Feature #2503

Web proxy: bypass rules based on destination and source

Added by Filippo Carletti over 7 years ago. Updated over 6 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-squid
Target version: v6.5
Resolution:
NEEDINFO: No

Description

The web proxy bypass should allow bypassing the proxy for certain destination IPs. Useful with some ill-written websites.


Related issues

Related to NethServer 6 - Feature #2502: Web proxy bypass needs enable/disable button CLOSED
Related to NethServer 6 - Enhancement #2967: Transparent proxy: switch implementation from TPROXY to RE... CLOSED

Associated revisions

Revision c4cb7e93
Added by Giacomo Sanchietti over 6 years ago

Web UI: new bypass rules. Refs #2503

Revision 5104be4d
Added by Giacomo Sanchietti over 6 years ago

Firewall config: new bypass rules. Refs #2503

Revision 09d5cb17
Added by Giacomo Sanchietti over 6 years ago

Move proxy bypass to fwrules db. Refs #2503

Revision cfbd3944
Added by Giacomo Sanchietti over 6 years ago

db: add migration fragment for bypass. Refs #2503

Revision e8f92923
Added by Giacomo Sanchietti over 6 years ago

Web UI: handle bypass delete. Refs #2503

Revision 4b94a8bc
Added by Giacomo Sanchietti over 6 years ago

Web UI: minor fixes. Refs #2503

Revision 1fcdbc13
Added by Giacomo Sanchietti over 6 years ago

Web UI: show hosts from dns and dhcp. Refs #2503

Revision 89a66f83
Added by Giacomo Sanchietti over 6 years ago

Inline help: update English and Italian. Refs #2964 #2503

History

#1 Updated by Giacomo Sanchietti over 7 years ago

  • Target version set to ~FUTURE

#3 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from NEW to TRIAGED
  • Target version changed from ~FUTURE to v6.5
  • % Done changed from 0 to 20

#4 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#5 Updated by Giacomo Sanchietti over 6 years ago

  • Assignee deleted (Giacomo Sanchietti)

The same considerations as #2502 apply here.

#6 Updated by Giacomo Sanchietti over 6 years ago

  • Related to Feature #2502: Web proxy bypass needs enable/disable button added

#7 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from ON_DEV to TRIAGED
  • % Done changed from 30 to 20

#8 Updated by Giacomo Sanchietti over 6 years ago

  • Subject changed from Web proxy bypass destination to Web proxy: bypass rules based on destination and source

The bypass implementation should allow creating rules based on source or destination.

Examples:
  • a badly written site should be accessible without proxy from any host
  • the boss's computer can access all sites without proxy

New bypass rules should
  • handle a source or destination
  • have an enable/disable option
  • have a description

Both source and destination must be firewall objects; if destination or source is missing, it can be evaluated as ANY.

Currently all source-based bypasses are saved inside the Bypass property as a comma-separated list of IP addresses.
To implement the above features it's necessary to create a new database containing records of type bypass.

These new features require the transparent proxy to be implemented using DNAT (redirect).

#9 Updated by Giacomo Sanchietti over 6 years ago

  • Related to Enhancement #2967: Transparent proxy: switch implementation from TPROXY to REDIRECT added

#10 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#11 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#12 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70

Package in nethserver-testing:
  • nethserver-squid-1.2.0-18.0gitcfbd3944.ns6.noarch.rpm
  • nethserver-squid-1.2.0-20.0git1a759fc7.ns6.noarch.rpm
  • nethserver-squid-1.2.0-21.0gite8f92923.ns6.noarch.rpm

Test case 1
  • Enable the proxy in transparent mode
  • Create a host associated to a local PC
  • Create a source bypass using the new host
  • Check the PC can access sites bypassing the proxy

Test case 2
  • Enable the proxy in transparent mode
  • Create a host associated to a remote server
  • Create a destination bypass using the new host
  • Check the PC can access the site bypassing the proxy

Test case 3
  • Upgrade an existing installed machine with a bypass already configured
  • Check the bypass is correctly migrated inside the fwrules database as source bypass

#13 Updated by Filippo Carletti over 6 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

Test case 2:

[root@localhost ~]# iptables -t nat -nL loc_dnat
Chain loc_dnat (1 references)
target     prot opt source               destination         
REDIRECT   tcp  --  0.0.0.0/0           !95.138.186.87       tcp dpt:80 /* transparent proxy on green for port 80 */ redir ports 3129 
REDIRECT   tcp  --  0.0.0.0/0           !95.138.186.87       tcp dpt:443 /* transparent proxy on green for port 443 */ redir ports 3130 

Test 3:
# db fwrules show
migr4=bypass-src
    Description=Migrated 192.168.56.4
    Host=host;migr4
    status=enabled

Test 1:
REDIRECT   tcp  -- !192.168.56.4         0.0.0.0/0           tcp dpt:80 /* transparent proxy on green for port 80 */ redir ports 3129
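
An added example, not part of the original issue and not NethServer code: a Python audit helper that parses an `iptables -t nat -nL loc_dnat` listing like the one quoted above and lists every address excluded from the transparent-proxy REDIRECT, so the exemptions can be compared with an approved list. The sample text combines the lines quoted in this comment; the function names and the approved network are assumptions.

```python
import ipaddress
import re

# Constructed sample: the loc_dnat lines quoted in comment #13, combined.
SAMPLE = """\
Chain loc_dnat (1 references)
target     prot opt source               destination
REDIRECT   tcp  --  0.0.0.0/0           !95.138.186.87       tcp dpt:80 /* transparent proxy on green for port 80 */ redir ports 3129
REDIRECT   tcp  --  0.0.0.0/0           !95.138.186.87       tcp dpt:443 /* transparent proxy on green for port 443 */ redir ports 3130
REDIRECT   tcp  -- !192.168.56.4         0.0.0.0/0           tcp dpt:80 /* transparent proxy on green for port 80 */ redir ports 3129
"""

# target, prot, opt, source, destination, then the match and redirect port.
RULE = re.compile(
    r"^REDIRECT\s+tcp\s+\S+\s+(?P<src>!?\S+)\s+(?P<dst>!?\S+)\s+"
    r"tcp dpt:(?P<dport>\d+).*redir ports (?P<to>\d+)"
)


def parse_bypasses(listing):
    """Return one dict per negated source/destination on a REDIRECT rule."""
    found = []
    for line in listing.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue  # chain header, column header, other targets
        for kind, field in (("source", m["src"]), ("destination", m["dst"])):
            if field.startswith("!"):  # "!" marks traffic that skips the proxy
                found.append({
                    "type": kind,
                    "net": ipaddress.ip_network(field[1:], strict=False),
                    "dport": int(m["dport"]),
                    "redirect_to": int(m["to"]),
                })
    return found


def unexpected(bypasses, approved):
    """Bypasses whose address is not inside any approved network."""
    nets = [ipaddress.ip_network(a) for a in approved]
    return [b for b in bypasses if not any(b["net"].subnet_of(n) for n in nets)]


if __name__ == "__main__":
    # Hypothetical policy: only hosts on 192.168.56.0/24 may bypass the proxy.
    for b in unexpected(parse_bypasses(SAMPLE), ["192.168.56.0/24"]):
        print(f"unapproved {b['type']} bypass {b['net']} on port {b['dport']}")
```
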

#14 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100
Released in nethserver-updates:
  • squid-3.3.13-1.el6.x86_64.rpm
  • nethserver-squid-1.3.0-1.ns6.noarch.rpm
