Nethserver squid customization

Or tell me where you can specify the IP or sites that squid should bypass ???

Have a look at Proxy, there you can define firewall objects or domains to bypass.

You can choose a source or a destination.

now I have authorization and I need to use it, and you mean to set up the source and destination? It’s a little unclear how to do this …

No, these are to independent things.

  • You can setup a destination, what is reachable from your clients without using the proxy
  • You can setup a source (address of one of your clients) which always bypass the proxy.

That is, I indicate in the source the address of the server to which you need access without a proxy and that’s it? But for example I have a virtual server to which I can access by IP, how can I specify it correctly?

Perhaps @Andy_Wismer has an idea.



Call heard… :slight_smile:

Try this:

Safe Ports

These Ports are for SSL enabled devices / ports… AFAIK, they also enable without ssl…
Add them in the (already extended) line and exand the template with the command shown…

config setprop squid SafePorts 443,8008,8443,8080,5001,5000
signal-event nethserver-squid-save

To Exclude Sites:

config setprop squid NoCache,
signal-event nethserver-squid-save

Reverse Proxy

There’s also the option of using a reverse Proxy. If your NethServer has LetsEncrypt SSLs, this would give you the option of the virtual server being SSL protected with https, all done by the NethServer. The virtual Server does not need any config for this!

This does need a legit DNS fqdn entry in both Internal and External DNS to work, besides the LE entry.

My 2 cents

1 Like

Thank you very much! It helped and it brought a good result!

Sorry I didn’t understand a little what you mean. Can you describe in more detail?



Let’s take as an example you have two websites you’ld like to host internally, and would be hosted on your NethServer, would be on another internal server, with internal IP

Both and would point to your external IP. That would work for the “outside world” or Internet. But for your internal machines, you’ld need a DNS entry, eg on your NethServer for both domains, but pointing to the Internal IP of the NethServer and other Server.

Hope this helps.

As for the main question, you can help others with the same / similiar issue by marking this as solved, see here:

My 2 cents

here is a new problem. configured in the squid filter, some users handle well and some are not at all denied access! Tell me why?



My cyrillic is non-existant and so is my russian.
If you could provide an english screenshot, that would help…

My 2 cents



How does the config look like?
Anything special about the PCs having problems? (eg win update…)

# ================= DO NOT MODIFY THIS FILE =================
# Manual changes will be lost when this file is regenerated.
# Please read the developer's guide, which is available
# at NethServer official site:

# Uncomment this to enable debug
#debug_options ALL,1 33,2 28,9

# Sites not cached
acl no_cache dstdomain "/etc/squid/acls/no_cache.acl"
no_cache deny no_cache

# Allow access from green and trusted networks.
acl localnet src
acl localnet_dst src

# Safe ports
acl SSL_ports port 443
acl SSL_ports port 980          # httpd-admin (server-manager)
acl SSL_ports port 9090         # Cockpit Web UI
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 980         # httpd-admin (server-manager)

# 20acl_00_portscustom
acl Safe_ports port 443
acl SSL_ports port 443
acl Safe_ports port 8008
acl SSL_ports port 8008
acl Safe_ports port 8443
acl SSL_ports port 8443
acl Safe_ports port 8080
acl SSL_ports port 8080
acl Safe_ports port 5001
acl SSL_ports port 5001
acl Safe_ports port 5000
acl SSL_ports port 5000
acl Safe_ports port 8006
acl SSL_ports port 8006
acl Safe_ports port 9090
acl SSL_ports port 9090
acl Safe_ports port 980
acl SSL_ports port 980

# Authentication required

# GSSAPI auth in ADS mode
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth -i
auth_param negotiate children 10
auth_param negotiate keep_alive on

# BASIC PAM auth (fallback)
auth_param basic program  /usr/lib64/squid/basic_pam_auth
auth_param basic children 5
auth_param basic realm
auth_param basic credentialsttl 1 hours
auth_param basic casesensitive on
acl authenticated proxy_auth REQUIRED

# exclude localhost from logging
# these lines have to go before any logging acl
access_log none to_localhost
# 20acl_95_localnet_log
# Make sure logs go to access.log
# Put custom logging config above this section
access_log daemon:/var/log/squid/access.log squid localnet

# Allow access from localhost
http_access allow localhost

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Skip URL rewriter for local addresses
acl self dst
acl self_port port 80
acl self_port port 443
url_rewrite_access deny self localnet  self_port

# Authentication required on green and trusted networks
http_access allow localnet authenticated

# And finally deny all other access to this proxy
http_access deny all

cache_mem 256 MB

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
refresh_pattern ([^.]+.|)(download|(windows|)update|).(microsoft.|)com/.*\.(cab|exe|msi|msp) 4320 100% 43200 reload-into-ims

# Always enable manual proxy
http_port 3128

acl https_proto proto https
always_direct allow https_proto
ssl_bump none localhost
sslproxy_options NO_SSLv2,NO_SSLv3,No_Compression
sslproxy_cipher ALL:!SSLv2:!ADH:!DSS:!MD5:!EXP:!DES:!PSK:!SRP:!RC4:!IDEA:!SEED:!aNULL:!eNULL
# TLS/SSL bumping definitions
acl tls_s1_connect at_step SslBump1
acl tls_s2_client_hello at_step SslBump2
acl tls_s3_server_hello at_step SslBump3
# TLS/SSL bumping steps
ssl_bump peek tls_s1_connect all
ssl_bump splice all
# peek at TLS/SSL connect data
# splice: no active bumping

# 45marks

# Enable squidGuard
url_rewrite_program /usr/sbin/ufdbgclient -l /var/log/squid
url_rewrite_children 20 startup=5 idle=5 concurrency=0
url_rewrite_extras "%>a/%>A %un %>rm bump_mode=%ssl::bump_mode sni=\"%ssl::>sni\" referer=\"%{Referer}>h\""

# 90options
forward_max_tries 25
shutdown_lifetime 1 seconds
buffered_logs on
max_filedesc 16384
logfile_rotate 0

Looks OK, as far as I can see…

The computer is fine!

I got the impression that the filters are working but somehow not correct
Namely, I created three filters and specified different rules for each AD group. But everyone who belongs to one of the groups behaves differently !!! I remind you that the filters are applied to users, and not to specific computers

For example, in the filter, I set up to block the selected categories (all available) when adding a user to the AD group which is involved in this filter - nothing happens !!