Topic: Bypass transparent proxy selective - RESOLVED (Read 14827 times)
dhipo
« on: September 14, 2007, 11:13:32 am »

I want to set up a transparent proxy for all clients... this is really easy with the squid package... but here in Brazil some S#1t banks are using proprietary protocols on port 80... so I need a rule to bypass the squid transparent proxy when the destination is one of those sites... does anybody know how I can do this?
« Last Edit: September 20, 2007, 07:35:52 pm by dhipo »

Dhix Networks
Everything Secure

http://www.dhix.com.br
mhab12
« Reply #1 on: September 17, 2007, 12:38:13 am »

Have you tried the 'do not cache' feature? That might help, but I believe the traffic will still flow through Squid on port 80, thereby getting dropped since it isn't HTTP... worth a try.
dhipo
« Reply #2 on: September 18, 2007, 08:07:52 am »

Yeap... I tried "do not cache" with no success...

I think the way is...

Catch all traffic to port 80, except to those sites, and redirect it to squid.
Traffic to those sites must pass directly.
But I can't see a way to do this in the interface.
Help is welcome.

dhipo
« Reply #3 on: September 20, 2007, 07:34:52 pm »

Success... I did a simple hack on squid.inc and now some sites are not caught by the transparent proxy.

This is the hack...
I changed the line
$rules .= "rdr on $iface proto tcp from any to ! ($iface) port 80 -> 127.0.0.1 port 80\n";
to this
$rules .= "rdr on $iface proto tcp from any to ! <mydirectsites> port 80 -> 127.0.0.1 port 80\n";

where mydirectsites is an alias created in the GUI and must contain the LAN internal address and the IP addresses of the sites that should not pass through squid.... In this mode I create a rule to permit traffic to port 80 of the sites in mydirectsites.
« Last Edit: September 20, 2007, 07:37:15 pm by dhipo »
Speck
« Reply #4 on: November 21, 2008, 06:54:09 pm »

Hi, I tried your hack on my 1.2 release platform.

It does not work if I try to use an alias.

I can make this work if I specify the IP address instead of $iface, but not with an alias...

Any idea? Is the <alias> expression right?

Thanks,

bye
Speck
dhipo
« Reply #5 on: December 25, 2008, 05:54:32 pm »

ok..

I will try in single steps:

1- In the pfSense GUI go to Firewall -> Aliases and create an alias with the name DirectSites (mind the case), and insert the LAN address in the networks list with the format 192.168.1.1/32
2- Drop to the pfSense console, menu option 8, and go to /usr/local/pkg
3- Edit the file squid.inc and search for the line
$rules .= "rdr on $iface proto tcp from any to ! ($iface) port 80 -> 127.0.0.1 port 80\n";
and change it to this
$rules .= "rdr on $iface proto tcp from any to ! <DirectSites> port 80 -> 127.0.0.1 port 80\n";
4- Save
5- In the pfSense GUI create a rule to permit traffic from LAN Subnet to the alias DirectSites on port 80/443
6- Hit the Save button on the proxy server menu

« Last Edit: January 01, 2009, 07:20:47 pm by dhipo »
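The edit in step 3 above, applied with sed instead of by hand. This is an added example, not code from the thread or from the pfSense squid package: it assumes the rdr line in squid.inc reads exactly as quoted in the steps and that the alias is named DirectSites (both taken from the post); the file it patches is a constructed one-line stand-in for /usr/local/pkg/squid.inc so the script runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread or the squid package): apply step 3 of the
# procedure above with sed, keeping a backup and refusing to patch twice.
# On pfSense the real file is /usr/local/pkg/squid.inc; here a constructed
# one-line sample stands in for it so the script runs anywhere.

# The line squid.inc writes for the transparent proxy, exactly as quoted above.
ORIG_RDR='$rules .= "rdr on $iface proto tcp from any to ! ($iface) port 80 -> 127.0.0.1 port 80\n";'

# patch_squid_inc FILE ALIAS
# Replaces the exclusion "! ($iface)" with "! <ALIAS>", so pf skips the redirect
# for every address in the table pfSense builds from the alias. The LAN
# interface address must be in that alias (step 1), because it is no longer
# excluded by name once this line is changed.
patch_squid_inc() {
    file="$1"
    alias="$2"
    # -F: match as a fixed string, so $ and the parentheses are not regex.
    if ! grep -qF 'from any to ! ($iface) port 80 -> 127.0.0.1 port 80' "$file"; then
        echo "patch_squid_inc: rdr line not found in $file (already patched?)" >&2
        return 1
    fi
    cp "$file" "$file.orig"
    # In a basic regex, $ and ( ) away from the anchors are literal; the only
    # escaping needed is to keep the shell from expanding $iface.
    sed -i.bak "s/from any to ! (\$iface) port 80/from any to ! <$alias> port 80/" "$file"
    rm -f "$file.bak"
}

# rdr_line FILE: print the rdr line as it now stands, for a quick check.
rdr_line() {
    grep -F 'rdr on $iface' "$1"
}

# Constructed sample squid.inc containing just the rdr line.
SAMPLE=$(mktemp)
printf '%s\n' "$ORIG_RDR" > "$SAMPLE"

patch_squid_inc "$SAMPLE" DirectSites
rdr_line "$SAMPLE"
# -> $rules .= "rdr on $iface proto tcp from any to ! <DirectSites> port 80 -> 127.0.0.1 port 80\n";
```

The angle brackets are pf's table syntax: pfSense loads each GUI alias as a pf table of the same name, which is why the alias must exist before the package regenerates its rules (step 6). Because squid.inc belongs to the package, a package reinstall or upgrade will put the original line back; keeping the .orig copy makes it easy to see whether the patch is still in place.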
pfman
« Reply #6 on: January 05, 2009, 06:53:25 pm »

For some reason, it does not work for me...
I've followed your steps and squid + squidGuard still intercept the traffic... very frustrating.
I even tried to add the "always_direct" option but still have not been able to bypass squid + squidGuard altogether.

Any suggestion will help.

T
lordarcane
« Reply #7 on: January 30, 2009, 08:56:30 am »

I have the need of a feature quite like this one. I need squid to not catch traffic from all IPs in my LAN to some sites. As I have understood your hack, you take traffic from some internal IPs to some external sites? Correct?

So, do you have any tips on how to make traffic not go through the proxy for some destination sites?
mhab12
« Reply #8 on: January 30, 2009, 01:27:54 pm »

The new version of the squid package has a 'Do Not Proxy' field where you can enter local client IPs that should bypass the proxy altogether. That is not the focus of this post. The method mentioned above allows traffic TO certain DESTINATION sites to bypass the proxy, not FROM certain clients.
lordarcane
« Reply #9 on: February 10, 2009, 05:28:50 am »

Yea, but that is exactly what I want. To let traffic from all IPs TO some sites bypass the proxy! And the hack did not seem to do it. I would like to use something like this:

catch everything but
    if destination is "www.google.se" then bypass the proxy
« Last Edit: February 10, 2009, 06:01:40 am by lordarcane »
itsmorefun
« Reply #10 on: March 01, 2009, 05:08:10 am »

Also note that Squid bypasses firewall rules:
        case 'filter':
                foreach ($ifaces as $iface){
                        $rules .= "# Setup squid pass rules for proxy\n";
                        $rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n";
                        $rules .= "pass in quick on $iface proto tcp from any to !($iface) port $port flags S/SA keep state\n";
                        $rules .= "\n";
                        };

http://forum.pfsense.org/index.php/topic,14607.msg77308.html#msg77308
« Last Edit: March 01, 2009, 06:32:28 am by itsmorefun »
lordarcane
« Reply #11 on: March 02, 2009, 04:57:37 am »

It really would be super simple to just have a list in the GUI for addresses not to be forwarded through the proxy when running transparent.

Catch everything but the sites in the list. =)
sussox
« Reply #12 on: March 25, 2009, 08:13:53 am »

I too managed to get the proxy bypass working with this hack. Thanks for the tip! However, it would be VERY nice to have a GUI option that does the same thing in a "legit" way. I guess this hack will break when I upgrade squid etc.
mhab12
« Reply #13 on: March 25, 2009, 11:48:52 am »

squid.conf is rebuilt from squid.inc on each boot.  If you make your changes to squid.inc, everything should "stick".