LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices



Reply
 
Search this Thread
Old 12-04-2006, 02:13 AM   #1
inaki
Member
 
Registered: Mar 2005
Posts: 94

Rep: Reputation: 15
Bypass proxy


Hi all,
In our infrastruture, we use proxy to browse to the internet and also our intranet system. But we having a problem where one of the web application cannot run properly behind of the proxy.
Did anybody knows on how to set the squid and ISA proxy to bypass when the client browse to that server.
 
Old 12-04-2006, 02:54 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968
bypass what? by the time that a proxy has recieved a request from a client, it's a bit late to not ask the proxy for it isn't it?? if you mean to stop squid requesting upstream to ISA then check the always_direct option, which will allow certain sites to be directly connected to and not go to a parent proxy.

you may also wish to look into a proxy.pac file which can tell the client not to go to a proxy in the first place for certain url's.
 
Old 12-04-2006, 07:31 AM   #3
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: OpenBSD, Slackware, XP
Posts: 347

Rep: Reputation: 31
You may consult also your squid logs to check for a TCP_DENIED message that associates to sites being accessed. It happened to one of my clients that connects to their webmail on port 8443 and I simply added that port in squid.conf's

acl SSL_ports port 443 563 8443

By looking interactively in your squid's access.log, you can pinpoint that while a clinet is trying to connect to the site in subject. Adjust the path according to your distro.

# tail -f /var/squid/logs/access.log |grep a.client.ip.add

Squid has a minimum configuration for this:

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 445 # I added this one for Windows update
acl CONNECT method CONNECT

I don't know how it is done in ISA.
 
Old 12-05-2006, 01:55 AM   #4
inaki
Member
 
Registered: Mar 2005
Posts: 94

Original Poster
Rep: Reputation: 15
What i meant is in my network i've used the proxy to browse the internet and intranet system, but in some cases, i need to go direct access to one of my inranet server www.mylocalserver.int. It is hard to configure client browser to bypass proxy, so that is there any possibility to configure my proxy to enable direct access for www.mylocalserver.int.
 
Old 12-05-2006, 03:46 AM   #5
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968
i think you're missing something here... how can you possibly "bypass" a proxy when your using it??? doesn't make sense mate.
 
Old 12-05-2006, 08:39 AM   #6
sarin
Member
 
Registered: May 2001
Location: India, Kerala, Thrissur
Distribution: FC 7-10
Posts: 354
Blog Entries: 2

Rep: Reputation: 34
My knowledge of such things are very limited and rusty.... However I feel that you may try transparent proxy and iptables.

The rule at your gw should be
1. Allow requests to local servers to pass through
2. Redirect requests to external servers to your squid

Can someone correct me if I am wrong or provide more info?

--Sarin
 
Old 12-05-2006, 10:11 AM   #7
gani
Member
 
Registered: Jun 2004
Location: Metro Manila, Philippines
Distribution: OpenBSD, Slackware, XP
Posts: 347

Rep: Reputation: 31
When we are in trouble, let us not always forget to consult the logs, it has the hints to address the problem.

Squid, as far as I know, does not by default blocks http access unless you defined something to block certain sites or if your web app is connecting via a port like

http://server.domain.com:PORT#/

and that port was not included in its default configurations of safely allowed ports.

acl Safe_port port PORT#

If you are also running another layer of proxy behind squid that handles application filtering like a content filter with file extensions blocking, this could cause your problem and you will need to consult its manual.

But if still your webapp is really in trouble when behind any http proxy, this suggestion is not practical considering and can only become your last option if only very few of your users needing frequent access to that webapp.

1. Add another NIC in your firewall box.
2. Don't bind squid on this NIC's IP. Assign to this your next network IP block.
3. Don't port forward outgoing http traffic from this network block to squid port.
4. Give this a separate switch/hub and therefore a separate network. This is almost like a DMZ.
5. If you have a good structured cabling installed with Patch panels, simply switch your clients' patch plugs to this switch/hub and this would force yo to separate your users accessing your webapp.
6. Configure your firewall if possible to allow specific traffic (ports & protocols) to traverse between your separated networks that are needed like SMB/Windows/Netbios and others.
 
Old 05-21-2008, 08:33 AM   #8
bucketheadmjs
LQ Newbie
 
Registered: Dec 2006
Posts: 7

Rep: Reputation: 0
I realize I am a little late to the party here but, why can't you simply put your server in the proxy exceptions list in your browser settings? This will allow your browser to bypass the proxy for connections to that server.

Ex:
*.local.domain.name
or
.local.domain.name
 
Old 05-21-2008, 01:02 PM   #9
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968
yes, very late. please don't drag up dead threads.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
configure squid proxy with microsoft proxy as a parent proxy nintykola Linux - Software 1 08-28-2007 02:38 AM
Using iptables to bypass squid proxy for a specific domain jcopley Linux - Security 3 07-18-2007 01:50 PM
Bypass Proxy Ungluun Linux - Networking 4 03-10-2005 01:42 AM
Bypass proxy hotplainrice Linux - Networking 1 02-26-2005 07:13 AM


All times are GMT -5. The time now is 08:50 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration