Topic: How to disable squid proxy for a certain webpage?

[jonic]

My users cannot access a specific webpage (some Microsoft sourcesafe thing) when squid proxy is enabled. Can it be bypassed for a specific site? Disabling it alltogether is not an option cause I need the reports generated by sarg.

[CharlieBrady]

My users cannot access a specific webpage (some Microsoft sourcesafe thing) when squid proxy is enabled.

What does "cannot access" mean precisely? What happens when they try?

Please provide your answers via the bug tracker - squid should "just work". If it doesn't, there's probably a bug to fix.

[jonic]

The error is:
"HTTP 401.2 - Unauthorized: Logon failed due to server configuration
Internet Information Services".

Normally a login box should appear, and it doesn't so I get that error. This is the same error that I get if I hit cancel on the login box. The address is : http://82.76.37.230/sourcesafe/vsservice.asmx. I've tested it form another lan with a SME server and squid enabled and I get the same error. Once I disable squid it works.

I will post this to the bugtracker, but I needed a quickfix to this problem, and bypassing squid for that address should work, but I don't know how it can be done.

[Gaston94]

Hi,
unless I am wrong in understanding your issue, it looks like the site you are trying to reach is performing a NTLM authentification request (Windows proprietary authentication method) ==> check in your log files some traces.
This methodology is really bad understood by squid (does requires "one to connect" method) and w$ is not fair in the story.
The workaround you can apply, unless squid community made great enhancement in last year, is to add this site in your browser "proxy exception" setting (or within your proxy.pac).

G.
PS: I have no idea about surrounding such issue with a transparent proxy setting : once the squid proxy has handle the request, it's too late ...

[jonic]

Yes, it seems that this is the case, so I would have to bypass squid for the webpage to work, and do the modifications on the server, due to the transparent nature of squid...Is there a template that I could edit?

Another solution would be to bypass squid completly only for a machine on the network, and use only this machine to access the webpage. Unfortunately I don't know how to do this either  .

Any ideas?

[kmccarn]

You might try proxypass:

http://www.saco-support.de/index.php?_m=downloads&_a=viewdownload&downloaditemid=7&nav=0,3

Let me know if it works.

 

[Franco]

Basically what it needs to be reconfigured is the proxy rule. SME uses IPTABLES so the propper way would be to modify the rule that says " All traffic destined to port 80 should be redirect to port 3128". The modification should add "except for destination nnn.nnn.nnn.nnn (!).

Now, where is this rule?

Code: [Select]

IPTABLES -L does not reveal it.

Proxypass is another package that does something totally different and does not apply here.

[jonic]

Proxypass is another package that does something totally different and does not apply here.

From what I've read about proxypass I got the same idea.

Basically what it needs to be reconfigured is the proxy rule. SME uses IPTABLES so the propper way would be to modify the rule that says " All traffic destined to port 80 should be redirect to port 3128". The modification should add "except for destination nnn.nnn.nnn.nnn (!).

Now, where is this rule?

Yes, where is it ?
I'm not very proficient with iptables so I could use some help.

Thanks.

[rsrexo]

Has any body solved this problem?

[jonic]

Has any body solved this problem?

Not me. But when I'll have time I plan to find a solution. If I do I will post it here.

[Franco]

Here's the solution:
nano /etc/e-smith/templates/etc/rc.d/init.d/masq/35transpoxy
change:

Code: [Select]

$OUT .= "\t-p tcp --dport 80 -j TransProxy\n";


to

Code: [Select]

$OUT .= "\t-p tcp --dport 80 -d ! 200.201.173.0/24 -j TransProxy\n";

where  ! nnn.nnn.nnn.nnn is the IP I don't want to pass through squid.

Code: [Select]

#expand-template /etc/rc.d/init.d/masq
#signal-event post-upgrade; signal-event reboot



[rsrexo]

It works!!! Thank you!!!

[roba]

Please note that this is NOT the prescribed way to modify a template..

First copy /etc/e-smith/templates/etc/rc.d/init.d/masq/35transpoxy to /etc/e-smith/custom-templates/etc/rc.d/init.d/masq/35transpoxy and then edit the file.

Otherwise your changes will be overwritten by the system when updates come along.

Perhaps someone more experienced with the user manager could add a page for setting this up [feature request].

[Franco]

you're right this is not the propper way, but if my modification were to be rewritten that would have happened by the post-upgrade command.

Code: [Select]

Perhaps someone more experienced with the user manager could add a page for setting this up [feature request].
Perhaps, but this request was made by me on version 6 and I'm still waiting...

[CharlieBrady]

you're right this is not the propper way, but if my modification were to be rewritten that would have happened by the post-upgrade command.
Adding a template-custom/masq would be easy if I was adding stuff, but since I'm modiffying it I had no choice.

That's incorrect. Rob A showed you exactly how to use a custom template when modifying an existing fragment. As he rightly says, the way you have made the change it will be lost if an updated e-smith-proxy package is installed on your system.