Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Having a whitelist of domains which should bypass squid

    Scheduled Pinned Locked Moved
    Off-Topic & Non-Support Discussion
    2
    4
    6.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      steenbras
      last edited by

      Squid performs a DNS lookup on all requests, forcing them to the server identified in its DNS server. This makes it impossible to "spoof" the domain using a local hosts entry on the client. There are legitimate reasons for wanting to be able to do this, particularly in web development where you want to test production configuration on a test server by pointing your www.mydomain.com domain to the test server IP.

      I understand the concerns about cache poisoning, so I would want this whitelist not to be cached. But telling squid not to cache a domain still pushes it through the DNS lookup always referring the request to the production server IP. I also would like to this list to be controlled by an administrator, so am happy for it to be part of the squid configuration, or some sort of rule on the proxy itself.

      Can anyone help me try to set this up? I've tried a few things, and some suggestions that I received on the squid-users mailing list, but with no luck.

      Thanks

      1 Reply Last reply Reply Quote 0
      • R
        rocky
        last edited by

        I think the problem is only related to DNS, not squid (???)

        Have you ever tried to add some static entries in pfSense Gui / Services / DNS (forwarder) ?? These entries allow you to override the results of DNS lookup. And this helps you to have
            foobar.your-any-domain.com
        pointed to a local ip

        Good luck!

        1 Reply Last reply Reply Quote 0
        • S
          steenbras
          last edited by

          That's a nice suggestion, but not absolutely what I'm after. Here's a realistic scenario.

          Domain is www.foo.com. Live IP is 111.222.333.444

          The product manager views the site at the live IP. Developers want to be able to test on their own machines, so they configure hosts so that www.foo.com resolves to 127.0.0.1. When they're ready to move to integration testing they set their hosts file to read 111.222.333.555. A tester will be viewing a release candidate version of the site by setting their hosts file to 111.222.333.666. I'm sure you get the idea.

          So at any one time, we would potentially need to be able to resolve www.foo.com to any one of 4 different IPs, depending on the client making the request. Doing this on local hosts files is nice and easy; doing it as a DNS forward override is an all-or-nothing approach.

          So I'm back to my original question - can squid be configured to effectively remove itself from processing certain domains, or could I even set up some firewall rules to divert around squid?

          1 Reply Last reply Reply Quote 0
          • R
            rocky
            last edited by

            In reality squid allows you to do that. When using pfSense you may find some options in

            WebGUI / Services / Proxy server / Access control / Whitelist

            The domains from the whilelist will be accessable to the users that are allowed to use the proxy.  (though they may still be block by squidGuard).

            I don't know if it solves your problem. At least it's the anwser for you topic's title.

            So at any one time, we would potentially need to be able to resolve www.foo.com to any one of 4 different IPs, depending on the client making the request. Doing this on local hosts files is nice and easy; doing it as a DNS forward override is an all-or-nothing approach.

            I currenlty have no idea for this!

            1 Reply Last reply Reply Quote 0
            • First post
              Last post