Feature #2503
Web proxy: bypass rules based on destination and source
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-squid | | |
| Target version: | v6.5 | | |
| Resolution: | | NEEDINFO: | No |
Description
The web proxy bypass should allow bypassing the proxy for certain destination IPs. Useful with some ill-written websites.
Related issues
Associated revisions
Web UI: new bypass rules. Refs #2503
Firewall config: new bypass rules. Refs #2503
Move proxy bypass to fwrules db. Refs #2503
db: add migration fragment for bypass. Refs #2503
Web UI: handle bypass delete. Refs #2503
Web UI: minor fixes. Refs #2503
Web UI: show hosts from dns and dhcp. Refs #2503
History
#1 Updated by Giacomo Sanchietti over 7 years ago
- Target version set to ~FUTURE
#3 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from NEW to TRIAGED
- Target version changed from ~FUTURE to v6.5
- % Done changed from 0 to 20
#4 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#5 Updated by Giacomo Sanchietti over 6 years ago
- Assignee deleted (Giacomo Sanchietti)
Same considerations of #2502 apply here.
#6 Updated by Giacomo Sanchietti over 6 years ago
- Related to Feature #2502: Web proxy bypass needs enable/disable button added
#7 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from ON_DEV to TRIAGED
- % Done changed from 30 to 20
#8 Updated by Giacomo Sanchietti over 6 years ago
- Subject changed from Web proxy bypass destination to Web proxy: bypass rules based on destination and source
Examples:
- a badly written site should be accessible without proxy from any host
- the boss's computer can access all sites without proxy
- handle a source or destination
- have an enable/disable option
- have a description
Both source and destination must be firewall objects; if destination or source is missing it can be evaluated as ANY.
Currently all source-based bypasses are saved inside the Bypass property as a comma-separated list of IP addresses.
To implement the above features it's necessary to create a new database containing records of type bypass.
These new features require a transparent proxy implemented using DNAT (redirect).
#9 Updated by Giacomo Sanchietti over 6 years ago
- Related to Enhancement #2967: Transparent proxy: switch implementation from TPROXY to REDIRECT added
#10 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#11 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#12 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-squid-1.2.0-18.0gitcfbd3944.ns6.noarch.rpm
- nethserver-squid-1.2.0-20.0git1a759fc7.ns6.noarch.rpm
- nethserver-squid-1.2.0-21.0gite8f92923.ns6.noarch.rpm
Test case 1:
- Enable the proxy in transparent mode
- Create a host associated to a local PC
- Create a source bypass using the new host
- Check the PC can access sites bypassing the proxy

Test case 2:
- Enable the proxy in transparent mode
- Create a host associated to a remote server
- Create a destination bypass using the new host
- Check the PC can access the site bypassing the proxy

Test case 3:
- Upgrade an existing installed machine with a bypass already configured
- Check the bypass is correctly migrated inside the fwrules database as source bypass
#13 Updated by Filippo Carletti over 6 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
Test case 2:

```
[root@localhost ~]# iptables -t nat -nL loc_dnat
Chain loc_dnat (1 references)
target prot opt source destination
REDIRECT tcp -- 0.0.0.0/0 !95.138.186.87 tcp dpt:80 /* transparent proxy on green for port 80 */ redir ports 3129
REDIRECT tcp -- 0.0.0.0/0 !95.138.186.87 tcp dpt:443 /* transparent proxy on green for port 443 */ redir ports 3130
```

Test 3:

```
# db fwrules show
migr4=bypass-src
    Description=Migrated 192.168.56.4
    Host=host;migr4
    status=enabled
```

Test 1:

```
REDIRECT tcp -- !192.168.56.4 0.0.0.0/0 tcp dpt:80 /* transparent proxy on green for port 80 */ redir ports 3129
```
#14 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
- squid-3.3.13-1.el6.x86_64.rpm
- nethserver-squid-1.3.0-1.ns6.noarch.rpm
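
In the REDIRECT rules quoted in the test results above, a bypass appears as a negated source or destination, so that traffic never reaches the proxy or its filtering. The following is an added example, not code from nethserver-squid: a small parser that lists which hosts and ports are exempt, assuming the single-negation rule layout shown on this page (the function names are hypothetical).

```python
import re

# Rule lines copied from the test output on this page. Listing the Test 1
# source-bypass rule together with the Test 2 destination-bypass rules is
# constructed for this example.
SAMPLE = """\
Chain loc_dnat (1 references)
target prot opt source destination
REDIRECT tcp -- 0.0.0.0/0 !95.138.186.87 tcp dpt:80 /* transparent proxy on green for port 80 */ redir ports 3129
REDIRECT tcp -- 0.0.0.0/0 !95.138.186.87 tcp dpt:443 /* transparent proxy on green for port 443 */ redir ports 3130
REDIRECT tcp -- !192.168.56.4 0.0.0.0/0 tcp dpt:80 /* transparent proxy on green for port 80 */ redir ports 3129
"""

# target, prot, opt, source, destination, then the match and the redirect port.
RULE = re.compile(
    r"^REDIRECT\s+tcp\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"tcp\s+dpt:(?P<dport>\d+)\b.*?redir ports (?P<proxy>\d+)\s*$"
)


def parse_bypasses(listing):
    """Return (kind, address, dport, proxy_port) for every negated match."""
    found = []
    for line in listing.splitlines():
        m = RULE.match(line.strip())
        if m is None:
            continue  # chain header, column header, or a non-REDIRECT rule
        for kind in ("src", "dst"):
            value = m[kind]
            if value.startswith("!"):  # "!addr" means: do not redirect this one
                found.append((kind, value[1:], int(m["dport"]), int(m["proxy"])))
    return found


def summarize(listing):
    """Map (kind, address) to the set of destination ports that skip the proxy."""
    summary = {}
    for kind, addr, dport, _proxy in parse_bypasses(listing):
        summary.setdefault((kind, addr), set()).add(dport)
    return summary


if __name__ == "__main__":
    for (kind, addr), ports in sorted(summarize(SAMPLE).items()):
        print(f"{kind} bypass {addr}: ports {sorted(ports)} are not proxied")
```

On a live system the listing would come from `iptables -t nat -nL loc_dnat`; rules in any other layout are skipped by this parser rather than interpreted.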