Hey Nicolas,

If you are running a Squid which doesn't have a mandatory rule of "block first 
and then allow", or what in the security industry would be named "up-tight", then 
Yuri's solution is the right path.
But... as a rule of thumb, if you don't need to pass the traffic into the proxy 
software, don't, and allow or block whatever you can at the OS firewall level.
I wrote a couple of example bypass scripts:

For a non router\proxy linux system:

The above examples are good for pre-known domains, similar to the script you 
wrote in your blog, but they give some form of dynamics to the firewall rules.
I believe that the best formula is to combine both Squid splice with ipset and 
domain resolution and the bypass rules.
Using Squid you will be able to splice domains automatically, and with a daily 
log analysis of the Squid access.log files you might be able to find new domains 
that you can add to your firewall-level bypassed domains.

Let me know if it sounds good and it's worth a wiki article.

Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: elie...@ngtech.co.il

-----Original Message-----
From: squid-users [mailto:squid-users-boun...@lists.squid-cache.org] On Behalf Of Nicolas Kovacs
Sent: Sunday, March 11, 2018 10:07
To: squid-users@lists.squid-cache.org
Subject: [squid-users] Allow some domains to bypass Squid


I have Squid set up as a transparent HTTP+HTTPS proxy in my local
network, using SSL-Bump.

The configuration works quite nicely, according to
/var/log/squid/cache.log and /var/log/squid/access.log.

This being said, I am having trouble with a handful of domains like
GitHub, or my OwnCloud installation. I have an OwnCloud server installed
at https://cloud.microlinux.fr, and every time I fire up a client, I have
to confirm the use of an untrusted certificate. And on my workstation, I
can't connect to my GitHub repository anymore. Here's the error I get.

  # git pull
  fatal: unable to access 'https://github.com/kikinovak/centos-7-desktop-kde/':
  Peer's certificate issuer has been marked as not trusted by the user.

So I thought the best thing to do is to create an exception for this
handful of domains with issues.

Can I configure some domains to simply bypass the proxy in my current
(transparent) setup? Ideally, the configuration should be able to read a
simple text file containing said domains, something like
/etc/squid/bypass-these-domains.txt. And then these would bypass the proxy and
get treated regularly, as if there were no proxy?


Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : i...@microlinux.fr
Tél. : 04 66 63 10 32
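An added example, not one of the scripts Eliezer mentions, of the firewall-level bypass and the daily access.log check discussed above: it reads a domain file like the one the question asks for, resolves each domain into an ipset, and prints (rather than runs) the ipset/iptables commands that let those destinations skip the nat REDIRECT to Squid. It assumes glibc `getent`, `ipset` and `iptables`, one domain per line with `#` comments, and the set name `squid_bypass`.

```shell
#!/bin/sh
# Added example, not one of the scripts mentioned in the thread.  Reads a domain
# file like the one the question asks for, resolves each domain into an ipset and
# lets matching destinations skip the nat REDIRECT to Squid.  The firewall
# commands are only printed (dry run) so they can be reviewed before running.
# Assumptions: glibc getent, ipset + iptables, one domain per line, '#' comments.

BYPASS_FILE="${BYPASS_FILE:-/etc/squid/bypass-these-domains.txt}"
SET_NAME="squid_bypass"   # assumed ipset name

# Domains from the file: comments and blank lines dropped, lower-cased, deduplicated.
read_domains() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" | grep -v '^$' | tr 'A-Z' 'a-z' | sort -u
}

# IPv4 addresses of one domain (empty output if it does not resolve).
resolve_v4() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u
}

# Addresses on stdin (one per line) -> ipset/iptables commands on stdout.  The set
# is flushed and refilled so stale addresses drop out; 'iptables -C' checks whether
# the ACCEPT rule already exists so repeated runs do not stack duplicate rules.
plan_rules() {
    printf 'ipset create %s hash:ip -exist\n' "$SET_NAME"
    printf 'ipset flush %s\n' "$SET_NAME"
    while read -r ip; do
        if [ -n "$ip" ]; then printf 'ipset add %s %s -exist\n' "$SET_NAME" "$ip"; fi
    done
    printf 'iptables -t nat -C PREROUTING -m set --match-set %s dst -j ACCEPT 2>/dev/null' "$SET_NAME"
    printf ' || iptables -t nat -I PREROUTING 1 -m set --match-set %s dst -j ACCEPT\n' "$SET_NAME"
}

# Daily log check from the reply: hosts of CONNECT (HTTPS) requests in Squid's
# native access.log, most frequent first, as candidates for the bypass file.
# Native fields: time elapsed client status/code bytes method url user hierarchy type
connect_hosts() {
    awk '$6 == "CONNECT" { sub(/:[0-9]+$/, "", $7); n[$7]++ }
         END { for (h in n) print n[h], h }' "$1" | sort -rn
}

main() {
    read_domains "$BYPASS_FILE" | while read -r d; do resolve_v4 "$d"; done | plan_rules
}

if [ "${1:-}" = "--plan" ]; then main; fi
```

Run it with `--plan` from cron and pipe the output to `sh` once the rule list looks right; because the set holds the addresses the proxy host resolved at that moment, it has to be refreshed regularly, and everything it matches is neither logged nor inspected by Squid.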
squid-users mailing list
