How to create a "site without proxy" rule

This might sound like a really dumb question, but how do I go about adding a website into the “sites without proxy” tab? Currently I only see the option of adding existing/created “hosts” (firewall objects, hostgroups, CIDR) into the “destination” field of that page. How do I enter a website, for example: I want to add mapbox.com to bypass the proxy.

Do the following:

  • Open the Firewall Objects page
  • Create a host containing “mapbox.com”
  • Use the host inside the “sites without proxy” tab

Can’t create a host as “mapbox.com” … host needs to be an IP address

Try to ping mapbox.com and use the IP of mapbox.com instead of the Domain name.
When I’m doing that, the IP is 54.191.124.26

That can work, but what if a website uses multiple IP addresses? Most large websites, including mapbox, have multiple IP addresses, and the DNS response changes from hour to hour or even query to query depending on which data center serves you at that time.

Edit: Nslookup gives me the following

I’m not even sure how many other IPs are being used, associated with which child domains, and how frequently these IPs are being changed.

You need to create a custom template for it.
But remember, you should use “site without proxy” only with a very limited list of sites.

How do I go about doing that? I’m getting more and more sites showing errors, as I mentioned in my other post (Issues with Transparent proxy and SSL), so I have to start putting them into the “site without proxy”, to avoid getting yelled at from the developers :slight_smile:

The SSL proxy is quite complex and may not work on any site.

I suggest this configuration:

  • Proxy in Manual mode
  • Port 90 and 443 blocked
  • Proxy configured on all PCs using DHCP (or manually)

Would this setup handle HTTP and HTTPS traffic both?

Yes, except for the antivirus part which isn’t able to scan the traffic.

Thanks for the help. I’m now testing a manual mode proxy to avoid this issue … seems to be working fine for now.

Just out of curiosity, any plans on implementing a URL-based “sites without proxy”?

We already have it :wink: Just enable the “Enable expression matching on URL” option: some black lists already have URL support.
Also, you can create your own URL expression for the white and black list from the main page:

I’m asking particularly for “sites without proxy” option under the Proxy setting, not for content filter or anything else.

Ok, now I got it :slight_smile: No, we have no plans to support it.

But you could try to hack a bit on squid using ACLs with the url_regex option. See http://www.squid-cache.org/Doc/config/acl/
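As an added illustration of the squid ACL approach suggested above (not from this thread and not one of NethServer's own templates), here is a squid.conf fragment that bypasses interception by destination name rather than by IP. It assumes Squid 3.5 or later with ssl_bump already configured, and the domain list is a constructed example:

```conf
# Constructed list of destinations to bypass; a leading dot matches all subdomains.
# ssl::server_name matches the SNI of an intercepted TLS connection, so the
# many changing IPs behind the name no longer matter.
acl bypass_tls ssl::server_name .mapbox.com .compute-1.amazonaws.com

# Same names for plain HTTP requests (matched on the Host header / URL).
acl bypass_http dstdomain .mapbox.com .compute-1.amazonaws.com

# Alternative from the thread: url_regex on the full URL, case-insensitive.
acl bypass_url url_regex -i ^https?://([a-z0-9-]+\.)*mapbox\.com(:[0-9]+)?(/|$)

# TLS: peek at the ClientHello to learn the SNI, then splice (tunnel without
# decrypting) the bypass list and bump everything else.
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump splice bypass_tls
ssl_bump bump all

# HTTP: keep the bypassed sites out of the cache and the URL filter.
cache deny bypass_http
cache deny bypass_url
url_rewrite_access deny bypass_http
url_rewrite_access deny bypass_url
```

Run `squid -k parse` to validate the syntax before reloading. Splicing means the traffic is tunnelled unscanned, so keep the list as short as the developer above recommends.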

Thanks for the update.

You might want to think about it, as otherwise, this “sites without proxy” is a useless feature, due to the reason I’ve already mentioned before. You can’t possibly add 20 different always-changing IPs as firewall objects, if you want a particular website to bypass the proxy.

Did you solve this problem?

It’s possible to enter a hostname as destination bypass in the new server manager.

I need to release xxxx…compute-1.amazonaws.com; it has several CIDRs, and it is almost impossible to release just one at a time.
Can I create rules on the command line?

I’m doing this:
1 - Create CIDR subnet objects
2 - Create firewall rules
3 - Create bypass destination

1586563170.284 250 192.168.30.158 TAG_NONE/200 0 CONNECT 3.91.94.80:443 - HIER_NONE/- -
1586563172.776 1 192.168.30.158 TAG_NONE/200 0 CONNECT 3.91.94.80:443 - HIER_NONE/- -
1586563196.338 253 192.168.30.158 TAG_NONE/200 0 CONNECT 52.90.184.251:443 - HIER_NONE/- -
1586563241.431 45353 192.168.30.158 TAG_NONE/200 0 CONNECT 54.175.91.182:443 - HIER_NONE/- -
1586563253.302 60886 192.168.30.158 TAG_NONE/200 0 CONNECT 3.219.204.81:443 - HIER_NONE/- -

Thanks!

Yes, that’s possible:

http://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-firewall-base.html#rules

http://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-squid.html#bypasses

Thank you very much for your very quick reply.
