Squid3-dev 3.3.10 pkg 2.2.8 Can't get it to bypass for certain sites
On pfSense 2.1.5 with squid3-dev 3.3.10 pkg 2.2.8, I have SSL in the middle and LDAP authentication working great. My problem is that I would like to have certain sites go direct, bypassing the proxy altogether. I put the sites in the ACL Whitelist, and squid.conf is also set to not SSL Bump the whitelist. It seems all it is doing is bypassing the authentication for those sites.
Here is my squid.conf file; am I missing something to get sites in the whitelist to go direct?

```
# This file is automatically generated by pfSense
# Do not edit manually !
http_port 192.168.0.1:3128 ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=20MB cert=/usr/pbi/squid-amd64/etc/squid/serverkey.pem capath=/usr/pbi/squid-amd64/share/certs/
icp_port 0
dns_v4_first on
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_default_language en
icon_directory /usr/pbi/squid-amd64/etc/squid/icons
visible_hostname proxy.csla.local
cache_mgr techsupport@cslewisacademy.com
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log none
netdb_filename /var/squid/logs/netdb.state
pinger_enable on
pinger_program /usr/pbi/squid-amd64/libexec/squid/pinger
sslcrtd_program /usr/pbi/squid-amd64/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048
sslcrtd_children 10
sslproxy_capath /usr/pbi/squid-amd64/share/certs/
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_adapt setCommonName all
logfile_rotate 7
debug_options rotate=7
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 192.168.0.0/23
uri_whitespace strip
acl dynamic urlpath_regex cgi-bin \?
cache deny dynamic
cache_mem 32 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 128 8 256
minimum_object_size 0 KB
maximum_object_size 40 KB
offline_mode off
cache_swap_low 85
cache_swap_high 90
cache allow all
# No redirector configured
#Remote proxies
# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
# acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 3128 3127 1025-65535
acl sslports port 443 563
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
#acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
acl allowed_subnets src 192.168.0.0/23
acl unrestricted_hosts src "/var/squid/acl/unrestricted_hosts.acl"
acl whitelist dstdomain "/var/squid/acl/whitelist.acl"
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
# From 3.2 further configuration cleanups have been done to make things easier and safer.
# The manager, localhost, and to_localhost ACL definitions are now built-in.
# http_access allow localhost
request_body_max_size 0 KB
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow allsrc
# Reverse Proxy settings
always_direct allow whitelist
ssl_bump none whitelist
# Custom options before auth
icap_enable on
icap_preview_enable on
icap_preview_size 4096
icap_persistent_connections on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Client-Username
icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
acl qlproxy_icap_edomains dstdomain "/opt/qlproxy/etc/squid/icap_exclusions_domains.conf"
acl qlproxy_icap_etypes rep_mime_type "/opt/qlproxy/etc/squid/icap_exclusions_contenttypes.conf"
adaptation_access qlproxy1 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_edomains
adaptation_access qlproxy2 deny qlproxy_icap_etypes
adaptation_access qlproxy1 allow all
adaptation_access qlproxy2 allow all
# These hosts do not have any restrictions
http_access allow unrestricted_hosts
# Always allow access to whitelist domains
http_access allow whitelist
auth_param basic program /usr/pbi/squid-amd64/libexec/squid/basic_ldap_auth -R -v 3 -b dc=csla,dc=local -D user@csla.local -w Password -f "(|(userPrincipalName=%s)(sAMAccountName=%s))" -u uid -h server.csla.local
auth_param basic children 50
auth_param basic realm Please use your Windows Login for the Proxy.
auth_param basic credentialsttl 5 minutes
acl password proxy_auth REQUIRED
# Custom options after auth
always_direct allow all
ssl_bump server-first all
http_access allow unrestricted_hosts
http_access allow password localnet
http_access allow password allowed_subnets
# Default block all to be sure
http_access deny allsrc
```
I am really having issues with it still trying to connect to certain sites with new TLS v1.2 SSL certs. I have a desktop app that won't connect now, but if I use the browser to connect to the same site it works. I am stuck on pfSense 2.1.5 because of the internet filter I am using for the school. Is this version of Squid broken in some of its features?
Thanks for your help. I need to fix this asap so I can get our grading and enrollment app working again.

Jim Ambrose
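Added example, not from the original post or the pfSense package: the always_direct lines in the squid.conf above only tell Squid to fetch the site itself instead of through a cache peer, so the client still sends every request, whitelisted or not, to 192.168.0.1:3128. For a site to skip the proxy entirely the client has to be told so, for instance with a PAC file; the script below turns a whitelist written in Squid dstdomain syntax into such a PAC file. The whitelist entries and the .test hostnames are constructed placeholders, and the proxy address is assumed from the http_port line above.

```javascript
// Added example, not from the original post or the pfSense package: turns a
// whitelist in Squid dstdomain syntax into a PAC file that returns DIRECT for
// those hosts, so the client never sends them to the proxy (assumed address).
const PROXY = "PROXY 192.168.0.1:3128";  // http_port from the squid.conf above

// Constructed stand-in for /var/squid/acl/whitelist.acl (not the real file).
const WHITELIST_ACL = `
# grading and enrollment app (constructed entries)
.example-grading.test
portal.example.test
`;

// One entry per line; blank lines and # comments are ignored, as in Squid.
function parseWhitelist(text) {
  return text.split("\n")
    .map((l) => l.trim().toLowerCase())
    .filter((l) => l && !l.startsWith("#"));
}

// Squid dstdomain semantics: ".foo.test" matches foo.test and every
// subdomain; "foo.test" without the leading dot matches only that host.
function matchesDstdomain(host, entry) {
  host = host.toLowerCase();
  if (entry.startsWith(".")) {
    return host === entry.slice(1) || host.endsWith(entry);
  }
  return host === entry;
}

// What FindProxyForURL would answer for this host: DIRECT or the proxy.
function findProxyForHost(host, entries, proxy = PROXY) {
  return entries.some((e) => matchesDstdomain(host, e)) ? "DIRECT" : proxy;
}

// Render the PAC file. dnsDomainIs() is supplied by the browser's PAC
// runtime and does a suffix match, so the bare domain needs its own test.
function buildPac(entries, proxy = PROXY) {
  const tests = entries.map((e) => e.startsWith(".")
    ? `host === ${JSON.stringify(e.slice(1))} || dnsDomainIs(host, ${JSON.stringify(e)})`
    : `host === ${JSON.stringify(e)}`);
  return [
    "function FindProxyForURL(url, host) {",
    "  host = host.toLowerCase();",
    ...tests.map((t) => `  if (${t}) return "DIRECT";`),
    `  return ${JSON.stringify(proxy)};`,
    "}",
  ].join("\n");
}
console.log(buildPac(parseWhitelist(WHITELIST_ACL)));
```

Serve the printed file from the web server and point the clients (or WPAD) at it; the ssl_bump none whitelist line then only matters for clients that still send the request through Squid.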