Squid blocking app's web socket to 127.0.0.1?

AR15USR

I have an application that uses a browser plugin that is being blocked by Squid. The app is a password manager, 1Password. Please see their explanation below. Question is, how do I bypass the proxy for 127.0.0.1 for my local machine only as stated by their support? I tried the method in their link below but it is not working. Second question, should one even do this, is it safe?

1Passwords support response:

It is possible the following page *may* help.

https://support.1password.com/configure-os-x-proxy/

It will show you how to whitelist or bypass the proxy for communication destined for the localhost but more specifically 127.0.0.1 which we find isn't always included in the definition of localhost.

Now it may only help and the reason is that there are times where OS X will ignore the bypass list. In this cases it means the server supplying the proxy configuration needs to whitelist 127.0.0.1, quite likely a tougher one to solve unless we're talking about a request to a local IT team.

The reason we're affected is that the 1Password Browser Extension uses a WebSocket to communicate with 1Password mini and uses the address 127.0.0.1 to do so. No messages ever leave the machine but there are many categories of software that by default don't exclude localhost and the result is we're blocked.

Squids Realtime Log:

27.06.2016 05:46:53	192.168.1.5	TCP_DENIED/403	127.0.0.1:59488	-	-
27.06.2016 05:46:53	192.168.1.5	TCP_DENIED/403	127.0.0.1:55735	-	-
27.06.2016 05:46:53	192.168.1.5	TCP_DENIED/403	127.0.0.1:49806	-	-
27.06.2016 05:46:52	192.168.1.5	TCP_DENIED/403	127.0.0.1:46365	-	-
27.06.2016 05:46:52	192.168.1.5	TCP_DENIED/403	127.0.0.1:38156	-	-
27.06.2016 05:46:52	192.168.1.5	TCP_DENIED/403	127.0.0.1:25012	-	-
27.06.2016 05:46:52	192.168.1.5	TCP_DENIED/403	127.0.0.1:24866	-	-
27.06.2016 05:46:52	192.168.1.5	TCP_DENIED/403	127.0.0.1:14826

I'm running:
2.3.1-RELEASE-p5 (amd64)
built on Thu Jun 16 12:53:15 CDT 2016
FreeBSD 10.3-RELEASE-p3

Local machine is: OS X 10.11.5

AR15USR

Bump..

aGeekhere

What are your firewall rules? Looks like it is getting blocked by a rule, are you forcing your router to be the DNS server? , does this program use a DNS server other then your server?

AR15USR

Screenshots attached. I didn't add the block 80-443 rule because I have a machine that needs to bypass the proxy FYI.

Nachtfalke

Depends on what squid mode you are using.

transparent mode - then just add 127.0.0.1 to "bypass proxy for these destination IP"
non-transparent mode - then add this IP address 127.0.0.1 to your PROXY.PAC file or configure your browser to bypass this destination IP address.

AR15USR

@Nachtfalke:

non-transparent mode - then add this IP address 127.0.0.1 to your PROXY.PAC file or configure your browser to bypass this destination IP address.

What code exactly do I use for that?
Here is what I currently have:

function FindProxyForURL(url, host) 
{ 
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(dnsResolve(host), "192.168.1.0",  "255.255.255.0"))
        return "DIRECT";

        if (isInNet(dnsResolve(host), "192.168.2.0",  "255.255.255.0" ))
        { return "DIRECT"; }

    return "PROXY 192.168.1.1:3128";
} 

Nachtfalke

This could help:

    if (isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
        isInNet(dnsResolve(host), "172.16.0.0",  "255.240.0.0") ||
        isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
        isInNet(dnsResolve(host), "169.254.0.0", "255.255.0.0") ||
        isInNet(dnsResolve(host), "240.0.0.0", "240.0.0.0") ||
        isInNet(dnsResolve(host), "127.0.0.0", "255.0.0.0"))
    {
    return "DIRECT";
    }

or

    if (shExpMatch(host, "*.local") ||
		shExpMatch(host, "*.localhost") ||
		shExpMatch(host, "127.0.0.1"))
    {
    return "DIRECT";
    }

And I would always use this on top:

// Normalize the URL for pattern macthing
url = url.toLowerCase();
host = host.toLowerCase();

AR15USR

@Nachtfalke:

This could help:

    if (isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
        isInNet(dnsResolve(host), "172.16.0.0",  "255.240.0.0") ||
        isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
        isInNet(dnsResolve(host), "169.254.0.0", "255.255.0.0") ||
        isInNet(dnsResolve(host), "240.0.0.0", "240.0.0.0") ||
        isInNet(dnsResolve(host), "127.0.0.0", "255.0.0.0"))
    {
    return "DIRECT";
    }

or

    if (shExpMatch(host, "*.local") ||
		shExpMatch(host, "*.localhost") ||
		shExpMatch(host, "127.0.0.1"))
    {
    return "DIRECT";
    }

And I would always use this on top:

// Normalize the URL for pattern macthing
url = url.toLowerCase();
host = host.toLowerCase();

Thanks Nachtfalke, this seems to have worked. I don't see it in my Squid logs anymore. I still see it in the firewall logs but its not being blocked now..

AR15USR

OK, so its been a couple months and this is still working great except for the firewall log entries. They are taking up about 50% of my log at this point.  Do you know how to stop the logging of it?

Sep 2 05:45:03	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:64605	  127.0.0.1:53	UDP
Sep 2 05:45:03	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:64605	  127.0.0.1:53	UDP
Sep 2 05:45:03	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:44799	  127.0.0.1:53	UDP
Sep 2 05:45:03	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:44799	  127.0.0.1:53	UDP
Sep 2 05:45:03	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:11717	  127.0.0.1:53	UDP
Sep 2 05:45:03	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:11717	  127.0.0.1:53	UDP
Sep 2 05:45:03	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:4938	  127.0.0.1:53	UDP
Sep 2 05:45:03	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:4938	  127.0.0.1:53	UDP
Sep 2 05:45:03	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:27865	  127.0.0.1:53	UDP
Sep 2 05:45:03	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:27865	  127.0.0.1:53	UDP
Sep 2 05:45:03	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:15276	  127.0.0.1:53	UDP
Sep 2 05:45:03	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:15276	  127.0.0.1:53	UDP
Sep 2 05:45:03	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:61394	  127.0.0.1:53	UDP
Sep 2 05:45:03	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:61394	  127.0.0.1:53	UDP
Sep 2 05:45:03	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:63615	  127.0.0.1:53	UDP
Sep 2 05:45:03	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:63615	  127.0.0.1:53	UDP
Sep 2 05:45:02	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:58802	  127.0.0.1:53	UDP
Sep 2 05:45:02	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:58802	  127.0.0.1:53	UDP
Sep 2 05:45:02	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:1871	  127.0.0.1:53	UDP
Sep 2 05:45:02	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:1871	  127.0.0.1:53	UDP

Nachtfalke

Status –> System Logs --> Settings
Dsiable "Log packets matched from the default pass rules put in the ruleset"

OR

Create a specific Firewall rule with destination "127.0.0.1" , action=allow and port=any and source=any and siable logging.
So traffic will match this specific rule and will be allowed but not logged.

AR15USR

@Nachtfalke:

Status –> System Logs --> Settings
Dsiable "Log packets matched from the default pass rules put in the ruleset"

OR

Create a specific Firewall rule with destination "127.0.0.1" , action=allow and port=any and source=any and siable logging.
So traffic will match this specific rule and will be allowed but not logged.

Well, your first suggestion stops all pass logging it seems. The second suggestion didn't work. I'm guessing since the traffic is on the lo0 interface?