Squid 3.1 transparent proxy omits HTTP exceptions (PEBKAC?)



  • G'day

    This is a 2.1-BETA1 (yeah, not yet had the time to reboot) with Squid 3.1 in semi-prod that I configured to listen on OPT4 in transparent mode. While I'm still playing with the squid Proxy, I realize that by using the transparent Proxy some of my HTTP rules are actually omitted or ignored.

    Currently I have a rule on the Interface of the students that says "HTTP is allowed to any - except some IP-Ranges" that are internal stuff like the Laserjet's Network Cards which I'd now want students to gain access through the Firewall :-)

    As soo as I disable squid on the Interface of the students, the rule gets applied, otherwise everything goes through the squid proxy and I can't really decide on the Firewall/pf level how to disallow this.

    Is there a good way to have either squid / squidguard or (preferred) pf have control over http rules when using?
    (should I go with squid 3.3 although it's not yet a stable package?)

    – Mat



  • @MatSim:

    Is there a good way to have either squid / squidguard or (preferred) pf have control over http rules when using?
    (should I go with squid 3.3 although it's not yet a stable package?)

    while using transparent proxy, all you need is to configure allowed(whitelisted) ips and blocked(blacklisted) ips on squid acls.

    squid 3.3 is a good choice as it has ssl filtering and squid 3.1 is deprecated.

    Test it on labs first as it still needs some manual libs fetch and version change to get latest 3.3.5.

    follow squid 3.3.4 thread to apply all manual fixes.



  • MatSim,

    you coul have a look at the "bypass proxy" options on squid. In my environment I bypass proxy for all internal communication.
    If you bypass the proxy for some source/destination IPs then the pfsense firewall rules need to do the job for port 80 (http).

    If you do not bypass the proxy for that traffic then you must configure ACLs on squid which allow/deny that traffic on port 80 (http).