Enhancement #3099

Web proxy: exclude local sites when mode is transparent

Added by Giacomo Sanchietti over 6 years ago. Updated over 6 years ago.

Status: CLOSED
Priority: Normal
Assignee: -
Category: nethserver-squid
Target version: v6.6
Start date:
Due date:
% Done: 100%
Resolution:
NEEDINFO: No

Description

If the proxy is configured in transparent mode, all sites are accessed through the proxy, but this configuration doesn't make any sense for local sites.

Create built-in firewall rules to bypass the transparent proxy for sites hosted by the firewall itself and accessed from the green and blue zones.

Associated revisions

Revision 8eb5fbb5
Added by Giacomo Sanchietti over 6 years ago

Shorewall: bypass local sites. Refs #3099

Revision 60f7115c
Added by Giacomo Sanchietti over 6 years ago

dhclient: execute firewall-adjust on IP change. Refs #3099

History

#1 Updated by Giacomo Sanchietti over 6 years ago

  • Description updated (diff)

#2 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from NEW to TRIAGED
  • Target version set to v6.6
  • % Done changed from 0 to 20

#3 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#4 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#5 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70

Packages in nethserver-testing:
  • nethserver-squid-1.3.2-1.2.g8eb5fbb.ns6.noarch.rpm
  • nethserver-base-2.6.4-1.3.g60f7115.ns6.noarch.rpm

Test case
  • Configure a system with a red interface in DHCP, a green interface and an orange interface
  • Enable squid in transparent mode
  • Try to access an HTTP page hosted on the firewall itself
  • Check that the request is not logged in /var/log/squid/access.log

You can use the following command to check the Shorewall chains:

    shorewall show nat
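An added check for the last test-case step, not part of the NethServer packages or of this ticket: it scans a squid access.log (native format assumed) for requests whose URL host is one of the firewall's own addresses, so a non-empty result means a local site still went through the proxy. The log lines and the 192.168.1.1 green address are constructed placeholders.

```shell
#!/bin/sh
# Added example: detect local-site requests that reached squid despite the
# transparent-proxy bypass. Native squid access.log format assumed:
#   time elapsed client action/code size method URL user hierarchy type
# Field 7 is the URL; for CONNECT requests it is the bare host:port.

# Constructed sample log: two external requests and one request to the
# firewall itself (192.168.1.1, placeholder green address) that the
# Shorewall bypass rules should have kept away from squid.
SAMPLE_LOG=$(cat <<'EOF'
1432800000.123    120 192.168.1.50 TCP_MISS/200 4321 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1432800001.456     45 192.168.1.51 TCP_MISS/200 1234 GET http://192.168.1.1/server-manager/ - HIER_DIRECT/192.168.1.1 text/html
1432800002.789     80 192.168.1.52 TCP_MISS/200 2222 GET http://example.org:8080/a - HIER_DIRECT/93.184.216.35 text/html
EOF
)

# local_proxy_hits LOG_CONTENTS "addr1 addr2 ...":
# prints every log line whose URL host is one of the given local
# addresses/names; exits 0 when none are found (bypass works), 1 otherwise.
local_proxy_hits() {
    printf '%s\n' "$1" | awk -v locals="$2" '
        BEGIN { n = split(locals, l, " "); for (i = 1; i <= n; i++) islocal[l[i]] = 1 }
        NF >= 7 {
            split($7, a, "/"); host = a[3]
            if (host == "") host = a[1]      # CONNECT host:port form, no scheme
            sub(/:[0-9]+$/, "", host)        # drop an explicit port
            if (host in islocal) { print; hits++ }
        }
        END { if (hits > 0) exit 1; exit 0 }'
}

# Stand-alone run: in production pass "$(cat /var/log/squid/access.log)" and
# the firewall's real green/blue addresses and hostnames instead.
if local_proxy_hits "$SAMPLE_LOG" "192.168.1.1"; then
    echo "OK: no local site went through the proxy"
else
    echo "FAIL: the lines above were proxied although they target the firewall"
fi
```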

#6 Updated by Filippo Carletti over 6 years ago

  • Assignee set to Filippo Carletti

#7 Updated by Filippo Carletti over 6 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

After updating packages, the nat rules are correct and trying to access a web page on the firewall I see the rules matching.
Also, squid access.log no longer contains references to the local websites.

#8 Updated by Giacomo Sanchietti over 6 years ago

  • Assignee deleted (Filippo Carletti)

#9 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100
Released in nethserver-updates:
  • nethserver-squid-1.3.3-1.ns6.noarch.rpm
