[CentOS] Squid vs. iptables redirection: exception for certain domains ?

Nicolas Kovacs

info at microlinux.fr
Sun Mar 11 10:01:33 UTC 2018


Hi,

I'm currently facing a quite tricky problem. Here goes.

I have setup Squid as a transparent HTTP+HTTPS proxy in my local
network. All web traffic gets handed over to Squid by an iptables script
on the server. Here's the relevant section in /etc/squid/squid.conf:

--8<-------------------------------------------------------------
# Ports du proxy
http_port 3130
http_port 3128 intercept
https_port 3129 intercept ssl-bump \
  cert=/etc/squid/ssl_cert/amandine.sandbox.lan.pem \
  generate-host-certificates=on dynamic_cert_mem_cache_size=4MB
--8<-------------------------------------------------------------

And here's the corresponding section of my firewall script:

--8<-------------------------------------------------------------
# Commandes
IPT=/usr/sbin/iptables
SYS=/usr/sbin/sysctl
SERVICE=/usr/sbin/service

# Internet
IFACE_INET=enp2s0

# Réseau local
IFACE_LAN=virbr0
IFACE_LAN_IP=192.168.2.0/24

# Serveur
SERVER_IP=192.168.2.1

...

# Squid
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3128 -j ACCEPT
$IPT -A INPUT -p udp -i $IFACE_LAN --dport 3128 -j ACCEPT
$IPT -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d $SERVER_IP \
  --dport 80 -j REDIRECT --to-port 3128
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3129 -j ACCEPT
$IPT -A INPUT -p udp -i $IFACE_LAN --dport 3129 -j ACCEPT
$IPT -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d $SERVER_IP \
  --dport 443 -j REDIRECT --to-port 3129
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3130 -j ACCEPT
$IPT -A INPUT -p udp -i $IFACE_LAN --dport 3130 -j ACCEPT
--8<-------------------------------------------------------------

This setup works nicely for the vast majority of web sites.

BUT: a handful of sites has some trouble with my local certificate. For
example, I can't sync my local Github repo anymore. Or my local OwnCloud
client spews back a warning message on every startup.

I asked on the Squid mailing list if there was a possibility to create
an exception for a list of domains, so that these can simply bypass the
proxy. The problem is, according to one of the developers, I have to
tackle that problem earlier in the process, e. g. in the firewall setup.

So here's what I want to do, in plain words:

1. Redirect all HTTP traffic (port 80) to port 3128. So far so good.

2. Redirect all HTTPS traffic (port 443) to port 3129. Equally OK.

AND...

3. DO NOT REDIRECT traffic that goes to certain domains, like:

  github.com
  credit-cooperatif.coop
  cloud.microlinux.fr
  squid-cache.org
  etc.

Ideally, these domains should be read from a simple text file.

Any idea how I could do that? I don't even know if this is theoretically
possible.

Cheers,

Niki

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32



More information about the CentOS mailing list