Bypass squid using iptables


Bypass squid using iptables

Ben Goz

B.H.

I'm using Squid with the c-icap module for specific content filtering. I configured Squid with SSL bump, so websites with WSS won't work on it, as mentioned in the Squid documentation. So for such URLs (with WSS) I need to bypass Squid. I read in some posts that Squid doesn't fully support bypassing URLs and that the best way is to bypass it via iptables.

Eventually I redirect browser traffic to my proxy machine using the local machine's proxy settings, and it redirects traffic to my machine with IP x.x.x.x, port 3128.

If I want to use the conservative iptables bypassing, how should I configure my machine? And what should the iptables rules look like?

Any help will be appreciated.


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Bypass squid using iptables

Amos Jeffries
Administrator
On 21/05/20 3:49 am, Ben Goz wrote:

> B.H.
>
> I'm using Squid with the c-icap module for specific content filtering. I
> configured Squid with SSL bump, so websites with WSS won't work on it, as
> mentioned in the Squid documentation. So for such URLs (with WSS) I need
> to bypass Squid. I read in some posts that Squid doesn't fully support
> bypassing URLs and that the best way is to bypass it via iptables.
>
> Eventually I redirect browser traffic to my proxy machine using the local
> machine's proxy settings, and it redirects traffic to my machine with IP
> x.x.x.x, port 3128.
>
> If I want to use the conservative iptables bypassing, how should I
> configure my machine? And what should the iptables rules look like?
>

Since you are redirecting the traffic to Squid in the first place, all
you have to do is *not* redirect the relevant traffic. See your firewall
software documentation on how to configure that.


The hard part is figuring out which traffic you want the proxy to
service, and what to bypass given only a TCP SYN packet.


Be aware that once a TCP SYN+ACK packet is delivered to accept the
connection, Squid *has* to service that TCP connection in its entirety.
Such 'service' may mean terminating it without any traffic, tunneling it
elsewhere, or full processing of the traffic.
Either way Squid is the agent servicing it. You cannot have iptables
suddenly divert packets to other software mid-stream.


HTH
Amos
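As an added illustration of the "just don't redirect it" approach Amos describes (this is example code, not from the thread or the Squid project), the script below generates the iptables NAT rules for a host that intercepts client HTTP/HTTPS into a local Squid and places RETURN rules for a bypass list ahead of the REDIRECT, so those destinations never produce a SYN at Squid. All values are assumptions: clients arrive on `eth0`, Squid has separate intercept listeners on ports 3129 (http_port intercept) and 3130 (https_port intercept ssl-bump) alongside the forward-proxy port 3128 mentioned in the thread, and the bypass list uses RFC 5737 documentation addresses. The decision is made purely on destination IP and port at SYN time, which is exactly the constraint Amos points out: WSS hosts must therefore be expressed as IPs or CIDRs, not URLs.

```shell
#!/bin/sh
# Added example (not from the thread). Generates, and optionally applies,
# iptables NAT rules that intercept LAN clients' HTTP/HTTPS into Squid while
# letting a fixed list of destination IPs/CIDRs bypass the proxy entirely.
# Assumed values (constructed): LAN interface, Squid intercept ports and the
# bypass list. Squid's intercept ports are distinct from the explicit
# forward-proxy port 3128 used in the thread.

LAN_IF=eth0
HTTP_INTERCEPT_PORT=3129    # squid.conf: http_port 3129 intercept
HTTPS_INTERCEPT_PORT=3130   # squid.conf: https_port 3130 intercept ssl-bump ...
# Constructed bypass list (RFC 5737 documentation ranges): WSS-only hosts.
BYPASS_IPS="203.0.113.10 198.51.100.0/24"

# build_bypass_rules IFACE HTTP_PORT HTTPS_PORT DST...
# Prints one iptables command per line without running anything, so the
# rule set can be reviewed or diffed before it is applied. Order matters:
# the RETURN rules for bypassed destinations must precede the REDIRECT,
# because the first matching rule in nat/PREROUTING decides the SYN's fate.
build_bypass_rules() {
    ifc="$1"; http_port="$2"; https_port="$3"
    shift 3
    for dst in "$@"; do
        # Bypassed destination: leave the packet alone, it goes direct.
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s -m multiport --dports 80,443 -j RETURN\n' \
            "$ifc" "$dst"
    done
    # Everything else on 80/443 is handed to Squid's intercept listeners.
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports %s\n' \
        "$ifc" "$http_port"
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport 443 -j REDIRECT --to-ports %s\n' \
        "$ifc" "$https_port"
}

# count_rules: same arguments as build_bypass_rules; returns the line count,
# useful as a sanity check that every bypass entry produced a rule.
count_rules() {
    build_bypass_rules "$@" | wc -l | tr -d ' '
}

# Usage: sh bypass.sh          -> print the rules for review
#        sh bypass.sh --apply  -> execute them (needs root and ip_forward=1)
main() {
    if [ "$1" = "--apply" ]; then
        build_bypass_rules "$LAN_IF" "$HTTP_INTERCEPT_PORT" "$HTTPS_INTERCEPT_PORT" $BYPASS_IPS | sh -e
    else
        build_bypass_rules "$LAN_IF" "$HTTP_INTERCEPT_PORT" "$HTTPS_INTERCEPT_PORT" $BYPASS_IPS
    fi
}

main "$@"
```

Running it without arguments prints two RETURN lines followed by the two REDIRECT lines; `--apply` pipes the same text into `sh -e`. Because the rules only ever see the SYN, a bypassed host is simply never connected to Squid, which is the only point at which the bypass decision can be made.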

Re: Bypass squid using iptables

Ben Goz
B.H.
> Tunneling it elsewhere,
Where can I tunnel it? And how can I configure my machine to support it?

> You cannot have iptables suddenly divert packets to other software mid-stream.
I want to tunnel it by IP, or translate a group of URLs to IPs. I'm not sure if this is the case that you mentioned,
because I can do it before Squid handles TCP session initialization.

The issue here is, as I said, that I want to bypass WSS and other stuff that Squid can't technically support, for a known list of IPs (or URLs).
Do you have any recommended configuration for this requirement?

Regards,
Ben

Re: Bypass squid using iptables

Amos Jeffries
Administrator
On 25/05/20 10:09 pm, Ben Goz wrote:
> B.H
>> Tunneling it elsewhere,
> Where can I tunnel it? And how can I configure my machine to support it?
>

You will need at least Squid-4, with this line in squid.conf:

  on_unsupported_protocol tunnel

See also <http://www.squid-cache.org/Doc/config/on_unsupported_protocol/>

Squid will blindly tunnel the protocols it does not understand to
whatever server IP:port the client was trying to connect to.


Amos