Netgate Discussion Forum

Need to Allow certain sites through proxy [Solved]

    Equiping (Nov 12, 2009, 7:46 AM; last edited Nov 13, 2009, 12:09 AM)

    Prelim
    Oh man, I feel woefully inadequate in this area and I apologise ahead of time for my inane questions. I have ordered the new pfSense book but that's not due to arrive till the end of December; I have trawled Google, this site and the pfSense main site and doc site for answers, but I just can't find what I need, so I've come here.

    I am administering our site, a contractor installed pfSense for us, and when I have asked him questions about our set-up I have gotten the distinct impression he did not really understand the system and certainly could not tell me how to achieve what I want to achieve.

    What I think I've worked out
    As far as I can tell our system is set up with pfSense as a peripheral firewall with squid proxy enabled. It is not a transparent proxy, our proxy port is 3128.

    I think I have worked out that basically any client request for a website is first evaluated by the squid proxy then passed on to the firewall for evaluation hence:

    LAN Client --> Squid Proxy = authorised user/password? OK --> Firewall = Not blocked site? --> WAN

    My problem
    I want to allow Ubuntu machines on our site to have unfettered access for updating and upgrading - i.e. they won't need to authenticate against the proxy to do updates and upgrades. I have entered IP ranges for the Ubuntu update sites in our firewall but I just don't have a clue about where to set these in the proxy.
    At the moment in /var/squid/log/access.log when an Ubuntu user tries to update or upgrade I get entries like:
    1258010920.301      1 192.168.5.118 TCP_DENIED/407 1927 GET http://au.archive.ubuntu.com/ubuntu/dists/karmic-security/multiverse/binary-amd64/Packages.gz - NONE/- text/html

    Now, as far as I can tell this is a block from the proxy not the firewall.

    My question
    What I would like to do is allow all requests to *.ubuntu.com free access without having to authenticate against the proxy - where do I set this, and how, please?

    TIA
    Karl

    1.2.3-RC3
    built on Tue Oct 6 01:32:12 UTC 2009

      Perry (Nov 12, 2009, 8:56 AM)

      Might help
      http://wiki.squid-cache.org/SquidFaq/WindowsUpdate#How_do_I_stop_Squid_popping_up_the_Authentication_box_for_Windows_Update.3F

      /Perry
      doc.pfsense.org

        Equiping (Nov 12, 2009, 9:11 AM; last edited Nov 12, 2009, 9:44 AM)

        Perry, thanks for that. Do you know if it's possible to have the rule stating all subdomains of the main domain? What I mean is *.ubuntu.com rather than having to define all the possible subdomains such as au.archive.ubuntu.com, archive.ubuntu.com, changlog.ubuntu.com etc. etc. etc.

        Also, one of the benefits of pfSense is its ability to be controlled through the web GUI rather than modifying config files, so is there a way of achieving this through the GUI?

        I tried adding ubuntu.com and au.archive.ubuntu.com in "Proxy filter SquidGuard: Destinations" but I'm still being blocked with 407.

          Perry (Nov 12, 2009, 9:46 AM)

          The list shows

          acl windowsupdate dstdomain .update.microsoft.com

          so .ubuntu.com would be my guess.

          /Perry
          doc.pfsense.org

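What Perry's ACL line looks like inside a complete http_access section, as an added example that is not from the thread or from the pfSense squid package: a dstdomain ACL for the Ubuntu mirrors placed ahead of the proxy-auth rule, so requests to those hosts are allowed before Squid ever issues the 407 challenge. The ACL names, the `password` auth ACL and the 192.168.5.0/24 LAN range are assumptions.

```squid
# Added example: the relevant part of a squid.conf.
# ACL names and the LAN range are assumed, not taken from the thread.

# Existing authentication ACL: a request that reaches an http_access line
# using it without credentials gets the TCP_DENIED/407 seen in access.log.
acl password proxy_auth REQUIRED

# LAN hosts that may fetch updates without logging in to the proxy.
acl lan src 192.168.5.0/24

# Ubuntu mirrors. The leading dot makes dstdomain match ubuntu.com itself
# and every subdomain (au.archive.ubuntu.com, security.ubuntu.com, ...);
# without the dot, Squid's dstdomain matches only that exact host name.
acl ubuntu_updates dstdomain .ubuntu.com

# Order is what matters: Squid evaluates http_access top to bottom and stops
# at the first matching line. Neither "lan" nor "ubuntu_updates" is an auth
# ACL, so this line matches without challenging the client at all.
http_access allow lan ubuntu_updates

# Everything else still has to authenticate.
http_access allow password
http_access deny all
```

Squid picks up an edited file after `squid -k reconfigure` without a full restart; on pfSense, bear in mind that the squid package rewrites squid.conf from its GUI settings whenever they are saved, so a hand edit does not survive the next save.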
            Equiping (Nov 12, 2009, 10:51 AM)

            Yes, that was my guess too. But when, within the pfSense web GUI, I entered that into
            "Proxy filter SquidGuard: Destinations" it comes back with

            The following input errors were detected:

            * DEST 'Ubuntu': Item '.ubuntu.com' is not a domain.

            I'm a bit loath to edit squid.conf directly for fear of breaking our system, but I can do it as an experiment and restore a backed-up copy I guess. So after editing squid.conf, would the changes take place immediately or do I need to restart something? Similarly, after making changes in "Proxy filter SquidGuard: Destinations" should they be reflected immediately, or does something need to be applied or restarted? There's no "Apply" button like in the Firewall section.

              mhab12 (Nov 12, 2009, 3:54 PM)

              It's way easier than you're thinking, just put

              ubuntu.com

              in the whitelist under Proxy Server/Access Control and you'll be all set. I can't comment on the integration between SquidGuard and Squid, but I would think this would override anything in SquidGuard that is blocking the domain. Listing a domain in the whitelist without a leading period allows ALL sub-domains; if you only want to allow certain sub-domains, lead the entry with them, i.e.

              allowedsubdomain.ubuntu.com

              In Squid ACLs, a period is a wild card but it is not necessary when listing domains.  If you want to block sub-domains, you'll have to list those out in the blacklist.

                Equiping (Nov 13, 2009, 12:07 AM)

                mhab12 thanks for that, it was the key I was looking for.
