Bypass transparent proxy selective - RESOLVED

  • i want setup transparent proxy to all clients … this is really easy on squid package.... but here in Brazil some S#1t banks are using proprietary protocols on port 80 ... then i need do an rule to bypass squid transparent proxy when destination is to that sites ... anybody knows haow can o do this ?

  • Have you tried the 'do not cache' feature.  That might help but I believe the traffic will still flow through Squid on port 80, thereby getting dropped since it isn't HTTP…worth a try.

  • yeap … i tried "do not cache"  with no success...

    i think what the way is ...

    catch all traffic to port 80, except to that sites, and redirect to squid.
    traffic to that sites must pass directly..
    but i can't see the way to do this in interface.
    helps are welcome

  • success … i did an simple hacking on and now some sites are not catched by transparent proxy

    this is the hacking ...
    i changed the line
    $rules .= "rdr on $iface proto tcp from any to ! ($iface) port 80 -> port 80\n";
    to this
    $rules .= "rdr on $iface proto tcp from any to ! <mydirectsites> port 80 -> port 80\n";

    where mydirectsites is an aliases creates on gui and must contains the lan internal address and ip addresses of sites to not pass on squid …. in this mode i create an rule to permit traffic to port 80 of sites on mydirectsites

  • Hi, i tried your hack on my 1.2 release platform.

    It does not work if I try to use an alias  ???

    i can make this work if i specify the IP address instead of $iface, but not with alias…

    any idea? is the <alias>expression right?



  • ok ..

    i will try in single steps

    1-  in the pfsense GUI  goto Firewall -> Aliases  and create an alias with name DirectSites , take a look on cases, and insert the LAN address in the networks list with the format
    2- drop to the pfsense console menu option 8, and go to /usr/local/pkg
    3- edit file  and search for the line
    $rules .= "rdr on $iface proto tcp from any to ! ($iface) port 80 -> port 80\n";
    to this
    $rules .= "rdr on $iface proto tcp from any to ! <directsites>port 80 -> port 80\n";
    5- in pfsense GUI create a rule to permit traffic from LAN Subnet to alias DirectSites on port 80/443
    6 - hit Save button on proxy server menu</directsites>

  • For some  reason, it does not work for me …..
    I've followed your steps and squid + squidGuard still intercept the traffic ..... very frustrating ..
    I even tried to add "always_direct" option but still have not been able to bypass squid + squidguard altogether.

    any suggestion will help


  • I have the need of a feature quite like this on. In need squid to not catch traffic from all ip´s in my lan to some sites. As I have understood your hack, you take traffic from some internal ip´s to some external sites? Correct?

    So, do you have any tips on how to make some sites to not go throught the proxy for some destination sites?

  • The new version of the squid package has a 'Do Not Proxy' field where you can enter local client IPs that should bypass the proxy altogether.  That is not the focus of this post.  The method mentioned above allows traffic TO certain DESTINATION sties to bypass the proxy, not FROM certain clients.

  • Yea, but that is exactly what I want. To let traffic from all ip´s TO some sites bypass the proxy! And, the hack did not seem to do it. Since i would like to use something like this

    catch everything but
        if destinatio is "" then bypass the proxy

  • Also note that Squid bypass firewall rules:
            case 'filter':
                    foreach ($ifaces as $iface){
                            $rules .= "# Setup squid pass rules for proxy\n";
                            $rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n";
                            $rules .= "pass in quick on $iface proto tcp from any to !($iface) port $port flags S/SA keep state\n";
                            $rules .= "\n";

  • It really would be supersimple to just have a list in the GUI for adresses not to be forwarded through the proxy when running transparent.

    Catch everything but the sites in the list. =)

  • I to managed to get the proxy-bypass working with this hack. Thanks for the tip! However, it would be VERY nice to have a GUI-option that does the same thing in a "legit" way. I guess this hack will break when i upgrade squid etc..

  • squid.conf is rebuilt from on each boot.  If you make your changes to, everything should "stick".

Log in to reply