Netgate Discussion Forum
    Squid blocking app's web socket to 127.0.0.1?

    AR15USR:

      I have an application that uses a browser plugin that is being blocked by Squid. The app is a password manager, 1Password. Please see their explanation below. Question is, how do I bypass the proxy for 127.0.0.1 for my local machine only as stated by their support? I tried the method in their link below but it is not working. Second question, should one even do this, is it safe?

      1Password's support response:

      It is possible the following page *may* help.
      
      https://support.1password.com/configure-os-x-proxy/
      
      It will show you how to whitelist or bypass the proxy for communication destined for the localhost but more specifically 127.0.0.1 which we find isn't always included in the definition of localhost.
      
      Now it may only help and the reason is that there are times where OS X will ignore the bypass list. In these cases it means the server supplying the proxy configuration needs to whitelist 127.0.0.1, quite likely a tougher one to solve unless we're talking about a request to a local IT team.
      
      The reason we're affected is that the 1Password Browser Extension uses a WebSocket to communicate with 1Password mini and uses the address 127.0.0.1 to do so. No messages ever leave the machine but there are many categories of software that by default don't exclude localhost and the result is we're blocked.
      
      

      Squid's Realtime Log:

      
      27.06.2016 05:46:53	192.168.1.5	TCP_DENIED/403	127.0.0.1:59488	-	-
      27.06.2016 05:46:53	192.168.1.5	TCP_DENIED/403	127.0.0.1:55735	-	-
      27.06.2016 05:46:53	192.168.1.5	TCP_DENIED/403	127.0.0.1:49806	-	-
      27.06.2016 05:46:52	192.168.1.5	TCP_DENIED/403	127.0.0.1:46365	-	-
      27.06.2016 05:46:52	192.168.1.5	TCP_DENIED/403	127.0.0.1:38156	-	-
      27.06.2016 05:46:52	192.168.1.5	TCP_DENIED/403	127.0.0.1:25012	-	-
      27.06.2016 05:46:52	192.168.1.5	TCP_DENIED/403	127.0.0.1:24866	-	-
      27.06.2016 05:46:52	192.168.1.5	TCP_DENIED/403	127.0.0.1:14826
      

      I'm running:
      2.3.1-RELEASE-p5 (amd64)
      built on Thu Jun 16 12:53:15 CDT 2016
      FreeBSD 10.3-RELEASE-p3

      Local machine is: OS X 10.11.5


      2.6.0-RELEASE

      AR15USR:

        Bump..


        aGeekhere:

          What are your firewall rules? It looks like it is getting blocked by a rule. Are you forcing your router to be the DNS server? Does this program use a DNS server other than your server?

          Never Fear, A Geek is Here!

          AR15USR:

            Screenshots attached. I didn't add the block 80-443 rule because I have a machine that needs to bypass the proxy FYI.



              Nachtfalke:

              Depends on what squid mode you are using.

              transparent mode - then just add 127.0.0.1 to "bypass proxy for these destination IP"
              non-transparent mode - then add this IP address 127.0.0.1 to your PROXY.PAC file or configure your browser to bypass this destination IP address.

                AR15USR:

                @Nachtfalke:

                non-transparent mode - then add this IP address 127.0.0.1 to your PROXY.PAC file or configure your browser to bypass this destination IP address.

                What code exactly do I use for that?
                Here is what I currently have:

                function FindProxyForURL(url, host)
                {
                    if (isPlainHostName(host) ||
                        shExpMatch(host, "*.local") ||
                        isInNet(dnsResolve(host), "192.168.1.0", "255.255.255.0"))
                        return "DIRECT";

                    if (isInNet(dnsResolve(host), "192.168.2.0", "255.255.255.0"))
                        return "DIRECT";

                    return "PROXY 192.168.1.1:3128";
                }
                

                  Nachtfalke:

                  This could help:

                  
                      if (isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
                          isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0") ||
                          isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
                          isInNet(dnsResolve(host), "169.254.0.0", "255.255.0.0") ||
                          isInNet(dnsResolve(host), "240.0.0.0", "240.0.0.0") ||
                          isInNet(dnsResolve(host), "127.0.0.0", "255.0.0.0"))
                      {
                          return "DIRECT";
                      }
                  
                  

                  or

                  
                      if (shExpMatch(host, "*.local") ||
                          shExpMatch(host, "*.localhost") ||
                          shExpMatch(host, "127.0.0.1"))
                      {
                          return "DIRECT";
                      }
                  
                  

                  And I would always use this on top:

                  
                  // Normalize the URL and host for pattern matching
                  url = url.toLowerCase();
                  host = host.toLowerCase();

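An added worked example, not code from the thread, from 1Password or from pfSense: it evaluates the PAC posted above against the loopback bypass suggested in the reply, using offline stand-ins for the browser's PAC helpers (`isInNet`, `dnsResolve`, `shExpMatch`, `isPlainHostName`). The DNS table, host names and the 12345 port are constructed for the test; it shows why `localhost` was already bypassed (a plain host name) while `127.0.0.1` was still sent to Squid.

```javascript
// Stand-ins for the PAC helpers a browser provides; FAKE_DNS is a
// constructed lookup table so this runs offline.
const FAKE_DNS = {
  "localhost": "127.0.0.1",
  "intranet.example": "192.168.1.20",   // constructed LAN host
  "www.example.com": "203.0.113.10",    // constructed external host
};

function ip2int(ip) {
  return ip.split(".").reduce((n, o) => ((n << 8) + Number(o)) >>> 0, 0);
}
function dnsResolve(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host;   // IPv4 literal
  return FAKE_DNS[host] || null;                           // null: no answer
}
function isInNet(ip, net, mask) {
  if (!ip) return false;                                   // unresolved host
  const m = ip2int(mask);
  return ((ip2int(ip) & m) >>> 0) === ((ip2int(net) & m) >>> 0);
}
function shExpMatch(str, glob) {
  const re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                 .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }

// Equivalent of the PAC posted earlier: 127.0.0.1 is not a plain host name,
// not *.local and not in 192.168.x.0/24, so it is handed to Squid.
function findProxyOriginal(url, host) {
  if (isPlainHostName(host) || shExpMatch(host, "*.local") ||
      isInNet(dnsResolve(host), "192.168.1.0", "255.255.255.0") ||
      isInNet(dnsResolve(host), "192.168.2.0", "255.255.255.0"))
    return "DIRECT";
  return "PROXY 192.168.1.1:3128";
}

// The same PAC with the loopback bypass from the reply evaluated first,
// so anything in 127.0.0.0/8 (and *.localhost) never reaches the proxy.
function findProxyFixed(url, host) {
  host = host.toLowerCase();                               // normalize first
  if (isInNet(dnsResolve(host), "127.0.0.0", "255.0.0.0") ||
      shExpMatch(host, "*.localhost") || host === "localhost")
    return "DIRECT";
  return findProxyOriginal(url, host);
}
```

Note that the bypass only covers requests whose host is a loopback address or name; a WebSocket to the machine's own LAN address would still go through the proxy unless that subnet is listed too.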
                    AR15USR:

                    @Nachtfalke:

                    This could help:

                    
                        if (isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
                            isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0") ||
                            isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
                            isInNet(dnsResolve(host), "169.254.0.0", "255.255.0.0") ||
                            isInNet(dnsResolve(host), "240.0.0.0", "240.0.0.0") ||
                            isInNet(dnsResolve(host), "127.0.0.0", "255.0.0.0"))
                        {
                            return "DIRECT";
                        }
                    
                    

                    or

                    
                        if (shExpMatch(host, "*.local") ||
                            shExpMatch(host, "*.localhost") ||
                            shExpMatch(host, "127.0.0.1"))
                        {
                            return "DIRECT";
                        }
                    
                    

                    And I would always use this on top:

                    
                    // Normalize the URL and host for pattern matching
                    url = url.toLowerCase();
                    host = host.toLowerCase();
                    
                    

                    Thanks Nachtfalke, this seems to have worked. I don't see it in my Squid logs anymore. I still see it in the firewall logs but it's not being blocked now.


                      AR15USR:

                      OK, so it's been a couple of months and this is still working great except for the firewall log entries. They are taking up about 50% of my log at this point. Do you know how to stop the logging of it?

                      Sep 2 05:45:03	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:64605	  127.0.0.1:53	UDP
                      Sep 2 05:45:03	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:64605	  127.0.0.1:53	UDP
                      Sep 2 05:45:03	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:44799	  127.0.0.1:53	UDP
                      Sep 2 05:45:03	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:44799	  127.0.0.1:53	UDP
                      Sep 2 05:45:03	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:11717	  127.0.0.1:53	UDP
                      Sep 2 05:45:03	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:11717	  127.0.0.1:53	UDP
                      Sep 2 05:45:03	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:4938	  127.0.0.1:53	UDP
                      Sep 2 05:45:03	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:4938	  127.0.0.1:53	UDP
                      Sep 2 05:45:03	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:27865	  127.0.0.1:53	UDP
                      Sep 2 05:45:03	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:27865	  127.0.0.1:53	UDP
                      Sep 2 05:45:03	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:15276	  127.0.0.1:53	UDP
                      Sep 2 05:45:03	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:15276	  127.0.0.1:53	UDP
                      Sep 2 05:45:03	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:61394	  127.0.0.1:53	UDP
                      Sep 2 05:45:03	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:61394	  127.0.0.1:53	UDP
                      Sep 2 05:45:03	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:63615	  127.0.0.1:53	UDP
                      Sep 2 05:45:03	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:63615	  127.0.0.1:53	UDP
                      Sep 2 05:45:02	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:58802	  127.0.0.1:53	UDP
                      Sep 2 05:45:02	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:58802	  127.0.0.1:53	UDP
                      Sep 2 05:45:02	lo0	pass IPv4 loopback (1000004761)	  127.0.0.1:1871	  127.0.0.1:53	UDP
                      Sep 2 05:45:02	► lo0	let out anything IPv4 from firewall host itself (1000004765)	  127.0.0.1:1871	  127.0.0.1:53	UDP
                      

                        Nachtfalke:

                        Status -> System Logs -> Settings
                        Disable "Log packets matched from the default pass rules put in the ruleset"

                        OR

                        Create a specific firewall rule with destination "127.0.0.1", action=allow, port=any, source=any, and disable logging.
                        So traffic will match this specific rule and will be allowed but not logged.

                          AR15USR:

                          @Nachtfalke:

                          Status -> System Logs -> Settings
                          Disable "Log packets matched from the default pass rules put in the ruleset"

                          OR

                          Create a specific firewall rule with destination "127.0.0.1", action=allow, port=any, source=any, and disable logging.
                          So traffic will match this specific rule and will be allowed but not logged.

                          Well, your first suggestion stops all pass logging it seems. The second suggestion didn't work. I'm guessing since the traffic is on the lo0 interface?

