I'm running a Squid proxy and want to exclude a certain web address that is accessed over a non-standard port from going through the proxy, rather than open the port in an ACL within squid.conf (seems it's a specific usage case).

In my case the port in question is TCP 2222 (DirectAdmin) over both http:// and https://. I wasn't sure if this was actually possible to do without opening the port itself, but I did find several articles about bypassing URLs with non-standard ports with PAC/WPAD. I've tried a ruleset like the one below, which sets a wildcard for the TLD and specific rules for the non-standard port URL.

 if (shExpMatch(host, "*.somedomain.com") ||
     shExpMatch(url, "http://example.somedomain.com:2222/*") ||
     shExpMatch(url, "https://example.somedomain.com:2222/*"))
     return "DIRECT";

Using pactester, I am getting the correct response of DIRECT from a rule test

pactester -p /path/to/wpad.dat -u http://example.somedomain.com
DIRECT
pactester -p /path/to/wpad.dat -u http://example.somedomain.com:2222
DIRECT
pactester -p /path/to/wpad.dat -u https://example.somedomain.com:2222
DIRECT

However, it appears the request is still being sent through the proxy as I get "Proxy is refusing connections" etc. in a web browser. The port itself is not blocked, I can telnet to it, but the Squid ACL doesn't have the port allowed. Though this is what I am trying to avoid doing, and surely the DIRECT response means bypass?

Is this actually possible to achieve with a PAC/WPAD with non-standard ports, or is there an alternative way to bypass and send directly for this specific case?

James White
  • Check if the :2222 website is doing any redirects to another hostname/URL or directly to an IP address. I do know DirectAdmin does change it to an IP address in some situations. Either case would end up trying to go through the proxy. Ex: http://www.directadmin.com/features.php?id=801 – Brian Jul 24 '15 at 13:01
  • I am doing a SSL redirect, but the hostname matches what's defined in my ruleset – James White Jul 24 '15 at 13:12
  • Can reduce to `if (dnsDomainIs(host, ".somedomain.com"))` followed by the `return "DIRECT";` but yours should work unless redirects etc pass through a domain or IP addresses in the URL that then tries to go through the proxy. – Brian Jul 24 '15 at 13:22
  • Looks like I had a bad isInNet rule overriding the DIRECT statement, seems to be working now! – James White Jul 24 '15 at 13:34

3 Answers

If you want something more generic, to allow all requests that require a non-standard port to go direct, try:

if (shExpMatch(url, "*://" + host + ":*"))
    return "DIRECT";

It's not perfect (and you might want to modify so that requests that explicitly specify the standard port for the protocol e.g. :80 for HTTP, and :443 for HTTPS still go via the proxy) but it should catch most requests. Refinements welcome.

Minkus
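A complete PAC file built around the rule in this answer, with the refinement it mentions (an explicit :80 for http or :443 for https still goes via the proxy) and the bypass checks placed before any broader rule so nothing can override the DIRECT decision. This is an added example, not the answerer's or the question author's code; the proxy address is an assumed placeholder, and only plain JavaScript is used so it runs under pactester, a browser, or Node.

```javascript
// Assumed placeholder for the real proxy; not taken from the page.
var PROXY = "PROXY proxy.example.internal:3128";

// Return the port written explicitly in the URL, or null if none is given.
// Handles userinfo (user:pw@host) and IPv6 literals ([::1]:8443).
function explicitPort(url) {
  var m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#]*)/i.exec(url);
  if (!m) return null;
  var hostport = m[2];
  var at = hostport.lastIndexOf("@");
  if (at !== -1) hostport = hostport.slice(at + 1);
  var pm = /^(?:\[[^\]]*\]|[^:]*)(?::(\d+))?$/.exec(hostport);
  if (!pm || !pm[1]) return null;
  return parseInt(pm[1], 10);
}

// True when the URL names a port other than the scheme's default
// (an explicit :80 on http or :443 on https is treated as standard).
function usesNonStandardPort(url) {
  var port = explicitPort(url);
  if (port === null) return false;
  var scheme = url.slice(0, url.indexOf(":")).toLowerCase();
  var defaults = { "http": 80, "https": 443, "ftp": 21 };
  return defaults[scheme] !== port;
}

function FindProxyForURL(url, host) {
  // Bypass rules come first: a later, broader rule (for example an isInNet
  // check) can then never override the DIRECT result, which was the cause
  // of the problem described in the question.
  if (usesNonStandardPort(url)) return "DIRECT";
  if (host === "somedomain.com" || /\.somedomain\.com$/i.test(host)) return "DIRECT";
  return PROXY;
}
```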
Original config

if (shExpMatch(host, "*.somedomain.co.uk") ||
     shExpMatch(url, "http://example.somedomain.com:2222/*") ||
     shExpMatch(url, "https://example.somedomain.com:2222/*"))
     return "DIRECT";

Are you sure this shouldn't be

if (shExpMatch(host, "*.somedomain.co.uk") ||
     shExpMatch(url, "http://example.somedomain.co.uk:2222/*") ||
     shExpMatch(url, "https://example.somedomain.co.uk:2222/*"))
     return "DIRECT";

You might be trying to visit example.somedomain.co.uk but your condition is written for example.somedomain.com and so it keeps hitting the proxy?

ngn
  • Sorry typo. A mistake when replacing the actual domain for placeholders – James White Jul 24 '15 at 13:11
  • For debugging, can you try removing the wildcards and testing this against a static URL? Also define an extra rule for another website which is otherwise accessible without the proxy. Check if your PAC file is actually being used at all. – ngn Jul 24 '15 at 13:20
  • PAC is most certainly being used, I'm running a proxy chain and I'd know if it was not being used. – James White Jul 24 '15 at 13:29
Looks like it was a combination of caching and a bad isInNet rule overriding the DIRECT rule in my specific port if statement.

The rule example posted does work, when executed in the correct order!

James White