BypassDomains in Authenticated Mode

Hi,

I want to bypass some domains so that clients don't use the proxy and go direct…

Via wpad.dat it would be very simple:

function FindProxyForURL(url, host)
{
    // Direct access to localhost
    if (isInNet(host, "127.0.0.1", "255.255.255.255"))
        return "DIRECT";

    // Direct access to local hosts
    if (isPlainHostName(host))
        return "DIRECT";
		
		
    // bypass
    if (dnsDomainIs(host, "dhl.de") ||
        dnsDomainIs(host, ".gr.gc") ||
        dnsDomainIs(host, ".hgw.gc") ||
        dnsDomainIs(host, ".wit.gc"))
        return "DIRECT";
	
	
    // eth0:192.168.208.0 green authenticated
    if (isInNet(myIpAddress(), "192.168.208.0", "255.255.255.0"))
        return "PROXY proxy.ant.gc:3128";


    // DEFAULT
    return "PROXY proxy.ant.gc:3128";
}

But I don't get how to set it up; it seems bypass settings in wpad.dat will only be set when the proxy is in transparent mode?

Ehm… there is my answer… but it seems I'm blind… where the hell should this “Domains without proxy” section be?

Sorry, don’t have a server with proxy in front of me, but from another post:

I use auth mode ^^

On the old server-manager (port 980), but works with transparent mode…

Bypass using wpad.dat should be working.
Is /var/www/html/wpad.dat content correct?

I have now created a custom template in /etc/e-smith/templates-custom/var/www/html/wpad.dat called 11domainBypassGC:

 {
    my $status = $squid{'status'} || 'disabled';
    if ($status eq 'disabled') {
        return '';
    }

    # Append the bypass block to the generated wpad.dat
    $OUT .= <<EOM;
    // bypass Domain for gc stuff
    if (shExpMatch(url, "*://10.32.66.*") ||
        dnsDomainIs(host, ".gr.gc") ||
        dnsDomainIs(host, ".nb.gc"))
        return "DIRECT";
EOM

}

That works for me, but it would be much better to manage these entries from the GUI :slightly_smiling_face:

Now I understand, it’s a regression of the cockpit interface I already reported.
You see this:
[Screenshot from 2020-12-30 10-31-49]

Simple workaround:

  1. switch to Transparent mode
  2. add bypass
  3. switch back to Authenticated

wpad.dat will contain all bypasses.

Mhhh, sounds good, but it doesn't work…

It creates fwrules, shown in:

[root@proxy ~]# db fwrules show
bypass-dst2=bypass-dst
Description=
Domains=gr.gc
status=enabled
bypass-dst3=bypass-dst
Description=
Domains=hgw.gc
status=enabled

But I think template “60proxyBypass” is missing something for “Domains”:

foreach ($db->get_all_by_prop('type' => 'bypass-dst')) {
        next if ($_->prop('status') eq 'disabled');
        my $h = $_->prop('Host') || next;
        my $address = $fw->getAddress($h);
        $OUT .= "    // Bypass destination: ".$_->key.": $h\n";
        if ($h =~ /cidr/) {
            $c = NetAddr::IP->new($address);
            $OUT .= '    if (isInNet(host, "'.$c->addr().'","'.$c->mask().'"))';
            $OUT .= "\n        return \"DIRECT\";\n";
        } elsif ($h =~ /host-group/) {
            foreach my $h (split(/,/,$address)) {
            $OUT .= '    if (isInNet(host,"'.$h.'", "255.255.255.255"))';
            $OUT .= "\n        return \"DIRECT\";\n";
            }
        } elsif ($h =~ /host/) {
            $OUT .= '    if (isInNet(host,"'.$address.'", "255.255.255.255"))';
            $OUT .= "\n        return \"DIRECT\";\n";
        } else {
            next;
        }
        $OUT .= "\n";
    }

Only source bypasses are supported. :frowning:

With this:

foreach ($db->get_all_by_prop('type' => 'bypass-dst')) {
    next if ($_->prop('status') eq 'disabled');
    # Use the Host prop if set, otherwise fall back to the Domains prop
    my $h = $_->prop('Host') || $_->prop('Domains') || next;
    my $address = $fw->getAddress($h);
    $OUT .= "    // Bypass destination: ".$_->key.": $h\n";
    if ($h =~ /cidr/) {
        $c = NetAddr::IP->new($address);
        $OUT .= '    if (isInNet(host, "'.$c->addr().'","'.$c->mask().'"))';
        $OUT .= "\n        return \"DIRECT\";\n";
    } elsif ($h =~ /host-group/) {
        foreach my $h (split(/,/,$address)) {
            $OUT .= '    if (isInNet(host,"'.$h.'", "255.255.255.255"))';
            $OUT .= "\n        return \"DIRECT\";\n";
        }
    } elsif ($h =~ /host/) {
        $OUT .= '    if (isInNet(host,"'.$address.'", "255.255.255.255"))';
        $OUT .= "\n        return \"DIRECT\";\n";
    } elsif ($_->prop('Domains')) {
        # Domains is a comma-separated list: emit one dnsDomainIs() check per entry
        my @Domains = split(',', $h);
        foreach my $d (@Domains) {
            $OUT .= '    if (dnsDomainIs(host,"'.$d.'"))';
            $OUT .= "\n        return \"DIRECT\";\n";
        }
    } else {
        next;
    }
    $OUT .= "\n";
}

It also creates entries in wpad like:

// Bypass destination: bypass-dst2: gr.gc
if (dnsDomainIs(host,"gr.gc"))
    return "DIRECT";

That's perfect for me! Can I submit it as a change request anywhere? Maybe others need it too?

2 Likes
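Added example, not part of the thread or of NethServer's code: the template above interpolates each `Domains` entry into `dnsDomainIs(host,"…")`, and the classic Netscape/Mozilla PAC `dnsDomainIs` is a plain suffix comparison, so an entry without a leading dot also sends unrelated hosts that merely end in the same characters DIRECT. The sketch validates entries before they become JavaScript source and compares the generated rule with a label-aware match; `hostInDomain`, `normaliseDomain`, `buildBypass` and `route` are hypothetical names, and the sample input is constructed.

```javascript
// Classic PAC helper as found in the Netscape/Mozilla PAC utilities:
// a plain string-suffix comparison, not a label-aware domain match.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// Label-aware alternative (hypothetical helper, not a PAC built-in;
// it would have to be defined inside the PAC file itself).
function hostInDomain(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Validate one entry of the comma-separated Domains prop before it is
// interpolated into JavaScript source. Returns the normalised name or null.
function normaliseDomain(raw) {
  const d = raw.trim().toLowerCase().replace(/^\./, "");
  const label = "[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?";
  return new RegExp(`^${label}(?:\\.${label})+$`).test(d) ? d : null;
}

// Build the bypass part of a PAC body from a Domains value,
// skipping anything that is not a plain DNS name (quotes, spaces, wildcards).
function buildBypass(domainsCsv, matcher) {
  const rules = [];
  for (const raw of domainsCsv.split(",")) {
    const d = normaliseDomain(raw);
    if (d === null) continue;
    rules.push(`  // Bypass destination: ${d}\n` +
               `  if (${matcher}(host, "${d}"))\n    return "DIRECT";\n`);
  }
  return rules.join("\n");
}

// Compile a generated body into a FindProxyForURL-like function, evaluate one host.
function route(body, host) {
  const pac = new Function("dnsDomainIs", "hostInDomain", "url", "host",
    body + '\n  return "PROXY proxy.ant.gc:3128";');
  return pac(dnsDomainIs, hostInDomain, "http://" + host + "/", host);
}

// Constructed sample input: two names from the thread plus one malformed entry.
const DOMAINS = 'gr.gc, dhl.de,bad"name.gc';
const asGenerated = buildBypass(DOMAINS, "dnsDomainIs");
const labelAware = buildBypass(DOMAINS, "hostInDomain");
```

With the suffix rule, `route(asGenerated, "notdhl.de")` returns `DIRECT`, while the label-aware rule keeps that host on the proxy and still bypasses `www.dhl.de`.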

It seems good to me.
Could you open a new issue in github?

Done :slight_smile: Wuhuuuu, my first feature request :slight_smile:

Now only the cockpit fix to show these bypass settings in auth mode as well is missing :innocent:

1 Like

IMO, it’s not really a regression: it’s more a change of perspective :slight_smile:
The bypass for authenticated mode is useful only if wpad is working correctly, and wpad is not so reliable.
Also, the authenticated mode is almost unused, and the UI tries to guide the user towards using the transparent mode instead.

Only 0,5% of installations use the authenticated mode, which is why the UI doesn’t care a lot about it.

How do you propose to change it?

Why not always show bypass settings?

We can do it, but we need to rethink the page design a bit and make sure everything is good. Some labels need to be changed too.

@edoardo_spadoni @filippo_carletti @davide_marini what do you think?

Always show bypasses.

1 Like

Changes are ready to be tested:

  • bypass domains are now part of wpad.dat
  • bypass section should be always visible when the proxy is enabled

Would someone give it a try?
To install the package:

yum --enablerepo=nethserver-testing update nethserver-squid

@giacomo

Hi

I may be able to test this on a box this afternoon.

My 2 cents
Andy

1 Like

Thank you, fixed!

1 Like