SQUID - How to not use the proxy for certain IPs / sites? -> Direct connection



  • Hello,

    we are using pfSense in the latest stable version plus the squid package. On the local PCs we are using Firefox with the squid caching proxy enabled for non-SSL plus SSL filtering (non-transparent mode) via man-in-the-middle-filtering. Everything works fine so far with caching via squid for SSL and non-SSL sites.

    We now need a possibility to exclude squid usage for establishing a direct connection for certain sites / IPs to the PC. In short we need to bypass the caching proxy for certain sites / IPs.
    The reason is that on the PC there is a USB smart card reader and a third party software component (authentication client software for a connection to a certain website).

    Explanation:

    We have to go to a certain website like https://www.safeconnection.com. If we press on this site “Login” this site needs to communicate with the software component on the local PC (which connects on the other hand to the local attached smart card reader).
    If we visit the website now (with squid) we receive an error with a “connection problem” between the website and the software component.
    I have to use another browser that is not connected via squid to get it to work.

    So how can we bypass the proxy?

    I believe I have to use: Package->Proxy Server->General Settings->General->Advanced Features->Custom ACLS (Before Auth) to enter a custom ACL for always_direct: http://www.squid-cache.org/Doc/config/always_direct/

    But I am not able to figure out what I have to insert in this box?

    a) What exactly do I have to enter there?
    b) How do I find the needed sites/IPs/ports to exclude? (edit: should be visible in the “real time” menu of squid)

    Maybe someone is much more firm in this, help is highly appreciated ;D



  • If anyone else has this problem. The ACL always_direct just means no caching but the connection is established via squid proxy.

    The only solution I found is to bypass the proxy within the browser itself. There is a possibility to enter an exception for certain sites that are excluded from the proxy. By the way, depending on the configuration of pfSense (e.g. if blocking all internet traffic except squid) a firewall rule must be added to allow the certain IP to establish a connection to the certain site via a certain port.

    Maybe someone will find this helpful.



  • Why use MITM? Wouldn’t it be easier to deploy WPAD and add entries for the hostnames/addresses you want a direct connection on?



  • We have the same problem… we have installed a Diladele web filter on our pfSense using peek-n-splice for scanning SSL traffic. WPAD does not work with the iOS devices in our WLAN. The clients have to install our CA cert if they want to use the WLAN. The default browser on the mobile devices is using the cert and we can scan the traffic. But apps like Facebook and WhatsApp do not use DNS - they use IPs to connect to their services. If you enter these IPs into the “Bypass Proxy for These Destination IPs” field on the squid config page on the pfSense they will connect directly. But I think this is a bad solution to add all IPs separated by semicolons in this one-line field… so I’m trying to add these directly to the squid conf… if you say the “always_direct” ACL does not work - there must be another ACL rule for this… anybody have an idea?
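A PAC/WPAD file of the kind suggested in the reply above, as an added example that is not from the thread, pfSense or squid: the smart-card login site and a sample destination IP range go DIRECT, everything else goes through squid. The proxy address 192.168.1.1:3128, the 203.0.113.0/24 range and the domain list are assumed placeholders; the dnsDomainIs/isInNet stand-ins exist only so the file runs outside a browser, which supplies the real PAC functions (the real isInNet also resolves hostnames, the stand-in matches literal IPs only).

```javascript
// Browsers provide dnsDomainIs()/isInNet() inside the PAC sandbox; these
// minimal stand-ins let the same file be exercised in Node for testing.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
function ip4ToInt(ip) {
  return ip.split('.').reduce((acc, o) => ((acc << 8) | parseInt(o, 10)) >>> 0, 0);
}
function isInNet(host, pattern, mask) {
  // stand-in: only literal dotted-quad hosts are matched (no DNS lookup)
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false;
  return (ip4ToInt(host) & ip4ToInt(mask)) === (ip4ToInt(pattern) & ip4ToInt(mask));
}

// placeholder pfSense LAN address and squid port
var SQUID = "PROXY 192.168.1.1:3128";
// hostname from the thread; a leading dot also matches any subdomain
var DIRECT_DOMAINS = ["www.safeconnection.com", ".safeconnection.com"];
// placeholder range for apps that connect by IP (TEST-NET-3, constructed)
var DIRECT_NETS = [["203.0.113.0", "255.255.255.0"]];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // loopback never goes through the proxy
  if (host === "localhost" || isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  for (var i = 0; i < DIRECT_DOMAINS.length; i++) {
    if (host === DIRECT_DOMAINS[i] || dnsDomainIs(host, DIRECT_DOMAINS[i])) {
      return "DIRECT";
    }
  }
  for (var j = 0; j < DIRECT_NETS.length; j++) {
    if (isInNet(host, DIRECT_NETS[j][0], DIRECT_NETS[j][1])) return "DIRECT";
  }
  // everything else via squid; fall back to DIRECT only if squid is unreachable
  return SQUID + "; DIRECT";
}
```

As the second reply notes, the pfSense firewall must still allow the LAN clients to reach those DIRECT destinations on the required ports, otherwise the bypass fails at the firewall instead of at the proxy.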

