"Bypass Proxy for These Destination IPs" breaking transparent proxy



  • Squid was trying to cache my steam downloads and caused extreme memory pressure. Tried to have squid bypass steamcontents.com. However, I found out that entering a hostname in "Bypass Proxy for These Destination IPs" breaks the proxy completely instead of bypassing certain destinations.
    pfctl -vvs nat shows that all intercept rules are gone. Relevant logs:

    Oct 18 22:00:53	php-fpm	54025	/rc.filter_configure_sync: The command '/sbin/pfctl -nf /tmp/rules.test.packages' returned exit code '1', the output was 'no IP address found for steamcontent.com /tmp/rules.test.packages:66: could not parse host specification no IP address found for steamcontent.com /tmp/rules.test.packages:67: could not parse host specification no IP address found for steamcontent.com /tmp/rules.test.packages:68: could not parse host specification'
    Oct 18 22:00:53	php-fpm	54025	/rc.filter_configure_sync: There was an error while parsing the package filter rules for /usr/local/pkg/squid.inc.
    

    Is this a bug or something?


  • Netgate Administrator

    It could be considered a bug.
    You entered something unresolvable in a field that can only take IPs or things that can resolve to IPs. I might have expected it to generate an error and be discarded but the safer thing to do is stop all traffic until the user resolves the error.
    You can open a bug report here and our developers will look at it: https://redmine.pfsense.org
    What you really need to do there is create an alias with a list of steam IPs to use. However that will be a big and changing list.

    Steve
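    The failure mode above is that one entry which is not an IP (and does not resolve) makes pfctl reject the whole ruleset, so the proxy stops rather than silently skipping the bad line. The following is an added example, not pfSense or Squid package code: a small pre-validator that sorts candidate bypass entries the way a rule loader would treat them (literal address, CIDR prefix, hostname that resolves at load time, or rejected), so a bad entry can be caught before it reaches the filter. The sample entries, the table_resolver stand-in for DNS and the RFC 5737 addresses are constructed for the demo; steamcontent.com is the name from the log lines.

```python
import ipaddress
import re
import socket

# Constructed sample of entries a user might type into the bypass field.
# steamcontent.com is the hostname from the thread; the rest are documentation
# ranges (RFC 5737) and one obviously bad value.
SAMPLE_ENTRIES = [
    "192.0.2.10",
    "198.51.100.0/24",
    "steamcontent.com",
    "cache.example.net",
    "not an ip!",
]

# RFC 1123 style hostname: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def classify(entry, resolve=socket.gethostbyname):
    """Classify one entry the way a ruleset loader would treat it.

    Returns (kind, value) where kind is one of:
      'address'  - a literal IPv4/IPv6 address
      'network'  - a CIDR prefix
      'resolved' - a hostname that resolved to an address at load time
      'rejected' - anything else, including hostnames that do not resolve
    """
    entry = entry.strip()
    try:
        return "address", str(ipaddress.ip_address(entry))
    except ValueError:
        pass
    try:
        return "network", str(ipaddress.ip_network(entry, strict=False))
    except ValueError:
        pass
    # A hostname is only usable if it resolves when the rules are loaded, which
    # is what pfctl attempts; one unresolvable name aborts the whole ruleset.
    if HOSTNAME_RE.match(entry):
        try:
            return "resolved", resolve(entry)
        except OSError:
            return "rejected", entry
    return "rejected", entry


def split_bypass_list(entries, resolve=socket.gethostbyname):
    """Return (usable, rejected): usable holds address/prefix strings ready for
    a rule, rejected holds the raw entries that would make the loader fail."""
    usable, rejected = [], []
    for entry in entries:
        kind, value = classify(entry, resolve)
        (rejected if kind == "rejected" else usable).append(value)
    return usable, rejected


def table_resolver(table):
    """Build an offline stand-in for socket.gethostbyname from a dict, raising
    socket.gaierror for unknown names just as the real resolver does."""
    def resolve(host):
        if host in table:
            return table[host]
        raise socket.gaierror(f"no IP address found for {host}")
    return resolve


if __name__ == "__main__":
    # Offline demo: only cache.example.net is "resolvable" in this fake table.
    demo = table_resolver({"cache.example.net": "203.0.113.5"})
    usable, rejected = split_bypass_list(SAMPLE_ENTRIES, demo)
    print("usable:  ", usable)
    print("rejected:", rejected)
```

    Two things the run shows: a hostname that resolves is turned into whatever address it resolved to at that moment, so a CDN name whose records change will drift out of date until the next rule reload, which is why an alias (refreshed by pfSense) is the better home for a list like Steam's; and any entry that ends up in the rejected list is the one to remove before applying, since the filter fails closed rather than dropping just that line.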



  • @stephenw10
    Yeah, now I think about it, it's a firewall trick that works when pfSense redirects HTTP to squid. It's based on IPs instead of domains.

    Is there any way to bypass squid for certain domains? The only way I can think of is to set up a host override in Unbound and point it to another squid instance, but this sounds cumbersome.



  • I'm using 2.4.3-RELEASE-p1 on an SG-2220, and in my Squid settings, under Local Cache, I've got a box for "Do Not Cache". Inside here I can enter both domains and IP addresses. Is this not where you should enter the steamcontents.com domain?

    Jeff


  • Netgate Administrator

    Not caching is not the same as not proxying though. I wouldn't expect that to make any difference here.

    Steve



  • @stephenw10 said in "Bypass Proxy for These Destination IPs" breaking transparent proxy:

    Not caching is not the same as not proxying though.

    Steve

    Ok, I agree. However, the OP did say BOTH cache and proxy in his/her first post. So, I went with cache.

    @Ender117 - Is this only 1 machine that you are using for Steam downloads? It might be possible to add the IP address (you have to use a static IP address in this case) for this Steam machine in the "Bypass Proxy for These Source IPs" box. I think that's how that function works. That should, however, bypass the proxy entirely for that single machine. Seems a little extreme...

    Jeff


  • Netgate Administrator

    Mmm, good point, that should speed things up if it's not cached.
    In fact you should check your cache settings if it's caching huge steam files. By default it won't cache very large files like that. And there is little point to doing it in most situations.

    Steve



  • @stephenw10
    Well I set the max cache size to 4M and it is still trying to cache them. Guess it was divided into small chunks on the server side so.....

    I agree that squid is not very useful nowadays, my hit rate is ~2% as reported by lightsquid. But I do sometimes visit some high latency sites and squid did help a bit in these cases.



  • @akuma1x
    Thanks for the help
    Bypassing squid for the client is not an option. It's also my workstation, not a dedicated steam box.😕
    I used the do not cache option and it worked for me. Only trick was to enter ".steamcontent.com" instead of "steamcontent.com", the little dot catches all subdomains.
    I also had to manually edit the squidav conf to bypass antivirus for steam, otherwise it will still use quite a bit of memory and lots of CPU.

    abort \.steamcontent\.com
    

    As you can see if squid can be bypassed totally for certain domains then things can be a little easier. Or if the squidav GUI is more versatile...
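    The "little dot" and the escaped dots in the squidclamav line are two different matching rules, and getting either wrong silently matches too little or too much. The following is an added example, not code from the pfSense Squid package or squidclamav: it models Squid's dstdomain semantics (a bare name matches only itself, a leading dot also matches every subdomain) and, as an assumption about how squidclamav applies an abort entry, an unanchored regex search over the full URL. The sample URLs are constructed; that the pfSense "Do Not Cache" box maps to a dstdomain ACL is also assumed.

```python
import re

# Constructed sample URLs, one for each case the leading-dot trick affects.
SAMPLE_URLS = [
    "http://steamcontent.com/depot/1",
    "http://cdn.steamcontent.com/depot/2",
    "http://steamcontentxcom.example/depot/3",
    "http://www.example.org/",
]


def host_of(url):
    """Extract the lowercase host part of a URL (no scheme, port or path)."""
    return re.sub(r"^[a-z]+://", "", url.lower()).split("/")[0].split(":")[0]


def dstdomain_match(pattern, host):
    """Squid dstdomain semantics: a bare name matches only itself, a name with
    a leading dot matches the name and every subdomain of it."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("."):
        suffix = pattern[1:]
        return host == suffix or host.endswith("." + suffix)
    return host == pattern


def abort_regex_match(pattern, url):
    """squidclamav-style 'abort <regex>' (assumed behaviour): an unanchored
    regex search over the full URL, which is why the dots are escaped."""
    return re.search(pattern, url) is not None


def check_urls(urls, dstdomain_pattern, abort_pattern):
    """Return url -> (not_cached, av_skipped) for each sample URL, using the
    same patterns the post ends up with."""
    return {
        url: (dstdomain_match(dstdomain_pattern, host_of(url)),
              abort_regex_match(abort_pattern, url))
        for url in urls
    }


if __name__ == "__main__":
    for url, (no_cache, no_av) in check_urls(
            SAMPLE_URLS, ".steamcontent.com", r"\.steamcontent\.com").items():
        print(f"{url:45} not cached={no_cache!s:5} av skipped={no_av}")
```

    Running it shows the three traps: without the leading dot, cdn.steamcontent.com is still cached; the escaped regex does not match the bare apex host because it requires a dot in front of the name; and an unescaped `steamcontent.com` regex matches unrelated hosts such as steamcontentxcom.example, because `.` matches any character.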