Bypass transparent proxy selective - RESOLVED

dhipo · Sep 14, 2007, 4:13 PM

i want setup transparent proxy to all clients … this is really easy on squid package.... but here in Brazil some S#1t banks are using proprietary protocols on port 80 ... then i need do an rule to bypass squid transparent proxy when destination is to that sites ... anybody knows haow can o do this ?

mhab12 · Sep 17, 2007, 5:38 AM

Have you tried the 'do not cache' feature. That might help but I believe the traffic will still flow through Squid on port 80, thereby getting dropped since it isn't HTTP…worth a try.

dhipo · Sep 18, 2007, 1:07 PM

yeap … i tried "do not cache" with no success...

i think what the way is ...

catch all traffic to port 80, except to that sites, and redirect to squid.
traffic to that sites must pass directly..
but i can't see the way to do this in interface.
helps are welcome

dhipo · Sep 21, 2007, 12:37 AM

success … i did an simple hacking on squid.inc and now some sites are not catched by transparent proxy

this is the hacking ...
i changed the line
$rules .= "rdr on $iface proto tcp from any to ! ($iface) port 80 -> 127.0.0.1 port 80\n";
to this
$rules .= "rdr on $iface proto tcp from any to ! <mydirectsites> port 80 -> 127.0.0.1 port 80\n";

where mydirectsites is an aliases creates on gui and must contains the lan internal address and ip addresses of sites to not pass on squid …. in this mode i create an rule to permit traffic to port 80 of sites on mydirectsites

Speck · Nov 21, 2008, 11:54 PM

Hi, i tried your hack on my 1.2 release platform.

It does not work if I try to use an alias ???

i can make this work if i specify the IP address instead of $iface, but not with alias…

any idea? is the <alias>expression right?

Thanks,

bye
Speck</alias>

dhipo · Jan 2, 2009, 12:20 AM

ok ..

i will try in single steps

1- in the pfsense GUI goto Firewall -> Aliases and create an alias with name DirectSites , take a look on cases, and insert the LAN address in the networks list with the format 192.168.1.1/32
2- drop to the pfsense console menu option 8, and go to /usr/local/pkg
3- edit file squid.inc and search for the line
$rules .= "rdr on $iface proto tcp from any to ! ($iface) port 80 -> 127.0.0.1 port 80\n";
to this
$rules .= "rdr on $iface proto tcp from any to ! <directsites>port 80 -> 127.0.0.1 port 80\n";
save
5- in pfsense GUI create a rule to permit traffic from LAN Subnet to alias DirectSites on port 80/443
6 - hit Save button on proxy server menu</directsites>

pfman · Jan 5, 2009, 11:53 PM

For some reason, it does not work for me …..
I've followed your steps and squid + squidGuard still intercept the traffic ..... very frustrating ..
I even tried to add "always_direct" option but still have not been able to bypass squid + squidguard altogether.

any suggestion will help

T

lordarcane · Jan 30, 2009, 1:56 PM

I have the need of a feature quite like this on. In need squid to not catch traffic from all ip´s in my lan to some sites. As I have understood your hack, you take traffic from some internal ip´s to some external sites? Correct?

So, do you have any tips on how to make some sites to not go throught the proxy for some destination sites?

mhab12 · Jan 30, 2009, 6:27 PM

The new version of the squid package has a 'Do Not Proxy' field where you can enter local client IPs that should bypass the proxy altogether. That is not the focus of this post. The method mentioned above allows traffic TO certain DESTINATION sties to bypass the proxy, not FROM certain clients.

lordarcane · Feb 10, 2009, 11:01 AM

Yea, but that is exactly what I want. To let traffic from all ip´s TO some sites bypass the proxy! And, the hack did not seem to do it. Since i would like to use something like this

catch everything but
if destinatio is "www.google.se" then bypass the proxy

itsmorefun · Mar 1, 2009, 11:32 AM

Also note that Squid bypass firewall rules:
case 'filter':
foreach ($ifaces as $iface){
$rules .= "# Setup squid pass rules for proxy\n";
$rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n";
$rules .= "pass in quick on $iface proto tcp from any to !($iface) port $port flags S/SA keep state\n";
$rules .= "\n";
};

http://forum.pfsense.org/index.php/topic,14607.msg77308.html#msg77308

lordarcane · Mar 2, 2009, 9:57 AM

It really would be supersimple to just have a list in the GUI for adresses not to be forwarded through the proxy when running transparent.

Catch everything but the sites in the list. =)

sussox · Mar 25, 2009, 1:13 PM

I to managed to get the proxy-bypass working with this hack. Thanks for the tip! However, it would be VERY nice to have a GUI-option that does the same thing in a "legit" way. I guess this hack will break when i upgrade squid etc..

mhab12 · Mar 25, 2009, 4:48 PM

squid.conf is rebuilt from squid.inc on each boot. If you make your changes to squid.inc, everything should "stick".