Linux Users' Group of Davis (LUGOD)
 
Page last updated:
2006 Jan 26 23:51

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

[vox-tech] Re: Need to bypass Squid proxy

How is this transparent proxy hooked up?  Does it also do the routing,
or does another box do this?  Somewhere in your traffic flow it must
be redirected to the transparent proxy (unless you're doing
transparent bridging proxying, but you should be able to remedy that
in a similar fashion).  If it's a Linux router, create an iptables
rule that will not redirect the packets to the transparent proxy if
they're coming from and going to your internal network.  If it's not
Linux, there still should be a way to accomplish the same goal, but
I'm not sure if this list would be useful in that case.

--Seth

On 1/26/06, Micah J. Cowan <micah@cowan.name> wrote:
> On Thu, Jan 26, 2006 at 01:38:54PM -0800, Ehrhart, Jay wrote:
> > I don't think I made what I want to accomplish clear.
> >
> > I am at a county office of Education.  By law all web traffic to the
> > real Internet must be filtered.  I have a Red Hat Linux server running
> > N2H2 web filtering.  It is a transparent proxy.  All traffic goes
> > through the proxy filter and there is no way around it.
> >
> > I have an internal web server that is only for the schools and is not
> > publicly accessible.  The proxy server does its job and sends the
> > traffic out where it dies on the outside of my publicly facing firewall.
> > I want to bypass the proxy with squid or iptables so that the private
> > sites can reach the private web site.
>
> I realize this. The message you're responding to was
> something of a tangent.
>
> So, it is a transparent proxy, and editing your Connection Settings
> won't work. Any changes made must be done at the proxy server, or at a
> routing level.
>
> First off: as things currently stand, does traffic directed at the
> private web server actually get there (though redirected from the proxy
> server)? If not, then you need to make sure that the proxy knows how to
> direct traffic there.
>
> Now, if things are getting to the private web server, but always show
> the IP address from the proxy server, there are a couple of options. The
> easiest, if you are able to make the appropriate adjustments at the web
> server, is to comprehend and correctly interpret the HTTP
> X-Forwarded-From (non-standard) header that your proxy should be
> emitting.
>
> Another option is to configure the proxy server to directly forward
> IP packets to the internal web server, virtually unchanged (that is,
> with the original source IP address intact). If you're not using Linux,
> I can't help you there (it may not be possible).
>
> But your best option would be to ensure that the routing tables of the
> machines on your network don't direct intranetwork traffic through the
> proxy. If you're using DHCP, then it's the DHCP server you need to
> configure for this.
>
> HTH,
> Micah
_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
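The iptables exemption suggested in the reply above, as an added example that is not part of the original thread: the intranet bypass has to sit ahead of the proxy redirect in the nat PREROUTING chain and be limited by both source and destination, otherwise it is either never reached or lets outbound web traffic skip the filter. The interface `eth1`, the network `10.0.0.0/8`, proxy port `3128` and the helper names `gen_rules` and `audit_rules` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; eth1, 10.0.0.0/8 and port 3128 are constructed placeholders.

# Print nat-table rules in order: the LAN-to-LAN exemption first, then the
# redirect of all remaining port-80 traffic to the local transparent proxy.
gen_rules() {  # usage: gen_rules LAN_IF LAN_NET PROXY_PORT
    echo "-A PREROUTING -i $1 -s $2 -d $2 -p tcp --dport 80 -j ACCEPT"
    echo "-A PREROUTING -i $1 -p tcp --dport 80 -j REDIRECT --to-ports $3"
}

# Audit rules read from stdin (format of `iptables -t nat -S PREROUTING`).
# Exit 0: a bounded bypass precedes the redirect.
# Exit 1: a bypass lacks -s or -d, so outbound web traffic could skip the filter.
# Exit 2: no bypass precedes the redirect, so intranet traffic is still proxied.
audit_rules() {
    awk '
    / -j REDIRECT/ { if (!redir) redir = NR; next }
    / -j (ACCEPT|RETURN)/ && / --dport 80 / {
        if (redir) { late = 1; next }
        if ($0 !~ / -s / || $0 !~ / -d /) { open = 1 } else { bypass = 1 }
    }
    END {
        if (open) { print "FAIL: bypass not limited to internal source and destination"; exit 1 }
        if (late || !bypass) { print "FAIL: no bypass ahead of the REDIRECT rule"; exit 2 }
        print "OK"
    }'
}

# Constructed sample: the bypass was appended after the redirect and never matches.
SHADOWED='-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -s 10.0.0.0/8 -d 10.0.0.0/8 -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT'

gen_rules eth1 10.0.0.0/8 3128 | audit_rules          # prints OK
printf '%s\n' "$SHADOWED" | audit_rules || true       # prints FAIL (exit 2)

# To load the generated rules on the router (root required), one per line:
#   gen_rules eth1 10.0.0.0/8 3128 | while read -r r; do iptables -t nat $r; done
```

Running the audit against the output of `iptables -t nat -S PREROUTING` after each firewall change catches a bypass that was appended below the redirect or widened beyond the intranet.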


