Netgate Discussion Forum

    squid working, but how to bypass

    Cache/Proxy
    2 Posts 2 Posters 831 Views
    4o4rh:

      I have caching working in MITM mode (not transparent) with the custom config / PAC below.

      My problem is that Dropbox, email, etc. on the clients are being blocked by the proxy.
      This was not happening in transparent mode, but the PAC has a default of return DIRECT.
      Also, with transparent mode I used an alias, proxybypass.

      # Peek at the TLS ClientHello (step 1), then splice (pass through unbumped)
      # any server name listed in the whitelist file; bump everything else.
      acl step1 at_step SslBump1
      acl step2 at_step SslBump2
      acl nobumpSites ssl::server_name -i "/var/squid/acl/whitelist.acl"
      ssl_bump peek step1
      ssl_bump splice step2 nobumpSites
      ssl_bump bump all
      

      Using the following proxy.pac file:

      function FindProxyForURL(url, host) {

          // If the hostname is in the local domain, send direct.
          // (shExpMatch takes shell globs, not "(a|b)" alternation, so the
          // bare domain is checked with an exact comparison.)
          if (dnsDomainIs(host, "local.lan") ||
              shExpMatch(host, "*.local.lan") ||
              host == "local.lan")
              return "DIRECT";

          // If the protocol is FTP, send direct.
          else if (url.substring(0, 4) == "ftp:")
              return "DIRECT";

          // If the requested website is hosted within the internal network, send direct.
          else if (isPlainHostName(host) ||
              isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
              isInNet(dnsResolve(host), "192.168.0.0", "255.255.255.0") ||
              isInNet(dnsResolve(host), "192.168.1.0", "255.255.255.0") ||
              isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
              return "DIRECT";

          // If the IP address of the local machine is within a defined
          // subnet, send to that subnet's proxy.
          else if (isInNet(myIpAddress(), "192.168.0.0", "255.255.255.0"))
              return "PROXY 192.168.0.1:3128";

          else if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
              return "PROXY 192.168.1.1:3128";

          // DEFAULT RULE: all other traffic (only clients outside the subnets above
          // reach this point) goes direct.
          return "DIRECT";
      }
      
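To see what the PAC above actually decides for a client on the LAN, here is an added harness (not part of the post) that supplies the helper functions a browser normally provides and runs the same logic offline. The DNS table, client addresses and hostnames are constructed test data; the glob fix for the `local.lan` check is applied so the first branch behaves as intended.

```javascript
// Added example (not from the forum post): evaluates the posted PAC logic
// offline by supplying the helper functions a browser normally provides.
// The DNS table and client addresses below are constructed test data.

const DNS = {                       // constructed: hostname -> IPv4
  "fileserver.local.lan": "192.168.0.20",
  "www.dropbox.com": "162.125.1.1",
  "mail.example.com": "93.184.216.34",
};
let clientIp = "192.168.0.50";      // constructed: what myIpAddress() returns

// --- Standard PAC helpers (Netscape semantics), enough to run the function ---
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function isPlainHostName(host) { return !host.includes("."); }
function dnsResolve(host) { return DNS[host] || null; }   // null when unresolvable
function myIpAddress() { return clientIp; }
function shExpMatch(str, shexp) {
  // Shell-style glob: only * and ? are special; there is no (a|b) alternation,
  // which is why "(*.local.lan|local.lan)" never matches anything.
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}
function isInNet(ip, net, mask) {
  if (!ip) return false;            // dnsResolve() failed: treat as not on any local net
  return ((ipToInt(ip) & ipToInt(mask)) >>> 0) === ((ipToInt(net) & ipToInt(mask)) >>> 0);
}

// --- The posted PAC logic, with the glob fixed ---
function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, "local.lan") || shExpMatch(host, "*.local.lan") || host == "local.lan")
    return "DIRECT";
  else if (url.substring(0, 4) == "ftp:")
    return "DIRECT";
  else if (isPlainHostName(host) ||
           isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
           isInNet(dnsResolve(host), "192.168.0.0", "255.255.255.0") ||
           isInNet(dnsResolve(host), "192.168.1.0", "255.255.255.0") ||
           isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
    return "DIRECT";
  else if (isInNet(myIpAddress(), "192.168.0.0", "255.255.255.0"))
    return "PROXY 192.168.0.1:3128";
  else if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
    return "PROXY 192.168.1.1:3128";
  return "DIRECT";   // only reached by clients outside the two proxied subnets
}

// Evaluate the PAC as a client at `ip` would, for a given URL/host.
function routeFrom(ip, url, host) {
  clientIp = ip;
  return FindProxyForURL(url, host);
}

// Walk a few constructed cases and return the decision table.
function decisionTable() {
  const cases = [
    ["192.168.0.50", "https://www.dropbox.com/", "www.dropbox.com"],
    ["192.168.0.50", "http://fileserver.local.lan/", "fileserver.local.lan"],
    ["192.168.0.50", "ftp://mail.example.com/", "mail.example.com"],
    ["192.168.0.50", "https://unknown.example.org/", "unknown.example.org"],
    ["192.168.1.7",  "https://mail.example.com/", "mail.example.com"],
    ["10.5.5.5",     "https://www.dropbox.com/", "www.dropbox.com"],
  ];
  return cases.map(([ip, url, host]) => ({ ip, host, route: routeFrom(ip, url, host) }));
}

for (const row of decisionTable())
  console.log(row.ip.padEnd(14), row.host.padEnd(22), row.route);
```

Run with `node pac-harness.js`. The table shows the point that matters for the question: for any client on 192.168.0.0/24 or 192.168.1.0/24, every host that is not local (Dropbox, mail servers, and even a hostname that fails to resolve) is sent to the proxy; the final `return "DIRECT"` is reached only by clients outside those two subnets, so it does not act as a bypass for LAN clients.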
      mcury:

        Some applications do not work well with a PAC file.

        Are you using authentication?
        Based on your config, it seems that you are bumping everything. Have you tried splice all?

        Based on the problems I had, I found this:

        Some apps can work with a PAC file, others not.
        Some apps can work with proxy authentication, like Kerberos for example, others not.

        So, sometimes you will see Access Denied in Squid, because apps like PokerStars, for example, are not carrying credentials to the proxy.

        Here, I have a Squid proxy with SSO, using Kerberos.

        Some apps don't work if I set DIRECT in the PAC file; however, they do work when I set a bypass like this:

        before_auth:

        # Everything to these domains (and their subdomains) goes through the
        # proxy without authentication.
        acl whitelist dstdomain .pokerstars.com .dropbox.com
        auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -k /usr/local/etc/squid/mykeytab.keytab
        auth_param negotiate children 100
        auth_param negotiate keep_alive on
        # Allow the whitelist before authentication is required.
        http_access allow whitelist
        acl auth proxy_auth REQUIRED
        http_access deny !auth
        http_access allow auth

        dead on arrival, nowhere to be found.

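The bypass in the post works because of where the `http_access allow whitelist` line sits: Squid evaluates `http_access` rules top down and stops at the first match. The following is an added simulator (not from the post or from Squid itself) of that first-match evaluation and of `dstdomain` leading-dot matching; ACLs, rules and requests are constructed test data, and a "deny" for an unauthenticated request stands in for the 407 challenge / Access Denied that apps without proxy credentials run into.

```javascript
// Added example (not from the post): a small simulator of Squid's first-match
// http_access evaluation, showing why "http_access allow whitelist" has to sit
// before "http_access deny !auth". ACLs, rules and requests are constructed.

// ACL definitions mirroring the posted config.
const acls = {
  whitelist: { type: "dstdomain", values: [".pokerstars.com", ".dropbox.com"] },
  auth:      { type: "proxy_auth" },
};

// dstdomain semantics: a leading dot matches the domain itself and every
// subdomain; without the dot only an exact hostname match counts.
function dstdomainMatch(host, pattern) {
  host = host.toLowerCase();
  if (pattern.startsWith(".")) return host === pattern.slice(1) || host.endsWith(pattern);
  return host === pattern;
}

function aclMatches(name, req) {
  const acl = acls[name];
  if (!acl) throw new Error("undefined acl " + name);
  switch (acl.type) {
    case "dstdomain":  return acl.values.some(p => dstdomainMatch(req.host, p));
    case "proxy_auth": return req.authenticated === true;   // REQUIRED: any valid user
    default: throw new Error("unsupported acl type " + acl.type);
  }
}

// rules: [{ action: "allow"|"deny", acl: "name" or "!name" }, ...]
// Squid stops at the first rule whose ACL matches; if no rule matches, the
// result is the opposite of the last rule's action.
function evaluate(rules, req) {
  for (const rule of rules) {
    const negate = rule.acl.startsWith("!");
    const name = negate ? rule.acl.slice(1) : rule.acl;
    if (aclMatches(name, req) !== negate) return rule.action;
  }
  return rules[rules.length - 1].action === "allow" ? "deny" : "allow";
}

// The order from the post: whitelist first, then the authentication gate.
const postedOrder = [
  { action: "allow", acl: "whitelist" },
  { action: "deny",  acl: "!auth" },
  { action: "allow", acl: "auth" },
];
// The same lines with the whitelist moved below the gate.
const whitelistAfterGate = [
  { action: "deny",  acl: "!auth" },
  { action: "allow", acl: "whitelist" },
  { action: "allow", acl: "auth" },
];

// Decision for one request under both orderings.
function compareOrders(host, authenticated) {
  const req = { host, authenticated };
  return { posted: evaluate(postedOrder, req), moved: evaluate(whitelistAfterGate, req) };
}

for (const [host, authed] of [["www.dropbox.com", false], ["dropbox.com", false],
                              ["dropbox.com.example.net", false], ["news.example.com", false],
                              ["news.example.com", true]]) {
  console.log(host.padEnd(24), authed ? "authenticated  " : "no credentials ",
              JSON.stringify(compareOrders(host, authed)));
}
```

With the posted order, an app that sends no credentials is allowed to `*.dropbox.com` and `dropbox.com` but still denied everywhere else; move the whitelist line below `deny !auth` and the same app is denied even for Dropbox. The `dropbox.com.example.net` case shows that the leading-dot form does not match a lookalike hostname that merely contains the whitelisted domain.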
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.