Netgate Discussion Forum

    Squid 3.1 transparent proxy omits HTTP exceptions (PEBKAC?)

    pfSense Packages
    3 Posts, 3 Posters, 1.5k Views
      msi

      G'day

      This is a 2.1-BETA1 (yeah, not yet had the time to reboot) with Squid 3.1 in semi-prod that I configured to listen on OPT4 in transparent mode. While I'm still playing with the squid Proxy, I realize that by using the transparent Proxy some of my HTTP rules are actually omitted or ignored.

      Currently I have a rule on the Interface of the students that says "HTTP is allowed to any - except some IP-Ranges" that are internal stuff like the Laserjet's Network Cards which I'd now want students to gain access through the Firewall :-)

      As soon as I disable squid on the Interface of the students, the rule gets applied, otherwise everything goes through the squid proxy and I can't really decide on the Firewall/pf level how to disallow this.

      Is there a good way to have either squid / squidguard or (preferred) pf have control over http rules when using it?
      (should I go with squid 3.3 although it's not yet a stable package?)

      – Mat

        marcelloc

        @MatSim:

        Is there a good way to have either squid / squidguard or (preferred) pf have control over http rules when using?
        (should I go with squid 3.3 although it's not yet a stable package?)

        While using transparent proxy, all you need is to configure allowed (whitelisted) IPs and blocked (blacklisted) IPs on squid ACLs.

        Squid 3.3 is a good choice as it has SSL filtering, and squid 3.1 is deprecated.

        Test it on labs first as it still needs some manual libs fetch and version change to get latest 3.3.5.

        Follow the squid 3.3.4 thread to apply all manual fixes.

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

          Nachtfalke

          MatSim,

          you could have a look at the "bypass proxy" options on squid. In my environment I bypass the proxy for all internal communication.
          If you bypass the proxy for some source/destination IPs, then the pfSense firewall rules need to do the job for port 80 (http).

          If you do not bypass the proxy for that traffic then you must configure ACLs on squid which allow/deny that traffic on port 80 (http).
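
          The two answers above describe the same decision from opposite sides: either keep the traffic in Squid and express the exception as ACLs (marcelloc), or bypass the proxy for those destinations so the existing pf rule on OPT4 applies again (Nachtfalke). The following squid.conf fragment is an added example, not code from this thread or from the pfSense squid package; it shows the ACL variant for the rule "HTTP allowed to any except some internal ranges". The student subnet, the internal ranges and the printer domain are constructed placeholders, as is the assumption that the intercepted traffic reaches Squid with the original client source address, which is how Squid's `src` ACL sees it in transparent mode.

```conf
# Added example (constructed, not from the thread or the pfSense package):
# squid.conf ACLs that recreate the firewall rule "HTTP to any except some
# internal ranges" inside the transparent proxy. Replace the placeholders
# with the student subnet on OPT4 and the printer/management ranges.

# Who the rule applies to: the student network behind OPT4 (placeholder)
acl students src 10.40.0.0/16

# Where they must not go: the internal ranges that pf used to exclude (placeholders)
acl internal_dst dst 192.168.10.0/24 192.168.11.0/24

# Optional: the same hosts by name, for clients that reach a printer by
# hostname rather than by IP (placeholder domain)
acl internal_name dstdomain .printers.example.internal

# Order matters: the deny lines must come before the line that lets the
# students out, otherwise the allow matches first and the deny is never reached.
http_access deny students internal_dst
http_access deny students internal_name
http_access allow students
```

          Wherever the package lets you add custom squid.conf lines, check in the generated squid.conf that these deny lines really end up above the generic allow; then run `squid -k parse` to validate the file and confirm from access.log that a request from the student subnet to one of the internal ranges is logged as TCP_DENIED. If you choose the bypass variant instead, port-80 traffic to those ranges is no longer redirected to Squid, so the "HTTP to any except internal ranges" rule on OPT4 has to carry the deny again, exactly as Nachtfalke describes.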

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.