Netflix iOS app via Squid not working



  • Hi.  I am running pfSense 2.1.5, squid3-dev 3.3.10 pkg 2.2.8, and squidGuard-squid3 1.4_4 pkg v.1.9.12.
    I have successfully been able to set up squid with SSL bump and squidGuard blacklists and squidclamav.  I turned off ipaddr filtering in squidGuard to fix Netflix on PCs and have other dstdomain bypasses for update services (MS & Apple) - all working well.  I am NOT using transparent proxy - but using WPAD based auto-proxy configuration for clients (my home).  The only thing that seems to not be working for me is the Netflix app on my Apple devices.  I found a (unrelated to pfSense) comment (for Sophos WebProxy) that mentioned that the iOS app uses byte-range requests that are not forwarded to the external server and that (for Sophos) adding a bypass for the useragent of "AppleCoreMedia" would resolve the issue (for Sophos).  I tested my config without clamav and without SSL bump and without squidGuard (in other words - just plain 'ol squid) and was still not able to get the iOS app to work.  Can anyone point me in the right direction to have any traffic from the aforementioned User-Agent bypass all squid processes (just pass everything thru squid un-proxied and untouched by squidclamav or squidGuard) - or - any other suggestion?

    Thanks and willing to provide any further information needed to help me solve my issue.



  • Hi

    I have been trying to fix this issue with iOS devices, to no avail. I have found this list of pass-throughs required; however, iTunes is still blocked:

    .phobos.apple.com
    a1.phobos.apple.com
    deimos3.apple.com
    albert.apple.com
    gs.apple.com
    itunes.apple.com
    ax.itunes.apple.com 
    evintl-ocsp.verisign.com
    evsecure-ocsp.verisign.com
    .apple.com
    verisign.com
    my.itunes.apple.com
    ax.init.itunes.apple.com
    ax.phobos.apple.com.edgesuite.net
    metrics.apple.com
    .woopra.com
    c12850432.mgr.gcsp.cddbp.net
    .mzstatic.com

    Even with variants of ACLs and whitelisting, the devices are still blocked.

    See this: https://forum.pfsense.org/index.php?topic=90908.msg511685#msg511685

    This may be a similar issue.



  • No one got any idea?  This is the only thing holding me up from having an ideal setup… ;)



  • Not hard.  Set your Apple thingy to not use the proxy.  Add a firewall rule on LAN that specifically allows the IP address of your Apple thingy to access ports 80/443 which you naturally have blocked off for all other users to force proxy usage.



  • @KOM/others:  Well the whole idea is that the Apple thingys are my kids that I don't want bypassing the proxy for other apps (i.e. Safari). I want to just bypass for Netflix by any means possible - but keep it for everything else.  I'm blocking PORN, HATE, DRUGs, etc. just so that they don't stumble on them by accident.


  • @cejennings:

    I'm blocking PORN, HATE, DRUGs, etc. just so that they don't stumble on them by accident.



  • @cejennings:

    No one got any idea?  This is the only thing holding me up from having an ideal setup… ;)

    Bump

    Make any headway on this issue?

    I don't run squidGuard as all the kids are long gone (and probably making their own porn..).  But, seeing a similar issue on iOS 9 devices.  In my case the Netflix app will start and run new items but will absolutely not restart previously watched but not finished movies.  I keep an old plastic box router with dd-wrt in my data closet and all works well on that.  I have a backup pfSense box (same hardware, same base load, no packages) and all works well on that.  So, it's something in squid3, pfBlockerNG or Snort clobbering restarts.  I used the HE lists to bypass all known Netflix IDs but still no joy.  I'm not seeing anything in the logs (that I've looked at) and my thinking is if it were pfBlockerNG or Snort I wouldn't get any activity so I've been toying mostly with squid3.

    Oh, and all was well before iOS 9.

    Rick



  • Try finding out what server address the app is trying to connect to and using something like Wireshark bypass that blocked server.



  • I'm not using any apple devices, but the last few days Netflix has been giving problems with video streaming via squid, that I managed to find a workaround, so throwing this out if it helps anyone.

    I'm using pfSense 2.2.5 beta & Squid3 in transparent mode, routed over a VPN service.

    The problem with Netflix for the last few days has been that videos will take a very long time to start if they are not started from the beginning.  Everything seems to indicate that the way Netflix is retrieving the video portions is causing squid to do a full download of content.  I noted that whenever I start a Netflix video, the traffic on the VPN/WAN goes ballistic, well beyond what the player device is consuming to play the video.  All apparent symptoms of download amplification occurring.  Seeing the original post to this thread about the use of byte-ranges not being forwarded, this made a lot of sense: if the app requests a portion of a file, squid decides it can't satisfy the range request and instead attempts to download the whole file. And each portion the app requests to play the next sequence of video gets translated to another download.

    Clearly at this point squid is the issue, but setting up a bypass needs something that would cover all endpoints without a huge list of IPs, such as a CIDR range.

    So, finally, going through my logs to see if anything was getting blocked in the firewall, I noticed the IPs for the Netflix content distribution network, and doing a "whois" on the IP got me the address range for the Netflix video distribution network that I'm hitting.  Then putting this CIDR range in the proxy bypass destination for transparent proxy I am now able to watch Netflix without the startup and buffering problems.  Though they still seem to be having other intermittent connectivity issues.

    So here are a couple of suggestions for those looking to find the IP range to bypass for Netflix.

    In "System Log -> Settings" enable logging of passed packets.

    Then while trying to access Netflix, use the System Log -> Firewall log, check the IP addresses being connected to, do a reverse lookup on them, and look for any that look like "ipv4_1.lagg0.c035.sjc002.ix.nflxvideo.net". Then take that IP address and use a "whois" tool or website to look up the address subnet information.  In that info should be a CIDR range for the address range.  Then you should be able to use that range as a CIDR bypass for squid or whatever service you need to bypass for Netflix streaming.

    Cheers.

    Update: With some more digging I found that Squid3 was modified in 2014 to ignore unknown byte ranges due to a security vulnerability.  The modification was to ignore these headers, which would result in the behaviour described above if an "unknown" byte range were being used.

    http://www.cvedetails.com/cve/CVE-2014-3609/

    http://squidcache.cybermirror.org/squid/squid-3.4.7.patch

    +Changes to squid-3.3.13 (28 Aug 2014):

      • Fix segmentation fault setting up server SSL connnection
      • HTTP/1.1: Ignore Range headers with unidentifiable byte-range values
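    The byte-range behaviour described in the update, as an added illustration (not code from this thread or from Squid itself): a parser that accepts only RFC 7233 byte-range-specs and treats anything else as unidentifiable, plus the upstream cost when a proxy that ignores such a header fetches the whole object instead of the requested slice. The function names are my own.

```python
import re

# RFC 7233 byte-range-spec: "first-last", "first-" or "-suffix". A header whose
# values do not match is "unidentifiable"; a proxy with the CVE-2014-3609 fix
# ignores the header entirely rather than guessing at it.
_SPEC = re.compile(r"^(\d+)-(\d*)$|^-(\d+)$")


def parse_range(header, size):
    """Return [(first, last), ...] for a Range header against an object of
    `size` bytes, or None when the header is absent, malformed or unsatisfiable."""
    if header is None:
        return None
    unit, sep, specs = header.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None                      # unknown range unit
    ranges = []
    for spec in specs.split(","):
        m = _SPEC.match(spec.strip())
        if not m:
            return None                  # unidentifiable byte-range value
        first, last, suffix = m.groups()
        if suffix is not None:           # "-N": the final N bytes
            n = int(suffix)
            if n == 0:
                return None
            first, last = max(size - n, 0), size - 1
        else:
            first = int(first)
            last = int(last) if last else size - 1
            if first > last:
                return None              # backwards range is invalid
            if first >= size:
                continue                 # this spec is unsatisfiable, skip it
            last = min(last, size - 1)   # clamp to the object's end
        ranges.append((first, last))
    return ranges or None


def bytes_fetched(header, size):
    """Bytes the upstream fetch costs: the requested slices if the header is
    usable, otherwise the whole object (the amplification seen in the thread)."""
    ranges = parse_range(header, size)
    if ranges is None:
        return size
    return sum(last - first + 1 for first, last in ranges)
```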


  • @TechyTech:

    I'm not using any apple devices,

    Clearly at this point squid is the issue, but setting up a bypass needs something that would cover all endpoints without a huge list of IP's, such as a cidr range.

    Thanks! Yep, that's pretty much the process I took using the lists from "Hollywood" to set up a bypass…  worked wonders for the Dish box, Smart TVs and Roku.  But an iPad was still choking.  For now I just use DHCP to assign it a static address and bypass its new address and all is well.

    Rick



  • I just stumbled across this thread looking for another solution. I decided to post my findings in case someone else came across this.

    I was having trouble with Netflix not working on PS3/PS4, tablets, etc. Netflix would start up but fail to load a movie after about 20%.

    As it turns out, when Netflix loads and streams video the apps connect back to their servers via IP rather than using an FQDN. i.e. http://xxx.xxx.xxx.xxx/range/350…

    My problem was I had 'Do not allow IP-Addresses in URL' ticked in the ACL.

    My solution was to set squid to bypass proxy for all gaming devices. Recently I wanted to watch Netflix on my tablet. Rather than bypass the proxy for that device, I checked the logs to discover the IP Netflix was attempting to connect to and added that IP in the 'Bypass for this destination' option.

    Obviously, the latter solution is not ideal, but for today, it works.



  • Does anyone have Squid working with Netflix?  I just tried setting up Squid (not SquidGuard) as a transparent proxy for HTTP traffic only.  However, I noticed Netflix now doesn't work on the devices on the subnet using Squid.



  • I have it running. I am not at home to list the settings, but basically I found the CIDR range of Netflix servers and input that in the "bypass proxy for these destinations". I am using WPAD, not using MITM but will institute that soon. This is on a home network btw. If you want, later tonight I can post up the IP range I am using.

    This might not be the best way to do it, I'd be interested in hearing any expert's opinions on this.



  • I'd be interested to try it.  It seems like a less-than-ideal workaround, but I'll be curious to see if that gets it working.  Thanks!



  • OK, here are the two ranges I use in the 'Bypass proxy for these destinations':
    23.246.0.0/18
    108.175.32.0/20

    As I understand it Netflix uses different servers depending on where you live, so you will need to list the servers your Netflix is trying to use. I watched the logs for the IP when it got blocked. I looked these up on tcpiputils.com to find the IP Range, then entered this range into the Squid field.

    edit: This feature is under the 'Transparent Proxy' tab and it says it only works for the Transparent Mode, which I use in addition to using WPAD. If you are not using this then it looks like it won't work; you could try the ACL tab maybe.
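    The log-to-bypass procedure from TechyTech's post and the CIDR check from this one, as an added example (not code from this thread or from pfSense): it parses constructed pfSense filterlog lines in the documented CSV field order, flags destinations whose reverse name is an nflxvideo.net host, and reports which of the two quoted bypass ranges covers each one. The reverse lookups come from a constructed table standing in for socket.gethostbyaddr, and the whois step needs network access so it is left to the reader.

```python
import ipaddress
import re

# Constructed pfSense 2.x filterlog lines. Fields after "filterlog:" follow the
# documented order: rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,
# tos,ecn,ttl,id,offset,flags,protoid,proto,len,src,dst,srcport,dstport,...
# Destination addresses were chosen to fall inside the ranges quoted above.
SAMPLE_LOG = """\
Oct 3 20:01:02 pfSense filterlog: 5,16777216,,1000000103,em1,match,pass,in,4,0x0,,64,1201,0,DF,6,tcp,60,192.168.1.50,23.246.3.10,52144,443,0,S,1,,,
Oct 3 20:01:03 pfSense filterlog: 5,16777216,,1000000103,em1,match,pass,in,4,0x0,,64,1202,0,DF,6,tcp,60,192.168.1.50,108.175.40.7,52145,443,0,S,1,,,
Oct 3 20:01:04 pfSense filterlog: 5,16777216,,1000000103,em1,match,pass,in,4,0x0,,64,1203,0,DF,6,tcp,60,192.168.1.50,93.184.216.34,52146,443,0,S,1,,,
Oct 3 20:01:05 pfSense filterlog: 7,16777216,,1000000105,em1,match,block,in,4,0x0,,64,1204,0,DF,6,tcp,60,192.168.1.50,23.246.5.20,52147,80,0,S,1,,,
"""

# Constructed stand-in for the reverse lookups the post does by hand;
# pass socket.gethostbyaddr-based lookup for live use.
RDNS = {
    "23.246.3.10": "ipv4_1.lagg0.c035.sjc002.ix.nflxvideo.net",
    "108.175.40.7": "ipv4_2.lagg0.c040.lax001.ix.nflxvideo.net",
    "93.184.216.34": "example.com",
    "23.246.5.20": "ipv4_3.lagg0.c036.sjc002.ix.nflxvideo.net",
}


def destinations(log, lookup=RDNS.get):
    """Yield (dst_ip, dst_port, action, reverse_name) per IPv4 TCP/UDP line."""
    for line in log.splitlines():
        m = re.search(r"filterlog: (.*)$", line)
        if not m:
            continue
        f = m.group(1).split(",")
        if f[8] != "4" or f[16] not in ("tcp", "udp"):
            continue                      # only IPv4 with ports is handled
        yield f[19], int(f[21]), f[6], lookup(f[19])


def netflix_ips(log, suffix="nflxvideo.net"):
    """Sorted destination addresses whose reverse name ends in the CDN suffix."""
    hits = {ip for ip, _, _, name in destinations(log)
            if name and name.endswith(suffix)}
    return sorted(hits, key=ipaddress.ip_address)


def bypass_coverage(ips, cidrs):
    """Map each observed IP to the bypass range that covers it, or None."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return {ip: next((str(n) for n in nets if ipaddress.ip_address(ip) in n), None)
            for ip in ips}
```

    An address that maps to None is one the bypass does not yet cover and is the one to run through whois next.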