4. squid working, but how to bypass

squid working, but how to bypass

  • G

    I have caching working in MITM mode not transparent with the below custom config / pac.

    my problem is, dropbox, email, etc on the clients are being blocked by the proxy.
    this was not happening in transparent mode, but the pac has default to return DIRECT.
    Also with transparent i used an alias proxybypass

    acl step1 at_step SslBump1
acl step2 at_step SslBump2
acl nobumpSites ssl::server_name -i "/var/squid/acl/whitelist.acl"
ssl_bump peek step1
ssl_bump splice step2 noBumpSites
ssl_bump bump all

    using the following proxy.pac file

    function FindProxyForURL(url, host) {
 
//If the hostname matches, send direct.
	if (dnsDomainIs(host, "local.lan") ||
        shExpMatch(host, "(*.local.lan|local.lan)"))
   	return "DIRECT";
 // If the protocol or URL matches, send direct.
	else if (url.substring(0, 4)=="ftp:" )
   	return "DIRECT";
 
// If the requested website is hosted within the internal network, send direct.
    else if (isPlainHostName(host) ||
        shExpMatch(host, "*.local.lan") ||
        isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
        isInNet(dnsResolve(host), "192.168.0.0",  "255.255.255.0") ||
        isInNet(dnsResolve(host), "192.168.1.0",  "255.255.255.0") ||
        isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
        return "DIRECT";
 
// If the IP address of the local machine is within a defined
// subnet, send to a specific proxy.
    else if (isInNet(myIpAddress(), "192.168.0.0", "255.255.255.0"))
        return "PROXY 192.168.0.1:3128";

	else if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
        return "PROXY 192.168.1.1:3128";
 
// DEFAULT RULE: All other traffic, use below proxies, in fail-over order.
    return "DIRECT";
}
    0
  • M

    Some applications do not work well with PAC file.

    Are you using authentication ?
    Based on your config, it seems that you are bumping everything, tried splice all?

    Based on the problems I had, I found this:

    Some apps can work with PAC file, others not.
    Some apps can work with proxy authentication, like Kerberos for an exemple, others not.

    So, sometimes you will see Access Denied in Squid, because the apps like Pokerstars for an example are not carrying credentials to the proxy.

    Here, I have a Squid proxy with SSO, using Kerberos.

    Some apps don't work if I set Direct at the PAC file, however, they do work when I set a bypass like this:

    before_auth:

    acl whitelist dstdomain .pokerstars.com .dropbox.com <---- This allow everything to pokerstars.com and dropbox.com to go through the proxy without authentication
    auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -k /usr/local/etc/squid/mykeytab.keytab
    auth_param negotiate children 100
    auth_param negotiate keep_alive on
    http_access allow whitelist <----- This allow whitelist before auth is required
    acl auth proxy_auth REQUIRED
    http_access deny !auth
    http_access allow auth

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy