
How to bypass Squid proxy in intercept mode using acl/always_direct

Hello,

I am using Squid 3.5.20 in intercept mode for HTTP and HTTPS traffic on my OpenBSD 6.0 firewall. For some internal servers located in two different subdomains I would like to access these directly and thus bypass the Squid proxy. Is it possible to achieve this using an acl and the always_direct parameter of Squid? I tried it out, but checking the squid access.log file I still see the accesses going through the proxy. You will find my squid.conf file below; the acl/always_direct lines are the last 3 lines of the config.

Thanks for your help.

Regards,
Mabi

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

http_access allow localnet
http_access allow localhost
http_access deny all

coredump_dir /var/squid/cache

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

url_rewrite_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf
url_rewrite_children 19 startup=15 idle=10 concurrency=0

http_port 127.0.0.1:3129 intercept

cache_mem 1024 MB
maximum_object_size_in_memory 8 MB
cache_dir ufs /var/squid/cache 800 16 64
minimum_object_size 3 KB
maximum_object_size 6 MB
 
ipcache_size 10240
fqdncache_size 10240
max_filedescriptors 4096

https_port 127.0.0.1:3130 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/proxy-ca.pem key=/etc/squid/proxy-ca.pem
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump all
sslproxy_cipher EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
sslcrtd_program /usr/local/libexec/squid/ssl_crtd -s /var/squid/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1

acl local-servers dstdomain .internal.domain.net
acl local-servers dstdomain .dmz.domain.net
always_direct allow local-servers
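Editor's note, with an added example that is not part of Mabi's post or of the Squid project's own documentation. always_direct does not do what the last three lines of the config above are meant to do: it only decides whether Squid forwards a request it has already accepted to a cache_peer or straight to the origin server, and this config has no cache_peer, so every request is already going direct and the acl changes nothing. In intercept mode the client never chooses Squid at all; the PF rdr-to rule hands the TCP connection to the 3129/3130 listeners before any http_access, always_direct or ssl_bump line is evaluated, which is why the accesses still show up in access.log. A real bypass therefore has to be made in pf.conf, by excluding the internal destinations from the redirect. The Squid side can at most stop decrypting those connections (splice instead of bump), which is worth doing for anything the PF rule cannot match by address. The interface name, client subnet and the address ranges of the internal/DMZ servers below are assumptions for this example; the Squid acl names are the ones from the post.

```conf
# /etc/pf.conf (OpenBSD 6.0 syntax). Interface, client subnet and the server
# ranges are assumed values for this example; replace them with your own.
int_if = "em1"
lan    = "192.168.1.0/24"
table <direct_dst> persist { 10.10.0.0/24, 10.20.0.0/24 }

# Exception first: 'quick' stops rule evaluation, so connections to the
# internal/DMZ servers are never redirected and never reach Squid.
pass in quick on $int_if inet proto tcp from $lan to <direct_dst> port { 80 443 }

# Everything else on 80/443 is redirected to the intercept listeners
# (3129 for http_port intercept, 3130 for https_port intercept ssl-bump).
pass in on $int_if inet proto tcp from $lan to any port 80  rdr-to 127.0.0.1 port 3129
pass in on $int_if inet proto tcp from $lan to any port 443 rdr-to 127.0.0.1 port 3130

# /etc/squid/squid.conf: keep the dstdomain acl, but use it for ssl_bump
# instead of always_direct. In intercept mode the server name is only known
# after peeking at the TLS ClientHello (SNI) at step 1, so the splice decision
# is taken at step 2. Spliced connections are still relayed and logged by
# Squid as a CONNECT; they are just not decrypted or re-signed by proxy-ca.pem.
acl local-servers dstdomain .internal.domain.net
acl local-servers dstdomain .dmz.domain.net
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice local-servers
ssl_bump bump all
```

Check the PF syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then confirm with `pfctl -s rules` that the quick rule precedes the two rdr-to rules. A connection from a LAN host to one of the excluded servers should afterwards produce no line at all in Squid's access.log, while a connection to any other HTTPS site still shows the bumped request. The splice lines only matter for destinations that cannot be listed by address in the PF table; if every internal server has a fixed address, the PF exception alone is the complete fix and the Squid acl can stay as documentation.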




_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
