[squid-users] Bypass squid using iptables

2020-05-20 Thread Ben Goz
B.H.

I'm using Squid with the c-icap module for specific content filtering. I
configured Squid with SSL bump, so websites with WSS won't work on it, as
mentioned in the Squid documentation. So for such URLs (with WSS) I need
to bypass Squid. I read in some posts that Squid doesn't fully support
bypassing URLs and that the best way is to bypass it via iptables.

Eventually I redirect browser traffic to my proxy machine using the local
machine's proxy settings, and it redirects traffic to my machine with IP
x.x.x.x port 3128.

If I want to use the conservative iptables bypassing, how should I configure
my machine? And what should the iptables rules look like?

Any help will be appreciated.
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] Bypass squid using iptables

2020-07-05 Thread Ben Goz
B.H.
Sorry, I tried this and it doesn't work.
Any other suggestions, please?

On Mon, 25 May 2020 at 13:40, Amos Jeffries <squ...@treenet.co.nz> wrote:

> On 25/05/20 10:09 pm, Ben Goz wrote:
> > B.H
> >>Tunneling it elsewhere,
> > Where can I tunnel it? and how can I configure my machine to support it?
> >
>
> You will need at least Squid-4, with this line in squid.conf:
>
>   on_unsupported_protocol tunnel
>
> see also 
>
> Squid will blindly tunnel the protocols it does not understand to
> whatever server IP:port the client was trying to connect to.
>
>
> Amos
>


Re: [squid-users] Bypass squid using iptables

2020-05-24 Thread Amos Jeffries
On 21/05/20 3:49 am, Ben Goz wrote:
> B.H.
> 
> I'm using Squid with the c-icap module for specific content filtering. I
> configured Squid with SSL bump, so websites with WSS won't work on it, as
> mentioned in the Squid documentation. So for such URLs (with WSS) I need
> to bypass Squid. I read in some posts that Squid doesn't fully support
> bypassing URLs and that the best way is to bypass it via iptables.
> 
> Eventually I redirect browser traffic to my proxy machine using the local
> machine's proxy settings, and it redirects traffic to my machine with IP
> x.x.x.x port 3128.
> 
> If I want to use the conservative iptables bypassing, how should I configure
> my machine? And what should the iptables rules look like?
> 

Since you are redirecting the traffic to Squid in the first place, all
you have to do is *not* redirect the relevant traffic. See your firewall
software documentation on how to configure that.


The hard part is figuring out which traffic you want the proxy to
service, and what to bypass given only a TCP SYN packet.


Be aware that once a TCP SYN+ACK packet is delivered to accept the
connection Squid *has* to service that TCP connection in its entirety.
Such 'service' may mean terminating it without any traffic, tunneling it
elsewhere, or full processing of the traffic.
Either way Squid is the agent servicing it. You cannot have iptables
suddenly divert packets to other software mid-stream.


HTH
Amos
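The "just don't redirect it" approach from Amos's reply, as an added example that is not from the thread or from the Squid project. It assumes the interception setup his answer describes (the firewall redirects browser traffic to Squid, rather than browsers using explicit proxy settings), and the interface name, Squid port, ipset name and sample addresses are all placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: ipset/iptables rules for a Squid
# interception setup where the bypass decision is taken on the TCP SYN
# (destination IP:port only), before any packet reaches Squid. Placeholders:
# LAN interface eth1, Squid on 3128 on this host, ipset "squid_bypass" holding
# constructed RFC 5737 sample addresses.
set -eu
LAN_IF="${LAN_IF:-eth1}"
SQUID_PORT="${SQUID_PORT:-3128}"
BYPASS_SET="${BYPASS_SET:-squid_bypass}"

# ipset commands: a hash:ip set is cheap to update when the list of hosts
# Squid cannot service (for example WSS endpoints) changes.
bypass_set_rules() {
    cat <<EOF
-exist create $BYPASS_SET hash:ip
-exist add $BYPASS_SET 203.0.113.10
-exist add $BYPASS_SET 198.51.100.25
EOF
}

# Ordered nat rules. RETURN for bypassed destinations must precede REDIRECT:
# once the SYN is redirected, conntrack applies that verdict to every later
# packet of the flow and Squid owns the connection; nothing diverts it later.
intercept_rules() {
    cat <<EOF
-t nat -N SQUID_INTERCEPT
-t nat -A SQUID_INTERCEPT -m set --match-set $BYPASS_SET dst -j RETURN
-t nat -A SQUID_INTERCEPT -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
-t nat -A SQUID_INTERCEPT -p tcp --dport 443 -j REDIRECT --to-ports $SQUID_PORT
-t nat -A PREROUTING -i $LAN_IF -p tcp -m multiport --dports 80,443 -j SQUID_INTERCEPT
EOF
}

# Feed a rule list to a command: ipset/iptables for real, echo for a dry run.
apply_with() {
    $2 | while IFS= read -r rule; do
        $1 $rule   # splitting $rule into separate arguments is intended
    done
}

# RETURN must come before the first REDIRECT, or the bypass list is dead code.
bypass_precedes_redirect() {
    ret=$(intercept_rules | grep -n -- '-j RETURN' | head -n 1 | cut -d: -f1)
    red=$(intercept_rules | grep -n -- '-j REDIRECT' | head -n 1 | cut -d: -f1)
    [ "$ret" -lt "$red" ]
}
# Dry run by default (prints the rules); APPLY=1 as root installs them.
if [ "${APPLY:-0}" = 1 ]; then IPS=ipset; IPT=iptables; else IPS=echo; IPT=echo; fi
bypass_precedes_redirect && apply_with "$IPS" bypass_set_rules && apply_with "$IPT" intercept_rules
```

Re-running with APPLY=1 needs the SQUID_INTERCEPT chain flushed and deleted first, since `-N` fails on an existing chain. Port 443 interception only makes sense with the ssl-bump https_port the thread already assumes; bypassed hosts are matched by IP, so URL lists have to be resolved into the set beforehand.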


Re: [squid-users] Bypass squid using iptables

2020-05-25 Thread Ben Goz
B.H.
> Tunneling it elsewhere,
Where can I tunnel it? And how can I configure my machine to support it?

> You cannot have iptables suddenly divert packets to other software
> mid-stream.
I want to tunnel it by IP, or translate a group of URLs to IPs. I'm not sure
if this is the case that you mentioned, because I can do it before Squid
handles TCP session initialization.

The issue here is, as I said, that I want to bypass WSS and other stuff that
Squid can't technically support, for a known list of IPs (or URLs).
Do you have any recommended configuration for this requirement?

Regards,
Ben

On Mon, 25 May 2020 at 9:56, Amos Jeffries <squ...@treenet.co.nz> wrote:

> On 21/05/20 3:49 am, Ben Goz wrote:
> > B.H.
> >
> > I'm using Squid with the c-icap module for specific content filtering. I
> > configured Squid with SSL bump, so websites with WSS won't work on it, as
> > mentioned in the Squid documentation. So for such URLs (with WSS) I need
> > to bypass Squid. I read in some posts that Squid doesn't fully support
> > bypassing URLs and that the best way is to bypass it via iptables.
> >
> > Eventually I redirect browser traffic to my proxy machine using the local
> > machine's proxy settings, and it redirects traffic to my machine with IP
> > x.x.x.x port 3128.
> >
> > If I want to use the conservative iptables bypassing, how should I configure
> > my machine? And what should the iptables rules look like?
> >
>
> Since you are redirecting the traffic to Squid in the first place, all
> you have to do is *not* redirect the relevant traffic. See your firewall
> software documentation on how to configure that.
>
>
> The hard part is figuring out which traffic you want the proxy to
> service, and what to bypass given only a TCP SYN packet.
>
>
> Be aware that once a TCP SYN+ACK packet is delivered to accept the
> connection Squid *has* to service that TCP connection in its entirety.
> Such 'service' may mean terminating it without any traffic, tunneling it
> elsewhere, or full processing of the traffic.
> Either way Squid is the agent servicing it. You cannot have iptables
> suddenly divert packets to other software mid-stream.
>
>
> HTH
> Amos


Re: [squid-users] Bypass squid using iptables

2020-05-25 Thread Amos Jeffries
On 25/05/20 10:09 pm, Ben Goz wrote:
> B.H
>>Tunneling it elsewhere,
> Where can I tunnel it? and how can I configure my machine to support it?
> 

You will need at least Squid-4, with this line in squid.conf:

  on_unsupported_protocol tunnel

see also 

Squid will blindly tunnel the protocols it does not understand to
whatever server IP:port the client was trying to connect to.


Amos