Hey Nicolas,

If you are running a Squid which doesn't have a mandatory rule of "block first and then allow", or what the security industry would call "up-tight", then Yuri's solution is the right path.

But... as a rule of thumb, if you don't need to pass the traffic into the proxy software, don't, and allow or block whatever you can at the OS firewall level.

I wrote a couple of example bypass scripts:

https://gist.github.com/elico/e0faadf0cc63942c5aaade808a87deef
https://gist.github.com/elico/a54c2c8f8e1a2407b42210896b960f4b

For a non-router/proxy Linux system:

https://gist.github.com/elico/f21dae7a34e1736f56a1995977852460

The above examples are good for pre-known domains, similar to the script you wrote in your blog, but they give some form of dynamics to the firewall rules.

I believe that the best formula is to combine both Squid splice with ipset and domain resolution, and the bypass rules. Using Squid you will be able to splice domains automatically, and with a daily log analysis of the Squid access.log files you might be able to find new domains that you can add to your firewall-level bypassed domains.

Let me know if it sounds good and is worth a wiki article.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx

-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Nicolas Kovacs
Sent: Sunday, March 11, 2018 10:07
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Allow some domains to bypass Squid

Hi,

I have Squid set up as a transparent HTTP+HTTPS proxy in my local network, using SSL-Bump. The configuration works quite nicely, according to /var/log/squid/cache.log and /var/log/squid/access.log.

This being said, I am having trouble with a handful of domains like GitHub, or my OwnCloud installation. I have an OwnCloud server installed at https://cloud.microlinux.fr, and every time I fire up a client, I have to confirm the use of an untrusted certificate.

And on my workstation, I can't connect to my GitHub repository anymore. Here's the error I get.

  # git pull
  fatal: unable to access 'https://github.com/kikinovak/centos-7-desktop-kde/': Peer's certificate issuer has been marked as not trusted by the user.

So I thought the best thing to do is to create an exception for this handful of domains with issues. Can I configure some domains to simply bypass the proxy in my current (transparent) setup?

Ideally, the configuration should be able to read a simple text file containing said domains, something like /etc/squid/bypass-these-domains.txt. And then these bypass the proxy and get treated regularly, as if there was no proxy?

Cheers,

Niki

--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info@xxxxxxxxxxxxx
Tél. : 04 66 63 10 32

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
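The firewall-level bypass Eliezer describes (resolve a domain list into an ipset and let matching traffic skip the REDIRECT rule), as an added example written for this page. It is not one of Eliezer's gists and not Nicolas's script; the ipset name "squid_bypass", the LAN interface "eth1", the nat/PREROUTING chain and the "domain [ip]" file format are assumptions. The domain file may carry a pre-resolved address after the name, which is handy for an internal host such as an OwnCloud server whose address should not depend on the resolver the proxy box uses.

```shell
#!/bin/sh
# Added example, not code from the squid-users thread.
# Rebuilds an ipset from /etc/squid/bypass-these-domains.txt and puts a RETURN
# rule in front of Squid's intercept REDIRECT/TPROXY rule in nat/PREROUTING,
# so packets to those addresses never reach Squid (no SSL-Bump, no cert warning).
# Assumptions: set name, LAN interface and file path below are all hypothetical.

SET_NAME=${SET_NAME:-squid_bypass}
LAN_IF=${LAN_IF:-eth1}
DOMAIN_FILE=${DOMAIN_FILE:-/etc/squid/bypass-these-domains.txt}

# Print "domain" or "domain ip" lines from the file, dropping comments/blanks.
read_domains() {
  awk '{ sub(/#.*/, ""); sub(/[[:space:]]+$/, ""); if ($0 != "") print }' "$1"
}

# Resolve one name to its IPv4 addresses (one per line) via the system resolver.
resolve_v4() {
  getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u
}

# Turn the file into "domain ip" pairs; pinned entries skip DNS entirely.
resolve_pairs() {
  read_domains "$1" | while read -r domain ip; do
    if [ -n "$ip" ]; then
      printf '%s %s\n' "$domain" "$ip"
    else
      resolve_v4 "$domain" | while read -r addr; do
        printf '%s %s\n' "$domain" "$addr"
      done
    fi
  done
}

# Emit ipset commands that rebuild the set atomically: fill a temporary set,
# then swap it in, so there is never a moment with an empty set in the
# firewall path. Reads "domain ip" pairs on stdin.
emit_ipset_cmds() {
  set_name=$1
  printf 'ipset create %s_tmp hash:ip -exist\n' "$set_name"
  printf 'ipset flush %s_tmp\n' "$set_name"
  while read -r domain ip; do
    [ -n "$ip" ] || continue
    printf 'ipset add %s_tmp %s -exist\n' "$set_name" "$ip"
  done
  printf 'ipset create %s hash:ip -exist\n' "$set_name"
  printf 'ipset swap %s_tmp %s\n' "$set_name" "$set_name"
  printf 'ipset destroy %s_tmp\n' "$set_name"
}

# Emit the bypass rule, inserted at position 1 so it precedes the REDIRECT
# rules; the -C check keeps repeated runs from stacking duplicates.
emit_bypass_rule() {
  lan_if=$1 set_name=$2
  rule="PREROUTING -i $lan_if -p tcp -m multiport --dports 80,443 -m set --match-set $set_name dst -j RETURN"
  printf 'iptables -t nat -C %s 2>/dev/null || iptables -t nat -I %s\n' \
    "$rule" "${rule#PREROUTING }" | sed 's/-I /-I PREROUTING 1 /'
}

apply_bypass() {
  resolve_pairs "$DOMAIN_FILE" | emit_ipset_cmds "$SET_NAME" | sh -e
  emit_bypass_rule "$LAN_IF" "$SET_NAME" | sh -e
}

# Usage: ./squid-bypass.sh apply   (run from cron so CDN-hosted names such as
# github.com are re-resolved; a set built once will drift as their IPs change)
case "${1:-}" in
  apply) apply_bypass ;;
esac
```

Two caveats a practitioner should keep in mind: the set is built from what the proxy box's resolver returned at refresh time, so a client that resolves a CDN name to a different address still lands in Squid, which is why Eliezer pairs this with a daily access.log review to widen the list; and the RETURN sits in PREROUTING, so it covers LAN clients only, not traffic the proxy host itself originates (that would need the same match in nat/OUTPUT). The same file can be reused inside squid.conf as a `dstdomain` ACL for an `ssl_bump splice` line, which is the "combine both" approach Eliezer suggests.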