Search squid archive

Re: Allow some domains to bypass Squid

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hey Nicolas,

If you are running a squid which doesn't have a mandatory rule of "Block first and then allow" or what in the security industry will be named "up-tight" then Yuri solution is the right path.
But... as a rule of thumb, if you don't need to pass the traffic into the proxy software don’t and allow or block whatever you can on the OS firewall level.
I wrote couple example bypass scripts:
https://gist.github.com/elico/e0faadf0cc63942c5aaade808a87deef
https://gist.github.com/elico/a54c2c8f8e1a2407b42210896b960f4b

For a non router\proxy linux system:
https://gist.github.com/elico/f21dae7a34e1736f56a1995977852460

The above examples are good for pre-known domains similar to the script you wrote in your blog but it gives some form of dynamics to the firewall rules.
I believe that the best formula is to combine both squid splice with ipset and domains resolution and the bypass rules.
Using  squid you will be able to splice domains automatically and with a daily log analysis of squid access.log files you might be able to find new domains that you can add into your firewall level bypassed domains.

Let me know if it sounds good and it worth a wiki article.
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx


-----Original Message-----
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Nicolas Kovacs
Sent: Sunday, March 11, 2018 10:07
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject:  Allow some domains to bypass Squid

Hi,

I have Squid setup as a transparent HTTP+HTTPS proxy in my local
network, using SSL-Bump.

The configuration works quite nicely, according to
/var/log/squid/cache.log and /var/log/squid/access.log.

This being said, I am having trouble with a handful of domains like
Github, or my OwnCloud installation. I have an OwnCloud server installed
at https://cloud.microlinux.fr, and everytime I fire up a client, I have
to confirm the use of an untrusted certificate. And on my workstation, I
can't connect to my Github repository anymore. Here's the error I get.

  # git pull
  fatal: unable to access 'https://github.com/kikinovak/centos-
  7-desktop-kde/': Peer's certificate issuer has been marked as not
  trusted by the user.

So I thought the best thing to do is to create an exception for this
handful of domains with issues.

Can I configure some domains to simply bypass the proxy in my current
(transparent) setup? Ideally, the configuration should be able to read a
simple text file containing said domains, something like
/etc/squid/bypass-these-domains.txt. And then these bypass the proxy and
get treated regularly, as if there was no proxy?

Cheers,

Niki
-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info@xxxxxxxxxxxxx
Tél. : 04 66 63 10 32
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux