squid working, but how to bypass



  • I have caching working in MITM mode (not transparent) with the custom config / PAC below.

    My problem is that Dropbox, email, etc. on the clients are being blocked by the proxy.
    This was not happening in transparent mode, but the PAC defaults to returning DIRECT.
    Also, with transparent mode I used an alias, proxybypass.

    # Peek at the ClientHello (step 1), splice (pass through without decrypting) any
    # server name on the whitelist (step 2), and bump everything else.
    acl step1 at_step SslBump1
    acl step2 at_step SslBump2
    acl noBumpSites ssl::server_name -i "/var/squid/acl/whitelist.acl"
    ssl_bump peek step1
    ssl_bump splice step2 noBumpSites
    ssl_bump bump all
    

    Using the following proxy.pac file:

    function FindProxyForURL(url, host) {

        // If the hostname matches, send direct.
        if (dnsDomainIs(host, "local.lan") ||
            shExpMatch(host, "(*.local.lan|local.lan)"))
            return "DIRECT";

        // If the protocol or URL matches, send direct.
        else if (url.substring(0, 4) == "ftp:")
            return "DIRECT";

        // If the requested website is hosted within the internal network, send direct.
        else if (isPlainHostName(host) ||
            shExpMatch(host, "*.local.lan") ||
            isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
            isInNet(dnsResolve(host), "192.168.0.0", "255.255.255.0") ||
            isInNet(dnsResolve(host), "192.168.1.0", "255.255.255.0") ||
            isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
            return "DIRECT";

        // If the IP address of the local machine is within a defined
        // subnet, send to a specific proxy.
        else if (isInNet(myIpAddress(), "192.168.0.0", "255.255.255.0"))
            return "PROXY 192.168.0.1:3128";

        else if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
            return "PROXY 192.168.1.1:3128";

        // DEFAULT RULE: all other traffic goes direct.
        return "DIRECT";
    }
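As an added example (not code from the original post), here is an offline Node.js harness for checking PAC routing decisions before a file is pushed to clients. Browsers normally supply dnsDomainIs, shExpMatch, isInNet, dnsResolve and myIpAddress; they are re-implemented here with Mozilla-style semantics so the PAC logic can be exercised without a browser. It also shows the client-side form of the bypass the thread is asking about: a list of domains, in Squid dstdomain style, whose traffic goes DIRECT before any other rule. The DNS table, the workstation address and the two bypass names are constructed assumptions.

```javascript
"use strict";
// Added example, not from the thread: offline harness for a proxy.pac file.
// The PAC helper functions below imitate what a browser provides (Mozilla semantics).

// Constructed DNS table standing in for the resolver; unknown names return null,
// as a browser's dnsResolve() does.
const FAKE_DNS = {
  "intranet": "10.1.2.3",
  "fileserver.local.lan": "192.168.0.20",
  "www.dropbox.com": "203.0.113.10",   // documentation-range address, not Dropbox's
  "example.org": "203.0.113.20",
};
const CLIENT_IP = "192.168.0.55";       // assumed address of the workstation evaluating the PAC

function dnsResolve(host) { return FAKE_DNS[host] || null; }
function myIpAddress() { return CLIENT_IP; }
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.substring(host.length - domain.length) === domain;
}
// Shell-glob match: '*' -> '.*', '?' -> '.', '.' escaped; other characters pass through to the
// RegExp, which is why the "(a|b)" alternation in the PAC above works in Firefox.
function shExpMatch(str, pattern) {
  const re = pattern.replace(/\./g, "\\.").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
function ipToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(s));
  if (!m) return null;
  return ((+m[1] << 24) | (+m[2] << 16) | (+m[3] << 8) | +m[4]) >>> 0;
}
function isInNet(ipaddr, pattern, maskstr) {
  const ip = ipToInt(ipaddr), net = ipToInt(pattern), mask = ipToInt(maskstr);
  if (ip === null || net === null || mask === null) return false;  // null from dnsResolve() => not internal
  return ((ip & mask) >>> 0) === ((net & mask) >>> 0);
}

// Squid dstdomain style: ".dropbox.com" matches dropbox.com and every subdomain.
// The two names are the ones mentioned in the reply; the list itself is an assumption.
const BYPASS_DOMAINS = [".dropbox.com", ".pokerstars.com"];
function inDomainList(host, list) {
  return list.some(d => host === d.replace(/^\./, "") || dnsDomainIs(host, d));
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // 1. Applications that cannot talk to the proxy go DIRECT before anything else.
  if (inDomainList(host, BYPASS_DOMAINS)) return "DIRECT";
  // 2. Local names and FTP go direct.
  if (isPlainHostName(host) || host === "local.lan" || dnsDomainIs(host, ".local.lan")) return "DIRECT";
  if (url.substring(0, 4) === "ftp:") return "DIRECT";
  // 3. Anything resolving inside the internal ranges goes direct (resolve once, not per test).
  const ip = dnsResolve(host);
  if (isInNet(ip, "10.0.0.0", "255.0.0.0") ||
      isInNet(ip, "192.168.0.0", "255.255.255.0") ||
      isInNet(ip, "192.168.1.0", "255.255.255.0") ||
      isInNet(ip, "127.0.0.0", "255.0.0.0")) return "DIRECT";
  // 4. Everything else: the proxy for the client's own subnet, DIRECT if none is defined.
  const me = myIpAddress();
  if (isInNet(me, "192.168.0.0", "255.255.255.0")) return "PROXY 192.168.0.1:3128";
  if (isInNet(me, "192.168.1.0", "255.255.255.0")) return "PROXY 192.168.1.1:3128";
  return "DIRECT";
}

// Evaluates a list of sample URLs and returns {url: decision} for review.
function routingTable(samples) {
  const out = {};
  for (const u of samples) out[u] = FindProxyForURL(u, new URL(u).hostname);
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(routingTable([
    "https://www.dropbox.com/", "https://example.org/", "http://intranet/",
    "ftp://example.org/pub", "https://fileserver.local.lan/", "https://nowhere.test/",
  ]));
}
```

Run it with node to print the decision for each sample; a name the resolver does not know (nowhere.test) still goes to the proxy because isInNet() treats a null address as "not internal", which is the behaviour you want from the DIRECT rules in the PAC above.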
    


  • Some applications do not work well with a PAC file.

    Are you using authentication?
    Based on your config, it seems that you are bumping everything; have you tried splice all?

    Based on the problems I had, I found this:

    Some apps can work with a PAC file, others not.
    Some apps can work with proxy authentication, like Kerberos for example, others not.

    So sometimes you will see Access Denied in Squid, because apps like Pokerstars, for example, are not carrying credentials to the proxy.

    Here, I have a Squid proxy with SSO, using Kerberos.

    Some apps don't work if I set DIRECT in the PAC file; however, they do work when I set a bypass like this:

    before_auth:

    # This allows everything to pokerstars.com and dropbox.com to go through
    # the proxy without authentication
    acl whitelist dstdomain .pokerstars.com .dropbox.com
    auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -k /usr/local/etc/squid/mykeytab.keytab
    auth_param negotiate children 100
    auth_param negotiate keep_alive on
    # This allows the whitelist before auth is required
    http_access allow whitelist
    acl auth proxy_auth REQUIRED
    http_access deny !auth
    http_access allow auth

