[squid-users] bypass

[hadi]

I  need some clarification regard my code,
If the user bypass SplashRules.html and enter in the url SplashAccepted.html
it will allow internet for him ? and will create session for him ? or he
have to go thru SplashRules.html ?
I want to restrict the user to SplashRules.html then click on agree button
to browse the net 
My question here what if he bypass SplashRules.html and enter in url
address of SplashAccepted.html is going to allow him for accessing  the net
?


1. external_acl_type session concurrency=100 ttl=3 %SRC
/usr/lib/squid3/ext_session_acl -a -T 10800 -b /etc/squid3/session/
2. 
3. acl session_login external session LOGIN
4. 
5. external_acl_type session_active_def concurrency=100 ttl=3 %SRC
/usr/lib/squid3/ext_session_acl -a -T 10800 -b /etc/squid3/session/
6. 
7. acl session_is_active external session_active_def
8. acl clicked_login_url urlpath_regex -i SplashAccepted.html
9. 
10. acl Bypass_Cache_Peer dstdomain .guestwifi.local
11. acl splash dstdomain .guestwifi.local
12. 
13. deny_info http://service.guestwifi.local/SplashRules.html
session_is_active
14. 
15. http_access allow clicked_login_url session_login
16. http_access allow splash
17. http_access deny !session_is_active

[squid-users] Bypass ICAP

[Thiago Cruz]

Hi all,

Is it possible to bypass the ICAP when the acl
"sites_no_authentication" match?  I'd like to do this because this ACL
don't require user authentication and the icap server only accept
request that send user authentication.

acl sites_no_authentication url_regex "/etc/squid/sites_no_auth"
http_access allow sites_no_authentication
always_direct allow sites_no_authentication

icap_service service_1 reqmod_precache 0 icap://127.0.0.1:1344/wwreqmod
icap_service service_2 respmod_precache 0 icap://127.0.0.1:1344/wwrespmod
icap_class filtro_url service_1 service_2
icap_access filtro_url allow all

I'm using squid Version 3.0.PRE6-20070718.

Regards,
Thiago Cruz

[squid-users] Bypass squid

[rick bohaty]

I am using squid and have set my workstations to point
to the squid server as the default gateway. Problem is
I have non-http programs that need to get out to the
interent. How do I tell squid to pass these requests
on to the internet?

Thanx

__
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com

[squid-users] bypass localnet

[Norman Zhang]

Hi,

I have proxy setup to authenticate users via NTLM for internet access. I
can't seem to able to allow local users to bypass authentication for
localsubnets http access. May I asked what ACL I need to set?

Regards,
Norman

external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group

acl ProxyUsers external NT_global_group ProxyUsers
acl authusrs proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl localnet src 192.168.x.0/26 192.168.y.0/25

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# http_access allow localnet
http_access allow authusrs ProxyUsers
# http_access allow authusrs localnet
http_access allow localhost
http_access deny all

[squid-users] bypass=on?

[Ralf Hildebrandt]

>From my log:

Nov 23 18:00:34 proxy-cbf-1 squid[5874]: Reconfiguring Squid Cache (version 
3.4.0.2-20131115-r13027)...
Nov 23 18:00:34 proxy-cbf-1 squid[5874]: Closing HTTP port 0.0.0.0:8080
Nov 23 18:00:34 proxy-cbf-1 squid[5874]: Stop receiving ICP on 0.0.0.0:3130
Nov 23 18:00:34 proxy-cbf-1 squid[5874]: Closing SNMP receiving port 
0.0.0.0:3401
Nov 23 18:00:34 proxy-cbf-1 squid[5874]: Stop sending ICP from 0.0.0.0:3130
Nov 23 18:00:34 proxy-cbf-1 squid[5874]: Logfile: closing log 
stdio:/var/log/squid3/access.log
Nov 23 18:00:34 proxy-cbf-1 squid[5874]: Startup: Initializing Authentication 
Schemes ...
Nov 23 18:00:34 proxy-cbf-1 squid[5874]: Startup: Initialized Authentication 
Scheme 'basic'
Nov 23 18:00:34 proxy-cbf-1 squid[5874]: Startup: Initialized Authentication 
Scheme 'digest'
Nov 23 18:00:34 proxy-cbf-1 squid[5874]: Startup: Initialized Authentication 
Scheme 'negotiate'
Nov 23 18:00:34 proxy-cbf-1 squid[5874]: Startup: Initialized Authentication 
Scheme 'ntlm'
Nov 23 18:00:34 proxy-cbf-1 squid[5874]: Startup: Initialized Authentication.
Nov 23 18:00:34 proxy-cbf-1 squid[5874]: Processing Configuration File: 
/etc/squid3/squid.conf (depth 0)
Nov 23 18:00:34 proxy-cbf-1 squid[5874]: Processing Configuration File: 
/etc/squid3/squid-icap.conf.3.3 (depth 1)
Nov 23 18:00:34 proxy-cbf-1 squid[5874]: UPGRADE: Please use 'bypass=on' option 
to enable service bypass

my /etc/squid3/squid-icap.conf.3.3 looks like this; I already have
"bypass=on" statement:

icap_enable on

icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User

icap_preview_enable on
icap_preview_size 1024

icap_service_failure_limit -1

icap_service service_resp respmod_precache bypass=on 
icap://127.0.0.1:1344/srv_clamav
icap_service service_req  reqmod_precache  bypass=on 
icap://127.0.0.1:1344/srv_clamav
# Im Fehlerfall - bypass!

adaptation_access service_resp allow all
adaptation_access service_req  allow all

# someone can setup his/her squid to get c-icap statistics from the web
acl infoaccess dstdomain icap.info

icap_service service_info reqmod_precache 1 icap://127.0.0.1:1344/info
adaptation_service_set class_info service_info

adaptation_access class_info allow infoaccess
adaptation_access class_info deny all

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
http://www.charite.de  Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155

[squid-users] bypass ICAP

[[EMAIL PROTECTED]]

hi list,
I got the latest stable version 2.5STABLE13
with the ICAP patch running.

How to bypass ICAP for some URL´s?
Can I do this with acls?

like that:
> acl foobar_server url_regex foobar\.com
> icap_access class_1 allow !foobar_server all

I want to pass all the requests to the
ICAP server except some urls.

I know there is a bypass feature implemented but
this only works when the ICAP server is not reachable.

thx
doehni

[squid-users] Bypass Squid

[Brad Taylor]

Incase Squid failed but the box/OS didn't is there a way allow a request
to go through to the web server?   

[squid-users] bypass squid

[Nont Banditwong]

Dear Group,
I've a problem about transparent proxy using squid but it is not squid 
problem
I've a stock trading program that communicate with it's server by port 
80 before
traffic redirected to squid this program work well but after it's 
redirected the program
can not login and get any data. I've discover the problem and find that 
this program
use ftp protocol instead of http on port 80. Is there a way to bypass 
this traffic to
origin server directly ?

Thank you.

[squid-users] bypass certain IP

[Said Jaffer]

Hello,

I have a Centos configured as bridge, squid running in transparent mode, tproxy.

I would like to exclude few IP from not being redirected, as few
routers are getting spoofing errors.

the below rule is running,

iptables -t tproxy -A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j
TPROXY --on-port 3128

what iptables rules do i need to bypass certain IPS from redirections.


Many thanks.

[squid-users] Bypass ICAP somehow?

[Ralf Hildebrandt]

Can I selectively bypass the use of ICAP (we're using c-icap) for certain
* client IPs
* destination URLs
* destination IPs

Squid 3.2.0.x

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de

Re: [squid-users] Bypass ICAP

[Henrik Nordstrom]

On mån, 2007-09-17 at 18:41 -0300, Thiago Cruz wrote:
> Hi all,
> 
> Is it possible to bypass the ICAP when the acl
> "sites_no_authentication" match?  I'd like to do this because this ACL
> don't require user authentication and the icap server only accept
> request that send user authentication.
> 
> acl sites_no_authentication url_regex "/etc/squid/sites_no_auth"
> http_access allow sites_no_authentication
> always_direct allow sites_no_authentication
> 
> icap_service service_1 reqmod_precache 0 icap://127.0.0.1:1344/wwreqmod
> icap_service service_2 respmod_precache 0 icap://127.0.0.1:1344/wwrespmod
> icap_class filtro_url service_1 service_2

icap_access filtro_url deny sites_no_authentication

> icap_access filtro_url allow all

Regards
Henrik


signature.asc
Description: This is a digitally signed message part

[squid-users] bypass squid cache

[simon benedict]

Dear All,

i have been using squid on Red hat linux for a long
time and its workin perfectly fine

recently we changed our ISP and we found that our
users on private IP's were not able to sign in with
YAHOO MESSANGER OR WINDOWS MESSANGER.

when contacted the ISP it was told that we have to
bypass the squid cache and probably it may work


i tried googling but was not very sucessful..

apprecite if anyone can advise n let me know if i
could bypass squid cache for YAHOO MESSANGER and
WINDOWS MESSNAGER for my private ip users

but all the browsing works perfect

Really appreciate your help


regards

simon



  

Looking for last minute shopping deals?  
Find them fast with Yahoo! Search.  
http://tools.search.yahoo.com/newsearch/category.php?category=shopping

[squid-users] bypass urls - wccp

[Alexandre Correa]

Hello,

How to tell wccp to no redirect some urls to proxy ?

-- 

Sds.
Alexandre J. Correa
Onda Internet / OPinguim.net
http://www.ondainternet.com.br
http://www.opinguim.net

[squid-users] BYPASS UPON FAILURE

[Sadiq Walji]

Hello,
I am new to squid and we have squid caching running on a server for users
and have a query as follows:

When squid fails, all the users cannot browse and we have to manually stop
squid to bypass it. Is there any way/feature that enables to bypass squid
automatically if and when it fails or has some problems?

Kindly assist
Thanks,
Sadiq Walji

Re: [squid-users] Bypass squid

[Joel Jaeggli]

you don't... in linux you would use iptables to forward packets on behalf 
of the internal network... squid is just an http proxy it won't take out 
your trash or wash your car.

joelja

 On Mon, 28 Jul 2003, rick bohaty wrote:

> I am using squid and have set my workstations to point
> to the squid server as the default gateway. Problem is
> I have non-http programs that need to get out to the
> interent. How do I tell squid to pass these requests
> on to the internet?
> 
> Thanx
> 
> __
> Do you Yahoo!?
> Yahoo! SiteBuilder - Free, easy-to-use web site design software
> http://sitebuilder.yahoo.com
> 

-- 
-- 
Joel Jaeggli  Academic User Services   [EMAIL PROTECTED]
--PGP Key Fingerprint: 1DE9 8FCA 51FB 4195 B42A 9C32 A30D 121E  --
  In Dr. Johnson's famous dictionary patriotism is defined as the last
  resort of the scoundrel.  With all due respect to an enlightened but
  inferior lexicographer I beg to submit that it is the first.
-- Ambrose Bierce, "The Devil's Dictionary"

RE: [squid-users] Bypass squid

[Mark A. Lewis]

Guess I need to get my squid box out of the driveway and take away the
sponge then

-Original Message-
From: Joel Jaeggli [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 28, 2003 11:44 AM
To: rick bohaty
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] Bypass squid

you don't... in linux you would use iptables to forward packets on
behalf 
of the internal network... squid is just an http proxy it won't take out

your trash or wash your car.

joelja

 On Mon, 28 Jul 2003, rick bohaty wrote:

> I am using squid and have set my workstations to point
> to the squid server as the default gateway. Problem is
> I have non-http programs that need to get out to the
> interent. How do I tell squid to pass these requests
> on to the internet?
> 
> Thanx
> 
> __
> Do you Yahoo!?
> Yahoo! SiteBuilder - Free, easy-to-use web site design software
> http://sitebuilder.yahoo.com
> 

-- 

-- 
Joel Jaeggli  Academic User Services
[EMAIL PROTECTED]
--PGP Key Fingerprint: 1DE9 8FCA 51FB 4195 B42A 9C32 A30D 121E
--
  In Dr. Johnson's famous dictionary patriotism is defined as the last
  resort of the scoundrel.  With all due respect to an enlightened but
  inferior lexicographer I beg to submit that it is the first.
-- Ambrose Bierce, "The Devil's Dictionary"

**
This message was virus scanned at mail.siliconjunkie.net and
any known viruses were removed. For a current virus list
see http://www.siliconjunkie.net/antivirus/list.html

Re: [squid-users] Bypass squid

[Henrik Nordstrom]

On Monday 28 July 2003 19.03, Mark A. Lewis wrote:
> Guess I need to get my squid box out of the driveway and take away
> the sponge then

Not at all.

You only need to make that box (not Squid) do yet another function, 
forwarding of non-HTTP traffic (most likely using NAT/masquerade).

Squid is NOT a box. Squid is a HTTP proxy which runs on top of more or 
less any reasonably modern operating system. Other functions like 
email, irc, firewalling, NAT, routing etc needs other software, but 
all can perfectly fine share the very same box provided the operating 
system used can support them..

Squid only claims to be a HTTP proxy. Squid never claims world 
domination or to be able to solve all your problems. The developers 
of Squid believe it is better to use several smaller software each 
specialized in performing their respective functions really well than 
trying to make a single huge software which tries to do everything at 
once but not so good.

-- 
Donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org

If you need commercial Squid support or cost effective Squid or
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, [EMAIL PROTECTED]

Re: [squid-users] bypass localnet

[Adam Aube]

>I have proxy setup to authenticate users via NTLM for internet access.
I
>can't seem to able to allow local users to bypass authentication for
>localsubnets http access. May I asked what ACL I need to set?

You need to create a dst acl with the IP addresses for your local
subnet, then put an http_access line allowing access to that acl
before your http_access line that requires authentication.

See the default Squid.conf and the FAQ if you need more info.

Adam

Re: [squid-users] bypass=on?

[Amos Jeffries]

On 26/11/2013 2:02 a.m., Ralf Hildebrandt wrote:
> Nov 23 18:00:34 proxy-cbf-1 squid[5874]: UPGRADE: Please use 'bypass=on' 
> option to enable service bypass
> 
> my /etc/squid3/squid-icap.conf.3.3 looks like this; I already have
> "bypass=on" statement:
> 


> 
> icap_service service_info reqmod_precache 1 icap://127.0.0.1:1344/info

I believe its talking about this one  ^^^.

Amos

Re: [squid-users] bypass=on?

[Ralf Hildebrandt]

* Amos Jeffries :

> > icap_service service_info reqmod_precache 1 icap://127.0.0.1:1344/info
> 
> I believe its talking about this one  ^^^.

Oh yes. Damn.

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
http://www.charite.de  Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155

Re: [squid-users] bypass ICAP

[[EMAIL PROTECTED]]

here is the answer

a) put some URLs in bypass.txt u want to bypass ICAP
b) and change the squid.conf like

acl bypass url_regex "/etc/squid/bypass.txt"
icap_enable on
icap_send_client_ip on
icap_send_auth_user on
icap_auth_scheme Local://%u
icap_service service_1 reqmod_precache 0 icap://127.0.0.1:1344/wwreqmod
icap_service service_2 respmod_precache 0 icap://127.0.0.1:1344/wwrespmod
icap_class class_1 service_1 service_2
icap_access class_1 deny bypass
icap_access class_1 allow all

cheers
doehni




[EMAIL PROTECTED] wrote:

hi list,
I got the latest stable version 2.5STABLE13
with the ICAP patch running.

How to bypass ICAP for some URL´s?
Can I do this with acls?

like that:

acl foobar_server url_regex foobar\.com
icap_access class_1 allow !foobar_server all


I want to pass all the requests to the
ICAP server except some urls.

I know there is a bypass feature implemented but
this only works when the ICAP server is not reachable.

Re: [squid-users] Bypass Squid

[Andreas Pettersson]

Yes, use a proxy.pac autoconfiguration file on your clients.

/Andreas


- Ursprungligt meddelande - 
Från: "Brad Taylor" <[EMAIL PROTECTED]>
Till: <[EMAIL PROTECTED]>
Skickat: den 7 september 2004 17:37
Ämne: [squid-users] Bypass Squid


> Incase Squid failed but the box/OS didn't is there a way allow a request
> to go through to the web server?   
>

RE: [squid-users] Bypass Squid

[Brad Taylor]

Sorry, I mean when squid is used for web acceleration.

-Original Message-
From: Andreas Pettersson [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 07, 2004 11:47 AM
To: squid-users
Subject: Re: [squid-users] Bypass Squid

Yes, use a proxy.pac autoconfiguration file on your clients.

/Andreas


- Ursprungligt meddelande - 
Från: "Brad Taylor" <[EMAIL PROTECTED]>
Till: <[EMAIL PROTECTED]>
Skickat: den 7 september 2004 17:37
Ämne: [squid-users] Bypass Squid


> Incase Squid failed but the box/OS didn't is there a way allow a
request
> to go through to the web server?   
> 

Re: [squid-users] Bypass Squid

[Henrik Nordstrom]

On Tue, 7 Sep 2004, Brad Taylor wrote:
Incase Squid failed but the box/OS didn't is there a way allow a request
to go through to the web server?
Trivial if using proxy autoconfiguration scripts.. just have DIRECT as the 
second option.

Regards
Henrik

RE: [squid-users] Bypass Squid

[Brad Taylor]

What about when using Squid in web server acceleration mode?


-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: Saturday, September 11, 2004 6:52 AM
To: Brad Taylor
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] Bypass Squid

On Tue, 7 Sep 2004, Brad Taylor wrote:

> Incase Squid failed but the box/OS didn't is there a way allow a
request
> to go through to the web server?

Trivial if using proxy autoconfiguration scripts.. just have DIRECT as
the 
second option.

Regards
Henrik

RE: [squid-users] Bypass Squid

[Henrik Nordstrom]

On Sun, 12 Sep 2004, Brad Taylor wrote:
What about when using Squid in web server acceleration mode?
What about it?
If you want clients to bypass the accelerator then they need to speak 
directly to the web server.

You can however make Squid bypass the cache if this is what you are 
looking for. See no_cache.

Regards
Henrik

RE: [squid-users] Bypass Squid

[Brad Taylor]

I'm wondering how I could redirect the client request to the back end
server if Squid stopped working for some reason. This would be while
squid was in reverse proxy mode and we would not have access to the
clients.  Any thoughts on if this could be done?

-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: Monday, September 13, 2004 4:17 AM
To: Brad Taylor
Cc: Henrik Nordstrom; [EMAIL PROTECTED]
Subject: RE: [squid-users] Bypass Squid

On Sun, 12 Sep 2004, Brad Taylor wrote:

> What about when using Squid in web server acceleration mode?

What about it?

If you want clients to bypass the accelerator then they need to speak 
directly to the web server.

You can however make Squid bypass the cache if this is what you are 
looking for. See no_cache.

Regards
Henrik

RE: [squid-users] Bypass Squid

[Chris Perreault]

 

-Original Message-
From: Brad Taylor [mailto:[EMAIL PROTECTED] 
Sent: Monday, September 13, 2004 11:08 AM
To: Henrik Nordstrom
Cc: [EMAIL PROTECTED]
Subject: RE: [squid-users] Bypass Squid

I'm wondering how I could redirect the client request to the back end server
if Squid stopped working for some reason. This would be while squid was in
reverse proxy mode and we would not have access to the clients.  Any
thoughts on if this could be done?


`
~

A public DNS record has an entry saying 12.12.12.12 is what yoursite.com
resolves to. Squid (at 12.12.12.12) is saying traffic coming in to
yoursite.com should really go to 10.10.10.10, on your back-end network.
Squid goes down and it is just like your webserver goes down. What happens
if your webserver goes down and your clients don't have access to it?

Ie: your webserver is critical, so there are two of them, for
redundancy/failover. If your webserver is that critical, then your
infrastructure to it should be just as redundant so you don't have a single
point of failure. In that case, having two squid boxes set up for failover
would do the trick.

OR...call the person who manages DNS for you and have them change the IP
address to wherever your website can be reached.

OR..unplug squid and let traffic through to the back end
webserver...although it would be more secure to move the webserver to
wherever squid sits and give it the 12.12.12.12. ip address.

In a nutshell, everyone thinks your proxy is your webserver. If it goes down
people will still try to reach it.

Chris

RE: [squid-users] Bypass Squid

[Henrik Nordstrom]

On Mon, 13 Sep 2004, Brad Taylor wrote:
I'm wondering how I could redirect the client request to the back end
server if Squid stopped working for some reason. This would be while
squid was in reverse proxy mode and we would not have access to the
clients.  Any thoughts on if this could be done?
How is the requests getting to Squid? Change that to refer to the backend.
Or use a TCP plug or similar "trivial proxy" in place of Squid.
Regards
Henrik

RE: [squid-users] Bypass Squid

[Brad Taylor]

I guess I'm looking for a way for the Squid server to check that port 80
and 443 are being accepted.  If for some reason they are not, I'd like
traffic to just be forwarded to the backend server.  What ways could
this be done?

-Original Message-
From: Chris Perreault [mailto:[EMAIL PROTECTED] 
Sent: Monday, September 13, 2004 12:04 PM
To: Brad Taylor
Cc: [EMAIL PROTECTED]
Subject: RE: [squid-users] Bypass Squid

 

-Original Message-
From: Brad Taylor [mailto:[EMAIL PROTECTED] 
Sent: Monday, September 13, 2004 11:08 AM
To: Henrik Nordstrom
Cc: [EMAIL PROTECTED]
Subject: RE: [squid-users] Bypass Squid

I'm wondering how I could redirect the client request to the back end
server
if Squid stopped working for some reason. This would be while squid was
in
reverse proxy mode and we would not have access to the clients.  Any
thoughts on if this could be done?


`
~

A public DNS record has an entry saying 12.12.12.12 is what yoursite.com
resolves to. Squid (at 12.12.12.12) is saying traffic coming in to
yoursite.com should really go to 10.10.10.10, on your back-end network.
Squid goes down and it is just like your webserver goes down. What
happens
if your webserver goes down and your clients don't have access to it?

Ie: your webserver is critical, so there are two of them, for
redundancy/failover. If your webserver is that critical, then your
infrastructure to it should be just as redundant so you don't have a
single
point of failure. In that case, having two squid boxes set up for
failover
would do the trick.

OR...call the person who manages DNS for you and have them change the IP
address to wherever your website can be reached.

OR..unplug squid and let traffic through to the back end
webserver...although it would be more secure to move the webserver to
wherever squid sits and give it the 12.12.12.12. ip address.

In a nutshell, everyone thinks your proxy is your webserver. If it goes
down
people will still try to reach it.

Chris

RE: [squid-users] Bypass Squid

[Brad Taylor]

> I'm wondering how I could redirect the client request to the back end
> server if Squid stopped working for some reason. This would be while
> squid was in reverse proxy mode and we would not have access to the
> clients.  Any thoughts on if this could be done?

>>How is the requests getting to Squid? Change that to refer to the
backend.

DNS, not really an option.  Other than an extra Squid server, I'm
looking for something real time.

>>Or use a TCP plug or simlar "trivial proxy" in place of Squid.

Could the TCP plug or "trivial proxy" be activated only if Squid failed?
Do you know where I could find more info on doing something like this?

Brad

RE: [squid-users] Bypass Squid

[Henrik Nordstrom]

On Mon, 13 Sep 2004, Brad Taylor wrote:
How is the requests getting to Squid? Change that to refer to the
backend.
DNS, not really an option.  Other than an extra Squid server, I'm
looking for something real time.
Which leaves IP or proxying.
Or use a TCP plug or simlar "trivial proxy" in place of Squid.
Could the TCP plug or "trivial proxy" be activated only if Squid failed? 
Do you know where I could find more info on doing something like this?
xinetd includes simple TCP plog or port forwarding as it is alsok known 
by, but there exists very many different such software. One of the older 
(and from where the name comes) is the tcp plug in the TIS Firewall 
Toolkit.

There is about as many ways to doing this as there is words in this 
message. Too many to describe them all. None is really related to Squid, 
just how to get traffic from one place to another.

Regards
Henrik

Re: [squid-users] Bypass Squid

[Hendrik Voigtländer]

Chris Perreault wrote:
> OR...call the person who manages DNS for you and have them change the IP
> address to wherever your website can be reached.
>
I think changing DNS information is not an option as it will not work 
immediately due to DNS caching.

Regards, Hendrik Voigtländer

RE: [squid-users] Bypass Squid

[Chris Perreault]

I agree...and assummed he knew this too. He wanted users to end up at a
different physical server and without a second failover solution that was
the only thing I could think of to try and explain how users ended up at his
servers. Once you hit squid, you are there. If you look for squid and it's
failed, you are stuck, it can't just pass you through anyways. 

-Original Message-
From: Hendrik Voigtländer [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 14, 2004 10:03 AM
To: Chris Perreault
Cc: Brad Taylor; [EMAIL PROTECTED]
Subject: Re: [squid-users] Bypass Squid

Chris Perreault wrote:

 > OR...call the person who manages DNS for you and have them change the IP
> address to wherever your website can be reached.
 >

I think changing DNS information is not an option as it will not work
immediately due to DNS caching.

Regards, Hendrik Voigtländer

Re: [squid-users] Bypass Squid

[Hendrik Voigtländer]

Chris Perreault wrote:
I agree...and assummed he knew this too. He wanted users to end up at a
different physical server and without a second failover solution that was
the only thing I could think of to try and explain how users ended up at his
servers. Once you hit squid, you are there. If you look for squid and it's
failed, you are stuck, it can't just pass you through anyways. 

Exactly :-)
I think your mentioned "second failover" would be the solution. Two 
squid boxes either with a load balancer(s) or a cluster software should 
do the trick, but the ultimate goal would be to eliminate all single 
point of failures. Internet connection, firewall, reverse proxy, 
webserver, databases On the other hand HA systems are more complex 
and may fail to switch over if the time has come.

A simpler approach would be to make every box as reliable as possible.
Decent hardware, a hardened setup, a good monitoring, a standby server 
and an operator in stand-by (hope I found the right word for this :-).
There is no use to build an HA system on crappy hardware...

As for squid I think it can run ages without any problem, I have never 
seen squid itself crashing on its own, it was always my fault - e.g. 
misconfiguration.

Regards, Hendrik Voigtländer

RE: [squid-users] Bypass Squid

[Brad Taylor]

What about something like this?

#!/bin/sh
while [ 1 ]; do
TEST_SQUID=`netstat -a | grep -c https
if [ "$TEST_SQUID" -gt 0 ]; then
something here that starts forwarding https (iptables or
xinetd)? 
fi
sleep 60
done


and other 

#!/bin/sh
while [ 1 ]; do
TEST_SQUID=`netstat -a | grep -c :httpd
if [ "$TEST_SQUID" -gt 2 ]; then
something here that starts forwarding https (iptables or
xinetd)?
fi
sleep 60
done


I think I would also need a way of combining these into one.




-Original Message-
From: Hendrik Voigtländer [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, September 14, 2004 2:01 PM
To: Chris Perreault
Cc: [EMAIL PROTECTED]
Subject: Re: [squid-users] Bypass Squid

Chris Perreault wrote:
> I agree...and assummed he knew this too. He wanted users to end up at
a
> different physical server and without a second failover solution that
was
> the only thing I could think of to try and explain how users ended up
at his
> servers. Once you hit squid, you are there. If you look for squid and
it's
> failed, you are stuck, it can't just pass you through anyways. 
> 
Exactly :-)

I think your mentioned "second failover" would be the solution. Two 
squid boxes either with a load balancer(s) or a cluster software should 
do the trick, but the ultimate goal would be to eliminate all single 
point of failures. Internet connection, firewall, reverse proxy, 
webserver, databases On the other hand HA systems are more complex 
and may fail to switch over if the time has come.

A simpler approach would be to make every box as reliable as possible.
Decent hardware, a hardened setup, a good monitoring, a standby server 
and an operator in stand-by (hope I found the right word for this :-).
There is no use to build an HA system on crappy hardware...

As for squid I think it can run ages without any problem, I have never 
seen squid itself crashing on its own, it was always my fault - e.g. 
misconfiguration.

Regards, Hendrik Voigtländer

[squid-users] bypass proxy query

[simon benedict]

Hi all,

I have been using squid proxy for last couple of
months and is workin grt.
but recently I had to implement internet access time
for certain clients

the exact scenario is like this

I have 4  networks using my squid proxy server

172.16.2.0 network

172.16.3.0 , 172.16.4.0 and 172.16.5.0 network


the 172.16.2.0 network users are allowed for full time
usage but the 172.16.3.0, 172.16.4.0 and 172.16.5.0
network users are allowed to use the proxy for
internet only from 7 am to 10 am which is working
perfectly fine

now we have internal webservers which are in domain
called mydomain.com have to be accessed all the time.
But after 10 am these local sites are not accessable
until and unless every client browser has bypass proxy
option checked in their respective browser mentioning
the host names names .

Now is there a way to access the local sites after the
time is over and without having the clients check the
bypass proxy option.
I tried to use the always_direct tag but it dosent
work.

Apprecite if someone can let me know with an example


thanks and regards

Benedict




__
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!
http://promotions.yahoo.com/new_mail

RE: [squid-users] bypass squid

[Elsen Marc]

 
> 
> Dear Group,
> 
> I've a problem about transparent proxy using squid but it is 
> not squid 
> problem
> I've a stock trading program that communicate with it's 
> server by port 
> 80 before
> traffic redirected to squid this program work well but after it's 
> redirected the program
> can not login and get any data. I've discover the problem and 
> find that 
> this program
> use ftp protocol instead of http on port 80. Is there a way to bypass 
> this traffic to
> origin server directly ?
> 

 Bypassing needs to be done at the device which redirects traffic
 to squid.
 Once SQUID receives a request, squid has to deal with it (by definition).

 M.

Re: [squid-users] bypass squid

[Kinkie]

On Thu, 2005-01-06 at 14:40 +0700, Nont Banditwong wrote:
> Dear Group,
> 
> I've a problem about transparent proxy using squid but it is not squid 
> problem
> I've a stock trading program that communicate with it's server by port 
> 80 before
> traffic redirected to squid this program work well but after it's 
> redirected the program
> can not login and get any data. I've discover the problem and find that 
> this program
> use ftp protocol instead of http on port 80. Is there a way to bypass 
> this traffic to
> origin server directly ?

What OS are you running?

Kinkie

Re: [squid-users] bypass certain IP

[Henrik Nordstrom]

lör 2009-10-10 klockan 18:43 +0300 skrev Said Jaffer:
> Hello,
> 
> I have a Centos configured as bridge, squid running in transparent mode, 
> tproxy.
> 
> I would like to exclude few IP from not being redirected, as few
> routers are getting spoofing errors.
> 
> the below rule is running,
> 
> iptables -t tproxy -A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j
> TPROXY --on-port 3128
> 
> what iptables rules do i need to bypass certain IPS from redirections.

You need to add an ACCEPT rule in the same table & chain before this.

Regards
Henrik

Re: [squid-users] bypass certain IP

[Amos Jeffries]

Said Jaffer wrote:

Hello,

I have a Centos configured as bridge, squid running in transparent mode, tproxy.

I would like to exclude few IP from not being redirected, as few
routers are getting spoofing errors.

the below rule is running,

iptables -t tproxy -A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j
TPROXY --on-port 3128


That is only one of 6 rules needed for TPROXY to work reliably. Check 
that you have DIVERT ones...




what iptables rules do i need to bypass certain IPS from redirections.


Many thanks.


Spoofing errors?
 - in that the routers are doing something (ie NAT) and the spoofing 
goes triangular and hangs?

 - or that Squid reports 'cannot bind' for certain IP consistently?

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
  Current Beta Squid 3.1.0.14

Re: [squid-users] Bypass ICAP somehow?

[Kinkie]

On Wed, Feb 9, 2011 at 9:08 AM, Ralf Hildebrandt
 wrote:
> Can I selectively bypass the use of ICAP (we're using c-icap) for certain
> * client IPs
> * destination URLs
> * destination IPs

You can check http://www.squid-cache.org/Doc/config/icap_access/ out.



-- 
    /kinkie

Re: [squid-users] Bypass ICAP somehow?

[Ralf Hildebrandt]

* Kinkie :
> On Wed, Feb 9, 2011 at 9:08 AM, Ralf Hildebrandt
>  wrote:
> > Can I selectively bypass the use of ICAP (we're using c-icap) for certain
> > * client IPs
> > * destination URLs
> > * destination IPs
> 
> You can check http://www.squid-cache.org/Doc/config/icap_access/ out.

Thanks. Stupid me. I'm now using:

acl cornils src 141.42.x.y
adaptation_access service_req deny  cornils
adaptation_access service_req allow all

adaptation_access service_resp deny  cornils
adaptation_access service_resp allow all

Does that look about right?

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de

Re: [squid-users] Bypass ICAP somehow?

[Helmut Hullen]

Hallo, Kinkie,

Du meintest am 09.02.11:

>> Can I selectively bypass the use of ICAP (we're using c-icap) for
>> certain * client IPs
>> * destination URLs
>> * destination IPs

> You can check http://www.squid-cache.org/Doc/config/icap_access/ out.

   "This option is deprecated. Please use adaptation_access,"



Viele Gruesse!
Helmut

Re: [squid-users] Bypass ICAP somehow?

[Ralf Hildebrandt]

* Ralf Hildebrandt :

> Thanks. Stupid me. I'm now using:
> 
> acl cornils src 141.42.x.y
> adaptation_access service_req deny  cornils
> adaptation_access service_req allow all
> 
> adaptation_access service_resp deny  cornils
> adaptation_access service_resp allow all
> 
> Does that look about right?

It's working :)

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de

Re: [squid-users] bypass squid cache

[Amos Jeffries]

simon benedict wrote:

Dear All,

i have been using squid on Red hat linux for a long
time and its workin perfectly fine

recently we changed our ISP and we found that our
users on private IP's were not able to sign in with
YAHOO MESSANGER OR WINDOWS MESSANGER.

when contacted the ISP it was told that we have to
bypass the squid cache and probably it may work


Unless you recently added the proxy it should be working exactly as it 
was before the ISP change.


Do you have any more details on this that might give us a better idea of 
your situation and problem?

Which version of squid?
Are your users configured to explicitly use the proxy?
... or transparently intercepted?
Are you sure the IM are even using the proxy? most actually don't 
without going to some trouble to make them.


Thanks




i tried googling but was not very sucessful..

apprecite if anyone can advise n let me know if i
could bypass squid cache for YAHOO MESSANGER and
WINDOWS MESSNAGER for my private ip users

but all the browsing works perfect

Really appreciate your help


regards

simon



Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.

RE: [squid-users] bypass squid cache

[Nikolas]

Dear Simon,

How was your network topology? 
Does all connection through proxy first or router box first? 
Try caching only for port 80 (http), and bypass the others.
Maybe a glance on your squid.conf might help us understanding your
problem.

Regards,
Nikolas
-Original Message-
From: simon benedict [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, January 16, 2008 1:48 PM
To: squid-users@squid-cache.org
Subject: [squid-users] bypass squid cache

Dear All,

i have been using squid on Red hat linux for a long
time and its workin perfectly fine

recently we changed our ISP and we found that our
users on private IP's were not able to sign in with
YAHOO MESSANGER OR WINDOWS MESSANGER.

when contacted the ISP it was told that we have to
bypass the squid cache and probably it may work


i tried googling but was not very sucessful..

apprecite if anyone can advise n let me know if i
could bypass squid cache for YAHOO MESSANGER and
WINDOWS MESSNAGER for my private ip users

but all the browsing works perfect

Really appreciate your help


regards

simon



 


Looking for last minute shopping deals?  
Find them fast with Yahoo! Search.
http://tools.search.yahoo.com/newsearch/category.php?category=shopping

Re: [squid-users] bypass squid cache

[nima sadeghian]

Dear simon. I think the problem is in ur ISP:
1- do they cache transparently or by hardware the bandwidth? It may cause this.
2- do they have tcp filtering rulls on their switch or router wich u
get bandwitdth?
3- ask about it from them, I think you donot recieve Virgine!! bandwidth;)
nima

On 1/16/08, simon benedict <[EMAIL PROTECTED]> wrote:
> Dear All,
>
> i have been using squid on Red hat linux for a long
> time and its workin perfectly fine
>
> recently we changed our ISP and we found that our
> users on private IP's were not able to sign in with
> YAHOO MESSANGER OR WINDOWS MESSANGER.
>
> when contacted the ISP it was told that we have to
> bypass the squid cache and probably it may work
>
>
> i tried googling but was not very sucessful..
>
> apprecite if anyone can advise n let me know if i
> could bypass squid cache for YAHOO MESSANGER and
> WINDOWS MESSNAGER for my private ip users
>
> but all the browsing works perfect
>
> Really appreciate your help
>
>
> regards
>
> simon
>
>
>
>
> 
> Looking for last minute shopping deals?
> Find them fast with Yahoo! Search.
> http://tools.search.yahoo.com/newsearch/category.php?category=shopping
>


-- 
Best Regards
Nima Sadeghian

Re: [squid-users] bypass urls - wccp

[Adrian Chadd]

There's no way to do that right now - you have to put in IPs in an ACL
on the router to bypass.

Bypassing isn't actually all that hard, especially if you're running TPROXY.
Someone just needs to sit down and code it up.

(I'm open to discussions with interested parties if a group of people would
like to sponsor the month-odd time it'd take for me to implement this in -2.)



Adrian


On Wed, Feb 27, 2008, Alexandre Correa wrote:
> Hello,
> 
> How to tell wccp to no redirect some urls to proxy ?
> 
> -- 
> 
> Sds.
> Alexandre J. Correa
> Onda Internet / OPinguim.net
> http://www.ondainternet.com.br
> http://www.opinguim.net

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -

Re: [squid-users] BYPASS UPON FAILURE

[Amos Jeffries]

Sadiq Walji wrote:

Hello,
I am new to squid and we have squid caching running on a server for users
and have a query as follows:

When squid fails, all the users cannot browse and we have to manually stop
squid to bypass it. Is there any way/feature that enables to bypass squid
automatically if and when it fails or has some problems?



Which squid version are you running?

2.6+ restart themselves as best they can after fatal but temporary errors.

If you are having a problem that is so fatal squid dies long-term that 
problem needs to be found and fixed.



Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.

Re: [squid-users] BYPASS UPON FAILURE

[K K]

On 3/22/08, Sadiq Walji <[EMAIL PROTECTED]> wrote:
> When squid fails, all the users cannot browse and we have to manually stop
> squid to bypass it. Is there any way/feature that enables to bypass squid
> automatically if and when it fails or has some problems?

Yes, use a PAC (Proxy Automatic Configuration) set in the browser.

 http://wiki.squid-cache.org/Technology/ProxyPac

The PAC script instructs the browser wat explicit (non-transparent)
proxy or proxies to use, and can fall back to DIRECT.  For
Windows/MSIE the setting can be done automatically by WPAD, DHCP, or
GPO.  For non-microsoft, this needs to be configured manually on each
client.

PAC is supported in all modern graphical browsers.

Kevin

Re: [squid-users] BYPASS UPON FAILURE

[Tim Bates]

K K wrote:

For
Windows/MSIE the setting can be done automatically by WPAD, DHCP, or
GPO.  For non-microsoft, this needs to be configured manually on each
client.
  
For non-MS browsers you can often still use WPAD (Firefox on Linux for 
example can do that still).
You can also get a modified version of Firefox (made by FrontMotion) 
that supports GPO for certain settings.


TB

Re: [squid-users] BYPASS UPON FAILURE

[Amos Jeffries]

Tim Bates wrote:

K K wrote:

For
Windows/MSIE the setting can be done automatically by WPAD, DHCP, or
GPO.  For non-microsoft, this needs to be configured manually on each
client.
  
For non-MS browsers you can often still use WPAD (Firefox on Linux for 
example can do that still).
You can also get a modified version of Firefox (made by FrontMotion) 
that supports GPO for certain settings.


TB


The only real trouble with WPAD is that it has never been formally 
standardised.

 Microsoft products use only the 'obsolete' DHCP methods of WPAD.
 Linux/Mac/*BSD products use the easier but non-official DNS methods of 
WPAD.


So you need to configure both methods for it to work properly on the 
network for all clients.


Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.

Re: [squid-users] BYPASS UPON FAILURE

[ian j hart]

On Sunday 23 March 2008 11:12:22 Amos Jeffries wrote:
> Tim Bates wrote:
> > K K wrote:
> >> For
> >> Windows/MSIE the setting can be done automatically by WPAD, DHCP, or
> >> GPO.  For non-microsoft, this needs to be configured manually on each
> >> client.
> >
> > For non-MS browsers you can often still use WPAD (Firefox on Linux for
> > example can do that still).
> > You can also get a modified version of Firefox (made by FrontMotion)
> > that supports GPO for certain settings.
> >
> > TB
>
> The only real trouble with WPAD is that it has never been formally
> standardised.
>   Microsoft products use only the 'obsolete' DHCP methods of WPAD.

Are you sure about this?

IIRC I'm using only DNS. Which is clunky, but it works. (XP)

>   Linux/Mac/*BSD products use the easier but non-official DNS methods of
> WPAD.
>
> So you need to configure both methods for it to work properly on the
> network for all clients.
>
> Amos



-- 
ian j hart

Re: [squid-users] BYPASS UPON FAILURE

[Amos Jeffries]

ian j hart wrote:

On Sunday 23 March 2008 11:12:22 Amos Jeffries wrote:

Tim Bates wrote:

K K wrote:

For
Windows/MSIE the setting can be done automatically by WPAD, DHCP, or
GPO.  For non-microsoft, this needs to be configured manually on each
client.

For non-MS browsers you can often still use WPAD (Firefox on Linux for
example can do that still).
You can also get a modified version of Firefox (made by FrontMotion)
that supports GPO for certain settings.

TB

The only real trouble with WPAD is that it has never been formally
standardised.
  Microsoft products use only the 'obsolete' DHCP methods of WPAD.


Are you sure about this?

IIRC I'm using only DNS. Which is clunky, but it works. (XP)


I'm not 100% on anything to do with WPAD, despite a few months 
experimenting with it and various setups.


I last tried it with XP and 2k running IE 5.5 SP1 and WindowsUpdate 
3-something or MicrosoftUpdate 1-something.


What versions of IE, WindowsUpdate/MicrosoftUpdate have you seen working 
with WPAD-DNS?






  Linux/Mac/*BSD products use the easier but non-official DNS methods of
WPAD.

So you need to configure both methods for it to work properly on the
network for all clients.

Amos




Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.

Re: [squid-users] BYPASS UPON FAILURE

[Joel Jaeggli]

Amos Jeffries wrote:

ian j hart wrote:

On Sunday 23 March 2008 11:12:22 Amos Jeffries wrote:

Tim Bates wrote:

K K wrote:

For
Windows/MSIE the setting can be done automatically by WPAD, DHCP, or
GPO.  For non-microsoft, this needs to be configured manually on each
client.

For non-MS browsers you can often still use WPAD (Firefox on Linux for
example can do that still).
You can also get a modified version of Firefox (made by FrontMotion)
that supports GPO for certain settings.

TB

The only real trouble with WPAD is that it has never been formally
standardised.
  Microsoft products use only the 'obsolete' DHCP methods of WPAD.


Are you sure about this?

IIRC I'm using only DNS. Which is clunky, but it works. (XP)


internet exploder will use dns...

firefox won't without configuration which means effectively half your 
users won't.


The draft expired eons ago (it was expired when I first taught how use 
in a workshop in 1999)


I'm not 100% on anything to do with WPAD, despite a few months 
experimenting with it and various setups.


I last tried it with XP and 2k running IE 5.5 SP1 and WindowsUpdate 
3-something or MicrosoftUpdate 1-something.


What versions of IE, WindowsUpdate/MicrosoftUpdate have you seen working 
with WPAD-DNS?






  Linux/Mac/*BSD products use the easier but non-official DNS methods of
WPAD.

So you need to configure both methods for it to work properly on the
network for all clients.

Amos




Amos

RE: [squid-users] BYPASS UPON FAILURE

[Sadiq Walji]

Thanks very much guys... as I mentioned, I am new to this and will therefore
try it out with a colleague who knows squid well.

Will get back if anything.
Thanks once again.


-Original Message-
From: ian j hart [mailto:[EMAIL PROTECTED] 
Sent: Sunday, March 23, 2008 3:04 PM
To: squid-users@squid-cache.org
Cc: Amos Jeffries
Subject: Re: [squid-users] BYPASS UPON FAILURE

On Sunday 23 March 2008 11:12:22 Amos Jeffries wrote:
> Tim Bates wrote:
> > K K wrote:
> >> For
> >> Windows/MSIE the setting can be done automatically by WPAD, DHCP, or
> >> GPO.  For non-microsoft, this needs to be configured manually on each
> >> client.
> >
> > For non-MS browsers you can often still use WPAD (Firefox on Linux for
> > example can do that still).
> > You can also get a modified version of Firefox (made by FrontMotion)
> > that supports GPO for certain settings.
> >
> > TB
>
> The only real trouble with WPAD is that it has never been formally
> standardised.
>   Microsoft products use only the 'obsolete' DHCP methods of WPAD.

Are you sure about this?

IIRC I'm using only DNS. Which is clunky, but it works. (XP)

>   Linux/Mac/*BSD products use the easier but non-official DNS methods of
> WPAD.
>
> So you need to configure both methods for it to work properly on the
> network for all clients.
>
> Amos



-- 
ian j hart

Re: [squid-users] BYPASS UPON FAILURE

[ian j hart]

On Sunday 23 March 2008 13:28:26 Amos Jeffries wrote:
> ian j hart wrote:
> > On Sunday 23 March 2008 11:12:22 Amos Jeffries wrote:
> >> Tim Bates wrote:
> >>> K K wrote:
>  For
>  Windows/MSIE the setting can be done automatically by WPAD, DHCP, or
>  GPO.  For non-microsoft, this needs to be configured manually on each
>  client.
> >>>
> >>> For non-MS browsers you can often still use WPAD (Firefox on Linux for
> >>> example can do that still).
> >>> You can also get a modified version of Firefox (made by FrontMotion)
> >>> that supports GPO for certain settings.
> >>>
> >>> TB
> >>
> >> The only real trouble with WPAD is that it has never been formally
> >> standardised.
> >>   Microsoft products use only the 'obsolete' DHCP methods of WPAD.
> >
> > Are you sure about this?
> >
> > IIRC I'm using only DNS. Which is clunky, but it works. (XP)
>
> I'm not 100% on anything to do with WPAD, despite a few months
> experimenting with it and various setups.
>
> I last tried it with XP and 2k running IE 5.5 SP1 and WindowsUpdate
> 3-something or MicrosoftUpdate 1-something.
>
> What versions of IE, WindowsUpdate/MicrosoftUpdate have you seen working
> with WPAD-DNS?

Don't have a definitive list but IIRC I've run IE verisions from 4.2? to 6 
this way.

I can tell you that there are a number of ways to get false negatives.

MS seem to break proxy support every time they release a new O/S, O/S service 
pack, version of IE or IE SP. Wait for follow up patches or SUS/WUS/WSUS 
updates before updating.

The client can mark the proxy as "bad" for 30m at time.
http://support.microsoft.com/kb/320507

Turn it off/on can help, i.e.

Close all IE, outlook/OE windows
Open an IE window
Deselect automatically detect... in LAN settings
Close the IE window (optionally reboot)
Open an IE window
Select automatically detect... in LAN settings
Try again.

That's what I mean by clunky.

>
> >>   Linux/Mac/*BSD products use the easier but non-official DNS methods of
> >> WPAD.
> >>
> >> So you need to configure both methods for it to work properly on the
> >> network for all clients.
> >>
> >> Amos
>
> Amos



-- 
ian j hart

Re: [squid-users] BYPASS UPON FAILURE

[ian j hart]

On Monday 24 March 2008 03:05:06 Joel Jaeggli wrote:
> Amos Jeffries wrote:
> > ian j hart wrote:
> >> On Sunday 23 March 2008 11:12:22 Amos Jeffries wrote:
> >>> Tim Bates wrote:
>  K K wrote:
> > For
> > Windows/MSIE the setting can be done automatically by WPAD, DHCP, or
> > GPO.  For non-microsoft, this needs to be configured manually on each
> > client.
> 
>  For non-MS browsers you can often still use WPAD (Firefox on Linux for
>  example can do that still).
>  You can also get a modified version of Firefox (made by FrontMotion)
>  that supports GPO for certain settings.
> 
>  TB
> >>>
> >>> The only real trouble with WPAD is that it has never been formally
> >>> standardised.
> >>>   Microsoft products use only the 'obsolete' DHCP methods of WPAD.
> >>
> >> Are you sure about this?
> >>
> >> IIRC I'm using only DNS. Which is clunky, but it works. (XP)
>
> internet exploder will use dns...
>
> firefox won't without configuration which means effectively half your
> users won't.

Half of your users maybe; not half of mine. My users get IE, like it or not.

This would seem to be a good reason to avoid firefox. Shame.

>
> The draft expired eons ago (it was expired when I first taught how use
> in a workshop in 1999)
>
> > I'm not 100% on anything to do with WPAD, despite a few months
> > experimenting with it and various setups.
> >
> > I last tried it with XP and 2k running IE 5.5 SP1 and WindowsUpdate
> > 3-something or MicrosoftUpdate 1-something.
> >
> > What versions of IE, WindowsUpdate/MicrosoftUpdate have you seen working
> > with WPAD-DNS?
> >
> >>>   Linux/Mac/*BSD products use the easier but non-official DNS methods
> >>> of WPAD.
> >>>
> >>> So you need to configure both methods for it to work properly on the
> >>> network for all clients.
> >>>
> >>> Amos
> >
> > Amos



-- 
ian j hart

[squid-users] Bypass parent for site

[John Halfpenny]

Hi,



We have a site which doesn't like to go through two instances of squid for some 
reason. Is there a way I can bypass a parent for a particular url?



Our setup goes



LAN > Squid[i] > Squid[ii]w/DansGuardian > Net



Ideally, I would like to set Squid[i] to go straight out, ignoring it's parent 
for, say, example.com. Here is the line from Squid[i], anything I can do with 
this?



cache_peer 192.168.3.5 parent 8081 0 no-query default



Thanks for any help! 



John



--junk excite banner convincing NOBODY follows

___
Join Excite! - http://www.excite.com
The most personalized portal on the Web!

Re: [squid-users] bypass proxy query

[Andreas Pettersson]

> now we have internal webservers which are in domain
> called mydomain.com have to be accessed all the time.
> But after 10 am these local sites are not accessable
> until and unless every client browser has bypass proxy
> option checked in their respective browser mentioning
> the host names names .

You have to insert an acl before your 7-10 limit that allows 'your_networks' to surf 
to mydomain.com.

> I tried to use the always_direct tag but it dosent
> work.

always_direct has nothing to do with how the clients talks with the proxy.

/Andreas

Re: [squid-users] bypass proxy query

[Henrik Nordstrom]

On Tue, 28 Sep 2004, simon benedict wrote:
Now is there a way to access the local sites after the
time is over and without having the clients check the
bypass proxy option.
Just allow access to these sites before where you deny access based on 
time..

http_access is an ordered list of rules read top-down. The first rule 
matching the request is used.

Regards
Henrik

Re: [squid-users] bypass proxy query

[simon benedict]

Thanks henrik,

it has worked fine i was having the acl in the wrong
place..

btw I have 2 more local servers which the client
browsers are using host name rather than domain name 
ex. http://km_online and these hosts having private IP
.

also they can use http://ip and get the web page up
and running .

Now since I have put the ip in my squid.conf file its
working fine but as all the users are used to typing
http://hostname and that dows not work but the ip in
the browsers works fine.

basically I am using WINS server to do the host to IP
mapping 

I also tried to make a hosts file in /etc on the linux
machine but it doesnt work.


Now what i want to know is can I make squid to a host
to IP lookup and how ?? .

the dst domain acl is also working fine but as I have
said before I have 3 servers which are not resolved
using a domain but rather a host name


Thanks and regards

Simon







--- Henrik Nordstrom <[EMAIL PROTECTED]> wrote:

> On Tue, 28 Sep 2004, simon benedict wrote:
> 
> > Now is there a way to access the local sites after
> the
> > time is over and without having the clients check
> the
> > bypass proxy option.
> 
> Just allow access to these sites before where you
> deny access based on 
> time..
> 
> http_access is an ordered list of rules read
> top-down. The first rule 
> matching the request is used.
> 
> Regards
> Henrik
> 




___
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com

[squid-users] Bypass the ntlm_auth helper

[Koen Stoop]

Hi all,

 

I'm running a test configuration Squid-2.5-STABLE7 on a Linux box, in order
to replace an Squid Proxy Server 2-4 (without authentication) who has been
running now for 5 years without major problems. I've implemented with
success (thx to the info in the FAQs) the ntlm_auth helper who communicates
with our Win2000 domain controller and only handles request from users in a
'AutorizedSquidUsers' group. But now I ran into a problem because an
application we use, tries via a mini-browser to connect to a newspage on a
webserver who requires authorisation. The application itself sends out the
hard-coded authorisation, Squid tries to handle the request but fails
because the user/password pair isn't in the  'AutorizedSquidUsers' group. So
I wonder if there's a way to bypass the auth_helper for certain destination
domains. I've no great expertise in Squid configurations, so any hints to
solve this problem(?) would be very much appreciated.

Koen

[squid-users] bypass domain through squid

[Eswari]

Hi squid users,
 I am running transparent proxy and facing a strange problem that could not
browse hotmail.com through squid. How can I bypass this domain  from squid .

Any help will be highly appreciated.

Kind regards,
eswari

[squid-users] Bypass proxy for one user

[Dayo Adewunmi]

Hi

On our LAN, you can't access the internet without having the proxy settings
in your browser. I've got one user coming in, who's laptop is locked-down,
and unfortunately his browser's set to use no proxy.

How do I configure squid to let him access the internet directly?
Preferrably, without him hogging all the bandwidth. Which wouldn't be an
issue if I could put the proxy settings into his browser, as squid is 
configured

to use delay pools.

Thanks

Dayo

[squid-users] bypass squid filtering using credentials

[Curt Coleman]

I am looking to use squid to content filter public computers.  Currently I
have it setup and running on a few test machines.  When someone attempts to
access a restricted site, I have a custom 'access denied' page that appears.
I would like for this page to contain a field to insert credentials that
would allow bypassing the filtering.  Is this doable?

Thanks in advance.

CC
 

[squid-users] bypass proxy for local addresses

[Shaine]

Hi Friends,

Basically we can do the bypass proxy for local addresses via web browsers.
This is inbuilt functions of certain web browsers. 
Like that, can we bypass some web request which are locally hosted ( In the
same network ) via squid-cache ? I think from any of ACL method we can do
that , anyway i do not have exact idea , can some body help me please ?

Many Thanks
Shaine.   
-- 
View this message in context: 
http://www.nabble.com/bypass-proxy-for-local-addresses-tp18152517p18152517.html
Sent from the Squid - Users mailing list archive at Nabble.com.

[squid-users] Bypass Squid for some sites

[Brett Simpson]

I'm trying to figure out how to bypass Squid for certain sites that don't work 
properly. I am not using a transparent firewall so I have to bypass it on the 
Squid server itself.
Basically I don't want Squid to do anything except send the packets directly to 
the destination system. Doing a always_direct and no_cache doesn't seem to help.
Any ideas on how to do this?

Brett

Re: [squid-users] Bypass parent for site

[Emilio Casbas]

John Halfpenny wrote:


Hi,

We have a site which doesn't like to go through two instances of squid for some 
reason. Is there a way I can bypass a parent for a particular url?

Our setup goes

LAN > Squid[i] > Squid[ii]w/DansGuardian > Net

Ideally, I would like to set Squid[i] to go straight out, ignoring it's parent 
for, say, example.com. Here is the line from Squid[i], anything I can do with 
this?

cache_peer 192.168.3.5 parent 8081 0 no-query default

Thanks for any help! 


John

--junk excite banner convincing NOBODY follows

___
Join Excite! - http://www.excite.com
The most personalized portal on the Web!


 


You can try:

cache_peer 192.168.3.5 parent 8081 0 no-query default
acl example dstdomain example.com
always_direct allow example

Thanks
Emilio C.

Re: [squid-users] Bypass parent for site

[Matus UHLAR - fantomas]

On 14.06 11:43, John Halfpenny wrote:
> We have a site which doesn't like to go through two instances of squid for
> some reason. Is there a way I can bypass a parent for a particular url?
> 
> Our setup goes
> 
> LAN > Squid[i] > Squid[ii]w/DansGuardian > Net
> 
> Ideally, I would like to set Squid[i] to go straight out, ignoring it's
> parent for, say, example.com. Here is the line from Squid[i], anything I
> can do with this?

add the site to an acl and allow always_direct for the acl.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".

Re: [squid-users] Bypass parent for site

[John Halfpenny]

Ah yes, reading up on it that looks just the ticket, Emilio- I'll try it when I 
get the new [i] box installed!



Thanks for your help



John

 --- On Tue 06/14, Emilio Casbas < [EMAIL PROTECTED] > wrote:

From: Emilio Casbas [mailto: [EMAIL PROTECTED]

To: [EMAIL PROTECTED]

 Cc: squid-users@squid-cache.org

Date: Tue, 14 Jun 2005 18:34:51 +0200

Subject: Re: [squid-users] Bypass parent for site



John Halfpenny wrote:>Hi,>>We have a site which doesn't like to 
go through two instances of squid for some reason. Is there a way I can bypass 
a parent for a particular url?>>Our setup goes>>LAN > Squid[i] 
> Squid[ii]w/DansGuardian > Net>>Ideally, I would like to set Squid[i] 
to go straight out, ignoring it's parent for, say, example.com. Here is the 
line from Squid[i], anything I can do with this?>>cache_peer 
192.168.3.5 parent 8081 0 no-query default>>Thanks for any help! 
>>John>>--junk excite banner convincing NOBODY 
follows>>___>Join 
Excite! - http://www.excite.com>The most personalized portal on the 
Web!>>>  >You can try:cache_peer 192.168.3.5 parent 
8081 0 no-query defaultacl example dstdomain example.comalways_direct 
allow exampleThanksEmilio C.

___
Join Excite! - http://www.excite.com
The most personalized portal on the Web!

[squid-users] bypass squid for some sites

[Bill Hughey]

I am running squid on a LRP box. It is running fine as a transparent
proxy. I have a group of internal machines going through it, with a
range of IPs that bypass the proxy using ipchains. Is there a way to
bypass squid for the machines that normally go through squid to reach
certain sites? I have tried acls to allow the sites and always_direct,
but the sites are still much much slower going through the proxy. These
are the chain rules I am using to start:
~
# Redirect to Squid proxy server:
ipchains -A input -p tcp -s 0/0 -d 0/0 8080 -j DENY -i eth0 -l
# Bypass for 192.168.1.8/29 range
ipchains -A input -p tcp -s ! 192.168.1.8/29 -d 0/0 80 -j REDIRECT 8080
~ 
I want to keep the other machines going through the proxy, except let
192.168.1.3 bypass the proxy only to get to sportsonline.com. I’m not
too good with ipchains, can I make another rule to let only this bypass?
Thanks,
Bill

[squid-users] bypass icap for big files

[lopl]

Hi
how can I  bypass icap , for big files?

Best
Pezhman

[squid-users] bypass redirector for some urls

[Deepa D]

Hi All,
   I am using SQUID-2.5STABLE5 and have a requirement
to bypass redirector for a few urls only. Could
someone kindly tell me how to do this asap.
   Regards and TIA,
  Deepa



Yahoo! India Matrimony: Find your life partner online
Go to: http://yahoo.shaadi.com/india-matrimony

Re: [squid-users] Bypass the ntlm_auth helper

[Henrik Nordstrom]

On Mon, 25 Oct 2004, Koen Stoop wrote:
because the user/password pair isn't in the  'AutorizedSquidUsers' group. So
I wonder if there's a way to bypass the auth_helper for certain destination
domains.
Yes, you only need to allow access to these destinations before where you 
require authentication.

Regards
Henrik

[squid-users] Bypass authentication for local urls

[Deepa D]

Hi,
   The squid proxy has been configured to authenticate
using pam_auth.But , I have a requirement where this
authentication has to be bypassed when requests come
for local urls(the pages hosted by our local
webserver).Kindly mail me how to go about doing this.
  Regards and TIA,
 Deepa
 


Yahoo! India Matrimony: Find your partner online.
Go to http://yahoo.shaadi.com

Re: [squid-users] Bypass proxy for one user

[CompuServe]

Dayo Adewunmi:

Hi

On our LAN, you can't access the internet without having the proxy settings
in your browser. I've got one user coming in, who's laptop is locked-down,
and unfortunately his browser's set to use no proxy.

How do I configure squid to let him access the internet directly?
Preferrably, without him hogging all the bandwidth. Which wouldn't be an
issue if I could put the proxy settings into his browser, as squid is 
configured

to use delay pools.



Try google with "iptables + squid transparent proxy".


--
IT Professional Support
ICQ: 566-464-467
Email: compuse...@icqmail.com

Re: [squid-users] Bypass proxy for one user

[Chris Robertson]

Dayo Adewunmi wrote:

Hi

On our LAN, you can't access the internet without having the proxy 
settings
in your browser. I've got one user coming in, who's laptop is 
locked-down,

and unfortunately his browser's set to use no proxy.

How do I configure squid to let him access the internet directly?


You can't.  Squid is not preventing him from accessing the internet; it 
is the facility by which access to the Web is allowed.  Web access is 
being blocked using some other utility, and that utility must be 
identified and reconfigured.



Preferrably, without him hogging all the bandwidth. Which wouldn't be an
issue if I could put the proxy settings into his browser, as squid is 
configured

to use delay pools.

Thanks

Dayo


Chris

[squid-users] Bypass tools that works with squid

[Mr Crack]

Is there any way in squid to bypass some sites that are banned by firewall or
special tools as squid-plug in ...?
Because ISP banned some sites such as GMail
I dont want to use Windows software e.g. YourFreedom, UltraSurf
I want to install as server s/w with squid


Any help is appriciated

Mr. Crack 007

[squid-users] bypass tools that works with squid

[Mr Crack]

Is there any way in squid to bypass some sites that are banned by firewall or
special tools as squid-plug in ...?
Because ISP banned some sites such as GMail
I dont want to use Windows software e.g. YourFreedom, UltraSurf
I want to install as server s/w with squid


Any help is appriciated

Mr. Crack 007

Re: [squid-users] bypass squid filtering using credentials

[Chris Robertson]

Curt Coleman wrote:

I am looking to use squid to content filter public computers.  Currently I
have it setup and running on a few test machines.  When someone attempts to
access a restricted site, I have a custom 'access denied' page that appears.
I would like for this page to contain a field to insert credentials that
would allow bypassing the filtering.  Is this doable?
  


Yes.  Have an external_acl that checks a repository of IPs (be it a flat 
file, a database or a hash in memory) and change the http_access deny 
line that blocks requests to the restricted sites use this acl NANDed 
with the list.  The custom access denied page allows entering 
credentials to bypass the filtering (which updates the mentioned 
repository).


In essence...

acl restrictedSites dstdomain .restricted.com .clearancerequired.com
external_acl_type allow-restricted ttl=5 concurrency=50 %SRC 
/usr/local/squid/bin/restricted-ip-authenticator

acl allowRestrictedIP external allow-restricted
http_access deny restrictedSites !allowRestrictedIP
deny_info http://my.host/enterCredentialsForAccess.html allowRestrictedIP

...where the script /usr/local/squid/bin/restricted-ip-authenticator, 
and the CGI form called by http://my.host/enterCredentialsForAccess.html 
are left as an exercise for the reader.  The session helper included in 
Squid releases later than 2.6 might be a good starting point.



Thanks in advance.

CC


Chris

Re: [squid-users] bypass proxy for local addresses

[Matus UHLAR - fantomas]

On 27.06.08 03:48, Shaine wrote:
> Basically we can do the bypass proxy for local addresses via web browsers.
> This is inbuilt functions of certain web browsers. 
> Like that, can we bypass some web request which are locally hosted ( In the
> same network ) via squid-cache ?

No, because your requests can go either directly (bypass the cache), or via
the cache, not both.

However this function is also a builtin in some (many) browsers.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I drive way too fast to worry about cholesterol. 

Re: [squid-users] bypass proxy for local addresses

[Angela Williams]

On Friday 27 June 2008, Matus UHLAR - fantomas wrote:
> On 27.06.08 03:48, Shaine wrote:
> > Basically we can do the bypass proxy for local addresses via web
> > browsers. This is inbuilt functions of certain web browsers.
> > Like that, can we bypass some web request which are locally hosted ( In
> > the same network ) via squid-cache ?
>
> No, because your requests can go either directly (bypass the cache), or via
> the cache, not both.
>
> However this function is also a builtin in some (many) browsers.

Or you can use a proxy autoconfig script served up by an apache webserver!
Just needs java scripting enabled on the clients and it solved all my issues 
with 2 internal networks and many customer networks and a plethora of squid 
servers on different internet connections! There is even a simple perl based 
pac file tester available called pactester that solved the last few issues I 
had!

Cheers
Ang

-- 
Angela Williams Enterprise Outsourcing
Unix/Linux & Cisco spoken here! Bedfordview
[EMAIL PROTECTED]   Gauteng South Africa

Smile!! Jesus Loves You!!

RE: [squid-users] bypass proxy for local addresses

[Steven Sporen]

> However this function is also a builtin in some (many) browsers.

Or you can use a proxy autoconfig script served up by an apache
webserver!
Just needs java scripting enabled on the clients and it solved all my
issues 
with 2 internal networks and many customer networks and a plethora of
squid 
servers on different internet connections! There is even a simple perl
based 
pac file tester available called pactester that solved the last few
issues I 
had!


Be warned that several applications which make use of HTTP for
communication do not support a proxy script. So if you're planning on
only using this method you will run into issues with say Java. However
that said issuing the proxy script via DHCP is a nice clean way of
ensuring it only executes when your users are connected to your network.

Regards
  Steven

Re: [squid-users] bypass proxy for local addresses

[Shaine]

For instance , if squid runs in port 8080 , when a specific url comes into
the squid via port 8080 , before it receives to port 8080 cant we redirect
to a web server , which that url searching?
>From the squid itself cant we find a solutions to have a proxy request by
passing ???





Angierfw wrote:
> 
> On Friday 27 June 2008, Matus UHLAR - fantomas wrote:
>> On 27.06.08 03:48, Shaine wrote:
>> > Basically we can do the bypass proxy for local addresses via web
>> > browsers. This is inbuilt functions of certain web browsers.
>> > Like that, can we bypass some web request which are locally hosted ( In
>> > the same network ) via squid-cache ?
>>
>> No, because your requests can go either directly (bypass the cache), or
>> via
>> the cache, not both.
>>
>> However this function is also a builtin in some (many) browsers.
> 
> Or you can use a proxy autoconfig script served up by an apache webserver!
> Just needs java scripting enabled on the clients and it solved all my
> issues 
> with 2 internal networks and many customer networks and a plethora of
> squid 
> servers on different internet connections! There is even a simple perl
> based 
> pac file tester available called pactester that solved the last few issues
> I 
> had!
> 
> Cheers
> Ang
> 
> -- 
> Angela Williams   Enterprise Outsourcing
> Unix/Linux & Cisco spoken here!   Bedfordview
> [EMAIL PROTECTED] Gauteng South Africa
> 
> Smile!! Jesus Loves You!!
> 
> 
> 
> -
> Angie
> Linux/Unix/Cisco Hacker
> South Africa
> 

-- 
View this message in context: 
http://www.nabble.com/bypass-proxy-for-local-addresses-tp18152517p18156636.html
Sent from the Squid - Users mailing list archive at Nabble.com.

Re: [squid-users] bypass proxy for local addresses

[Amos Jeffries]

Shaine wrote:

For instance , if squid runs in port 8080 , when a specific url comes into
the squid via port 8080 , before it receives to port 8080 cant we redirect
to a web server , which that url searching?


Not without receiving it. Hmm, here is a little scenario...

Given two security-sealed envelopes, both addressed from the same source 
to you. One has a bill for a million dollars in it and the other has a 
cheque for same.


  Now, without opening or even seeing either of them, tell your mailman 
to deliver the one with a cheque to your bank and the one with the bill 
to your accountant.


What you are asking Squid to do is exactly the same. By the time the 
envelope (packet) is opened the mailman refuses to send it again without 
you paying for re-enveloping and re-postage.


What you have to do is get the sender (client browser) to address both 
to the right places at the very start.


Thats what WPAD/PAC does.

Amos


From the squid itself cant we find a solutions to have a proxy request by
passing ???





Angierfw wrote:

On Friday 27 June 2008, Matus UHLAR - fantomas wrote:

On 27.06.08 03:48, Shaine wrote:

Basically we can do the bypass proxy for local addresses via web
browsers. This is inbuilt functions of certain web browsers.
Like that, can we bypass some web request which are locally hosted ( In
the same network ) via squid-cache ?

No, because your requests can go either directly (bypass the cache), or
via
the cache, not both.

However this function is also a builtin in some (many) browsers.

Or you can use a proxy autoconfig script served up by an apache webserver!
Just needs java scripting enabled on the clients and it solved all my
issues 
with 2 internal networks and many customer networks and a plethora of
squid 
servers on different internet connections! There is even a simple perl
based 
pac file tester available called pactester that solved the last few issues
I 
had!


Cheers
Ang

--
Angela Williams Enterprise Outsourcing
Unix/Linux & Cisco spoken here! Bedfordview
[EMAIL PROTECTED]   Gauteng South Africa

Smile!! Jesus Loves You!!



-
Angie
Linux/Unix/Cisco Hacker
South Africa






--
Please use Squid 2.7.STABLE3 or 3.0.STABLE7

Re: [squid-users] bypass proxy for local addresses

[Matus UHLAR - fantomas]

On 27.06.08 07:40, Shaine wrote:
> For instance , if squid runs in port 8080 , when a specific url comes into
> the squid via port 8080 , before it receives to port 8080 cant we redirect
> to a web server , which that url searching?
> From the squid itself cant we find a solutions to have a proxy request by
> passing ???

There is no such think in HTTP protocol that would tell the client, "stop
asking me and go directly". Some browsers even don't know they are using a
proxy (when using interception, often incorrectly called "transparent
proxy").

You just must configure browser when to use proxy and when not to use it.
Either manualy, either via interception, or by using WPAD protocol, as
others already mentioned (and I forgot in my last mail).
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.

Re: [squid-users] bypass proxy for local addresses

[Matus UHLAR - fantomas]

On 28.06.08 18:25, Matus UHLAR - fantomas wrote:
> There is no such think in HTTP protocol

oops, thing ;)
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Emacs is a complicated operating system without good text editor.

Re: [squid-users] bypass proxy for local addresses

[Michel]

> On 27.06.08 07:40, Shaine wrote:
>> For instance , if squid runs in port 8080 , when a specific url comes
>> into
>> the squid via port 8080 , before it receives to port 8080 cant we
>> redirect
>> to a web server , which that url searching?
>> From the squid itself cant we find a solutions to have a proxy request
>> by
>> passing ???
>
> There is no such think in HTTP protocol that would tell the client, "stop
> asking me and go directly". Some browsers even don't know they are using a
> proxy (when using interception, often incorrectly called "transparent
> proxy").
>
> You just must configure browser when to use proxy and when not to use it.
> Either manualy, either via interception, or by using WPAD protocol, as
> others already mentioned (and I forgot in my last mail).

in order not to bother with client configurations and browser problems a
good solution (because support free) is a transparent proxy and then you
configure your firewall to skip the fwd rules for the addresses of your
choice

michel

-- 


michel





Tecnologia Internet Matik http://info.matik.com.br
Sistemas Wireless para o Provedor Banda Larga
Hospedagem e Email personalizado - e claro, no Brasil.

Re: [squid-users] bypass proxy for local addresses

[Matus UHLAR - fantomas]

On 29.06.08 10:07, Michel wrote:
> in order not to bother with client configurations and browser problems a
> good solution (because support free) is a transparent proxy and then you
> configure your firewall to skip the fwd rules for the addresses of your
> choice

However since intercepting of connections causes many troubles, It's much
better to configure WPAD properly
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson.

Re: [squid-users] bypass proxy for local addresses

[Michel]

> On 29.06.08 10:07, Michel wrote:
>> in order not to bother with client configurations and browser problems a
>> good solution (because support free) is a transparent proxy and then you
>> configure your firewall to skip the fwd rules for the addresses of your
>> choice
>
> However since intercepting of connections causes many troubles, It's much
> better to configure WPAD properly


well, I do not know about such problems, may be you should analise each of
it and configure things properly, in my experience most of common
interception problems are caused by wrong network settings or such
ping-pong-setups like router sending traffic back or gateway forwards to
external proxy




michel

[squid-users] bypass squid for second address range

[greylake]

hello

lan_one|-|gateway|-|lan_two
   | |
squidbox |
(member of lan_one)  |
 |
  (world)





question 1.

at the moment traffic from BOTH lans seems to be prerouted to the squid
box
but i want lan_two traffic to bypass the squidbox and go direct ( for
now...)

i'm sure its iptables syntax but i cant seem to get it to work 
any advice or examples greatly appreciated 



-snip

drop  lan_one  -  force them to use the squid box
$IPTABLES -A INPUT -i $NIC_ONE -s ! $SQUIDBOX -p tcp --dport 80 -j DROP

$IPTABLES -A INPUT -i $NIC_TWO -s $LAN_TWO -d 0/0 -p tcp --dport 80 -j
ACCEPT


$IPTABLES -A PREROUTING -t nat -i $NIC_ONE -s ! $SQUIDBOX -p tcp --dport
80 -j DNAT --to-destination $SQUIDBOX:3128
$IPTABLES -A POSTROUTING -t nat -o $NIC_ONE -s $LAN_ONE -d $SQUIDBOX -j
SNAT --to-source $GATEWAY
$IPTABLES -A FORWARD -s $LAN_ONE -d $SQUIDBOX -i $NIC_ONE -o $NIC_ONE -p
tcp --dport 3128 -j ACCEPT

#  lan_one to world 

$IPTABLES -A lan-world  -s $SQUIDBOX -p tcp --dport 80 -j ACCEPT
$IPTABLES -A lan-world  -p tcp  --dport 22 -j  ACCEPT
$IPTABLES -A lan-world  -p tcp  --dport 664 -j ACCEPT
$IPTABLES -A lan-world  -p tcp  --dport 995 -j ACCEPT
$IPTABLES -A lan-world  -p tcp  --dport 465 -j ACCEPT
 etc etc

# lan_two to world  ... simple for now

$IPTABLES -A lan-fax  -p tcp  -j ACCEPT
$IPTABLES -A lan-fax  -p udp  -j ACCEPT
$IPTABLES -A lan-fax  -p icmp  -j ACCEPT
$IPTABLES -A lan-fax  -j DROP

$IPTABLES -A FORWARD -i $NIC_ONE -o $WORLD -s $LAN_ONE -j lan-world
$IPTABLES -A FORWARD -i $NIC_TWO -o $WORLD -s $LAN_TWO -j fax-world

-





question 2. 

if both lans do use the cache ( with a tighter iptables in place ) is it
possible to cache but not log lan_two traffic ?

thanks in advance 

greylake

[squid-users] Bypass Proxy for large file downloads

[Cody Webb]

Hello,

I would like to provide content filtering for members our my 
congregation.  My content filter utilizes squid.  I would like to conserve 
bandwidth as much as possible (due to the costs associated with bandwidth 
metering).  Would it be possible for users downloads to bypass the proxy?  This 
way they could get the full speed of their cable/DSL service.  And it would 
keep the monthly bandwidth usage going through the proxy minimal.
 
Thanks,
 
Cody

Re: [squid-users] Bypass Squid for some sites

[Henrik Nordstrom]

On Thu, 5 May 2005, Brett Simpson wrote:
I'm trying to figure out how to bypass Squid for certain sites that 
don't work properly. I am not using a transparent firewall so I have to 
bypass it on the Squid server itself.
You can't. You have to do this in the client config.
PAC scripts is very suitable for this.
Basically I don't want Squid to do anything except send the packets 
directly to the destination system. Doing a always_direct and no_cache 
doesn't seem to help.
This can not be done on a paket level.
As soon as the client has sent the request to the proxy it is too late to 
send it directly to the origin server. All the proxy can do is to detect 
the fact that the request was sent to the proxy, and has two options 
either attempt to forward(proxy) the request or reject the request giving 
an error message to the client.

Regards
Henrik

RE: [squid-users] bypass squid for some sites

[Chris Robertson]

> -Original Message-
> From: Bill Hughey [mailto:[EMAIL PROTECTED]
> Sent: Monday, September 12, 2005 8:04 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] bypass squid for some sites
> 
> 
> I am running squid on a LRP box. It is running fine as a transparent
> proxy. I have a group of internal machines going through it, with a
> range of IPs that bypass the proxy using ipchains. Is there a way to
> bypass squid for the machines that normally go through squid to reach
> certain sites? I have tried acls to allow the sites and always_direct,
> but the sites are still much much slower going through the 
> proxy. 

always_direct only has an effect if you are using parent caches.  Once Squid 
sees the traffic, there is no way for it to not be involved.

> These are the chain rules I am using to start:
> ~
> # Redirect to Squid proxy server:
> ipchains -A input -p tcp -s 0/0 -d 0/0 8080 -j DENY -i eth0 -l
> # Bypass for 192.168.1.8/29 range
> ipchains -A input -p tcp -s ! 192.168.1.8/29 -d 0/0 80 -j 
> REDIRECT 8080
> ~ 
> I want to keep the other machines going through the proxy, except let
> 192.168.1.3 bypass the proxy only to get to sportsonline.com. I'm not
> too good with ipchains, can I make another rule to let only 
> this bypass?
> Thanks,
> Bill
> 

I'm not an ipchains expert, but I think that...

ipchains -A input -p tcp -s 192.168.1.3 -d 206.207.85.33 -j ALLOW

...should effectively ignore traffic between that client and that host.  Put 
this rule in front of the "# Bypass for..." rule.

Chris

RE: [squid-users] bypass redirector for some urls

[Elsen Marc]

 
> 
> Hi All,
>I am using SQUID-2.5STABLE5 and have a requirement
> to bypass redirector for a few urls only. Could
> someone kindly tell me how to do this asap.
 
 Check the 'redirector_access' directive in squid.conf.default
 (and comments).

 M.

Re: [squid-users] bypass redirector for some urls

[Henrik Nordstrom]

On Thu, 21 Oct 2004, Deepa D wrote:
  I am using SQUID-2.5STABLE5 and have a requirement
to bypass redirector for a few urls only. Could
someone kindly tell me how to do this asap.
See redirector_access.
Regards
Henrik

RE: [squid-users] bypass redirector for some urls

[Deepa D]

Hi,
   Thanks for the response.
   I am using squid as a transparent non caching proxy
server. I could configure squid.conf to use
redirector_access for dstdomains mentioned in a file
or  mentioning the domain in the config file itself
but I am unable to do the same for url_regex. I am
pasting a sample below :-
   acl nr_urls url_regex ^http://www\.rediff\.com$
   acl nr_urls1 url_regex ^http://www\.yahoo\.com$
   redirector_access deny nr_urls nr_urls1
   
   Could somebody kindly tell me what is wrong with my
configuration - is the url regex pattern wrong? If
yes, kindly mail me a sample.
   Secondly kindly advise as to whether setting the
dstdomains is safer or specifying the url pattern is
better.
   Kindly mail back asap.
   Regards and TIA,
  Deepa


 --- Elsen Marc <[EMAIL PROTECTED]> wrote: 
> 
>  
> > 
> > Hi All,
> >I am using SQUID-2.5STABLE5 and have a
> requirement
> > to bypass redirector for a few urls only. Could
> > someone kindly tell me how to do this asap.
>  
>  Check the 'redirector_access' directive in
> squid.conf.default
>  (and comments).
> 
>  M.
>  


Yahoo! India Matrimony: Find your life partner online
Go to: http://yahoo.shaadi.com/india-matrimony

RE: [squid-users] bypass redirector for some urls

[Henrik Nordstrom]

On Mon, 25 Oct 2004, Deepa D wrote:
Hi,
  Thanks for the response.
  I am using squid as a transparent non caching proxy
server. I could configure squid.conf to use
redirector_access for dstdomains mentioned in a file
or  mentioning the domain in the config file itself
but I am unable to do the same for url_regex. I am
pasting a sample below :-
  acl nr_urls url_regex ^http://www\.rediff\.com$
  acl nr_urls1 url_regex ^http://www\.yahoo\.com$
These two should both be in the same acl.
  redirector_access deny nr_urls nr_urls1
Which can not match as a request for www.rediff.com can not at the same 
time be a request for www.yahoo.com..

acl nr_urls url_regex ^http://www\.rediff\.com$ ^http://www\.yahoo\.com$
redirector_access deny nr_urls
Regards
Henrik