q16marvin
(Q16marvin)
December 29, 2020, 12:43pm
1
Hi,
I want to bypass some domains so that clients don't use the proxy and go direct…
Via wpad.dat it would be very simple:
```javascript
function FindProxyForURL(url, host)
{
    // Direct access to localhost
    if (isInNet(host, "127.0.0.1", "255.255.255.255"))
        return "DIRECT";
    // Direct access to local hosts
    if (isPlainHostName(host))
        return "DIRECT";
    //bypass
    if( dnsDomainIs(host, "dhl.de") ||
        dnsDomainIs(host,".gr.gc") ||
        dnsDomainIs(host,".hgw.gc") ||
        dnsDomainIs(host,".wit.gc")
    )
        return "DIRECT";
    // eth0:192.168.208.0 green authenticated
    if (isInNet(myIpAddress(), "192.168.208.0", "255.255.255.0"))
        return "PROXY proxy.ant.gc:3128";
    // DEFAULT
    return "PROXY proxy.ant.gc:3128";
}
```
But I don't get how to set it up; it seems bypass settings in wpad.dat will only be set when the proxy is in transparent mode?
q16marvin
(Q16marvin)
December 29, 2020, 5:55pm
2
Ehm… there is my answer… but it seems I'm blind… where the hell should this “Domains without proxy” section be?
dnutan
(Marc)
December 29, 2020, 6:08pm
3
Sorry, don’t have a server with proxy in front of me, but from another post:
dnutan
(Marc)
December 29, 2020, 9:49pm
5
On the old server-manager (port 980), but works with transparent mode…
Bypass using wpad.dat should be working.
Is /var/www/html/wpad.dat content correct?
q16marvin
(Q16marvin)
December 30, 2020, 6:33am
7
I've now created a custom template in /etc/e-smith/templates-custom/var/www/html/wpad.dat called 11domainBypassGC:
```perl
{
    my $status = $squid{'status'} || 'disabled';
    if ($status eq 'disabled') {
        return '';
    }
    $OUT .=<<EOM
  // bypass Domain for gc stuff
  if(
      shExpMatch(url, "*://10.32.66.*") ||
      dnsDomainIs(host,".gr.gc") ||
      dnsDomainIs(host,".nb.gc")
  )
      return "DIRECT";
EOM
}
```
That works for me, but it would be much better to manage these entries from the GUI.
Now I understand, it’s a regression of the cockpit interface I already reported.
You see this:
Simple workaround:
switch to Transparent mode
add bypass
switch back to Authenticated
wpad.dat will contain all bypasses.
q16marvin
(Q16marvin)
December 30, 2020, 10:08am
9
Mhhh, sounds good, but doesn't work…
It will create fwrules, shown in:
```
[root@proxy ~]# db fwrules show
bypass-dst2=bypass-dst
    Description=
    Domains=gr.gc
    status=enabled
bypass-dst3=bypass-dst
    Description=
    Domains=hgw.gc
    status=enabled
```
But I think something is missing in template “60proxyBypass” for “Domains”:
```perl
foreach ($db->get_all_by_prop('type' => 'bypass-dst')) {
    next if ($_->prop('status') eq 'disabled');
    my $h = $_->prop('Host') || next;
    my $address = $fw->getAddress($h);
    $OUT .= " // Bypass destination: ".$_->key.": $h\n";
    if ($h =~ /cidr/) {
        $c = NetAddr::IP->new($address);
        $OUT .= ' if (isInNet(host, "'.$c->addr().'","'.$c->mask().'"))';
        $OUT .= "\n return \"DIRECT\";\n";
    } elsif ($h =~ /host-group/) {
        foreach my $h (split(/,/,$address)) {
            $OUT .= ' if (isInNet(host,"'.$h.'", "255.255.255.255"))';
            $OUT .= "\n return \"DIRECT\";\n";
        }
    } elsif ($h =~ /host/) {
        $OUT .= ' if (isInNet(host,"'.$address.'", "255.255.255.255"))';
        $OUT .= "\n return \"DIRECT\";\n";
    } else {
        next;
    }
    $OUT .= "\n";
}
```
Only source bypasses are supported.
q16marvin
(Q16marvin)
December 30, 2020, 12:31pm
11
with this:
```perl
foreach ($db->get_all_by_prop('type' => 'bypass-dst')) {
    next if ($_->prop('status') eq 'disabled');
    my $h = $_->prop('Host') || $_->prop('Domains') || next;
    my $address = $fw->getAddress($h);
    $OUT .= " // Bypass destination: ".$_->key.": $h\n";
    if ($h =~ /cidr/) {
        $c = NetAddr::IP->new($address);
        $OUT .= ' if (isInNet(host, "'.$c->addr().'","'.$c->mask().'"))';
        $OUT .= "\n return \"DIRECT\";\n";
    } elsif ($h =~ /host-group/) {
        foreach my $h (split(/,/,$address)) {
            $OUT .= ' if (isInNet(host,"'.$h.'", "255.255.255.255"))';
            $OUT .= "\n return \"DIRECT\";\n";
        }
    } elsif ($h =~ /host/) {
        $OUT .= ' if (isInNet(host,"'.$address.'", "255.255.255.255"))';
        $OUT .= "\n return \"DIRECT\";\n";
    } elsif ($_->prop('Domains')) {
        @Domains = split(',', $h);
        foreach my $d(@Domains){
            $OUT .= ' if (dnsDomainIs(host,"'.$d.'"))';
            $OUT .= "\n return \"DIRECT\";\n";
        }
    } else {
        next;
    }
    $OUT .= "\n";
}
```
It also creates entries in wpad like:
```javascript
 // Bypass destination: bypass-dst2: gr.gc
 if (dnsDomainIs(host,"gr.gc"))
 return "DIRECT";
```
That's perfect for me! Can I submit it as a change request anywhere? Maybe others also need it?
2 Likes
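Added example (not part of the thread and not NethServer's code): the rule generated above passes the bare name `gr.gc` to `dnsDomainIs()`, which in Mozilla-derived PAC engines is a plain string-suffix comparison, so an unrelated host such as `notgr.gc` would also be sent DIRECT and skip the proxy. The sketch reimplements that comparison so it runs under Node.js and uses hypothetical helpers (`bypassCondition`, `buildPac`, `evalPac`) to validate each `Domains` entry and emit an exact-or-dotted match instead; the host names tested are constructed.

```javascript
// Suffix comparison as defined by Mozilla-derived PAC engines, reimplemented
// here so the example runs outside a browser.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// Hypothetical helper: one bypass entry -> PAC condition that matches the
// domain itself and its subdomains, but not look-alike suffixes.
function bypassCondition(entry) {
  const d = entry.trim().toLowerCase().replace(/^\./, "");
  // Only plain DNS names may be interpolated into the generated script.
  const label = "[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?";
  if (!new RegExp(`^(?=.{1,253}$)(${label}\\.)*${label}$`).test(d)) {
    throw new Error("invalid bypass domain: " + JSON.stringify(entry));
  }
  return `(host === "${d}" || dnsDomainIs(host, ".${d}"))`;
}

// Build a complete FindProxyForURL from a comma-separated Domains property.
function buildPac(domainsProp, proxy) {
  const rules = domainsProp.split(",").filter(s => s.trim() !== "")
    .map(e => `  if ${bypassCondition(e)}\n    return "DIRECT";`);
  return "function FindProxyForURL(url, host) {\n  host = host.toLowerCase();\n" +
         `${rules.join("\n")}\n  return "PROXY ${proxy}";\n}`;
}

// Evaluate PAC source for one host; dnsDomainIs is injected as a parameter.
function evalPac(pacSource, host) {
  const find = new Function("dnsDomainIs",
    pacSource + "\nreturn FindProxyForURL;")(dnsDomainIs);
  return find("http://" + host + "/", host);
}

// The rule as emitted in the thread, wrapped in a minimal PAC function.
const naive = "function FindProxyForURL(url, host) {\n" +
  '  if (dnsDomainIs(host,"gr.gc"))\n    return "DIRECT";\n' +
  '  return "PROXY proxy.ant.gc:3128";\n}';
// The same bypass list rendered with exact-or-dotted matching.
const strict = buildPac("gr.gc,hgw.gc", "proxy.ant.gc:3128");

// Constructed host names: the domain, a subdomain, and a look-alike suffix.
for (const h of ["gr.gc", "www.gr.gc", "notgr.gc"]) {
  console.log(h.padEnd(10), "naive:", evalPac(naive, h),
              "| strict:", evalPac(strict, h));
}
```

Writing the entry with a leading dot (`.gr.gc`), as in the hand-written wpad.dat at the top of the thread, avoids the look-alike match but then no longer covers the bare host `gr.gc`.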
It seems good to me.
Could you open a new issue in GitHub?
q16marvin
(Q16marvin)
December 30, 2020, 1:27pm
13
Done, wuhuuuu, my first feature request.
Now only the Cockpit fix to show these bypass settings in auth mode as well is missing.
1 Like
giacomo
(Giacomo Sanchietti)
January 4, 2021, 8:28am
14
IMO, it’s not really a regression: it’s more a change of perspective.
The bypass for authenticated mode is useful only if wpad is working correctly, and wpad is not so reliable.
Also, the authenticated mode is almost unused, and the UI tries to guide the user towards using the transparent mode instead.
Only 0,5% of installations use the authenticated mode; this is why the UI doesn’t care a lot about it.
How do you propose to change it?
q16marvin
(Q16marvin)
January 4, 2021, 10:38am
15
Why not always show bypass settings?
giacomo
(Giacomo Sanchietti)
January 4, 2021, 11:03am
16
We can do it, but we need to rethink a bit the page design and make sure everything is good. Some labels need to be changed too.
@edoardo_spadoni @filippo_carletti @davide_marini what do you think?
giacomo
(Giacomo Sanchietti)
January 5, 2021, 9:13am
18
Changes are ready to be tested:
bypass domains are now part of wpad.dat
bypass section should be always visible when the proxy is enabled
Would someone give it a try?
To install the package:
```
yum --enablerepo=nethserver-testing update nethserver-squid
```
@giacomo
Hi
I may be able this afternoon to test this on a box.
My 2 cents
Andy
1 Like