          Squid v2.7.8_1
                          SquidGuard v1.3-2
                          Lightsquid v1.7.1 pkg v.1.2

                          Do I need to upgrade to a newer version?

                            marcelloc

                            @mrsquash2:

                            Do I need to upgrade to a newer version?

                            It's been in both Squid versions (2.7.9 pkg v.4.3.1 and 3.1.20 pkg 2.0.5_5), on the first package GUI tab, for a long time.

                              mrsquash2

                              Upgraded to 2.7.9 pkg v.4.3.1 and added the IP DESTINATION bypass.

                              All seems to be working now.

                              Thanks!

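An added example, not part of the original thread and not the pfSense Squid package's own code: a Python check that parses a semicolon-separated destination bypass list, flags entries that widen the bypass more than intended, and builds the `no rdr` rule in the form quoted in the thread next to a source-based form for contrast. The sample addresses, the interface name `em1`, the /16 threshold and the source-rule syntax are assumptions.

```python
import ipaddress

# Constructed sample value for the "Bypass proxy for these destination IPs" field
# (documentation address ranges, not the addresses from the thread).
SAMPLE_FIELD = "192.0.2.10; 198.51.100.0/24;203.0.113.7/32; 0.0.0.0/0; updates.example.com"

MIN_PREFIX = 16  # assumption: IPv4 nets wider than /16 deserve a second look


def parse_bypass_field(field):
    """Split the semicolon-separated field into (networks, hostnames, warnings)."""
    networks, names, warnings = [], [], []
    for raw in field.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Not an IP or CIDR net: the field also accepts hostnames and aliases.
            names.append(entry)
            warnings.append(f"{entry}: hostname or alias, bypass scope follows its contents")
            continue
        if net.prefixlen < MIN_PREFIX:
            warnings.append(f"{net}: very broad, most port-80 traffic would skip the proxy")
        networks.append(net)
    return networks, names, warnings


def destination_rule(iface, networks):
    """Rule form quoted in the thread: no redirect for traffic TO these destinations."""
    targets = ", ".join(str(n) for n in networks)
    return f"no rdr on {iface} proto tcp from any to {{ {targets} }} port 80"


def source_rule(iface, networks):
    """Assumed source-based counterpart: these clients skip the proxy for every site."""
    clients = ", ".join(str(n) for n in networks)
    return f"no rdr on {iface} proto tcp from {{ {clients} }} to any port 80"


if __name__ == "__main__":
    nets, names, warns = parse_bypass_field(SAMPLE_FIELD)
    print(destination_rule("em1", nets))  # em1 is a hypothetical LAN interface
    print(source_rule("em1", nets[:1]))
    for w in warns:
        print("WARN", w)
```

The destination form keeps every client behind the proxy except for traffic to the listed addresses, which is why it suits a vendor update service reached from about 60 machines.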
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.