Author Topic: [SOLVED] Web site bypass in transparent proxy  (Read 3670 times)

Maekar

[SOLVED] Web site bypass in transparent proxy
« on: February 19, 2014, 12:43:24 pm »
Hi, I need to add an exception to the transparent proxy in Zentyal 3.3.4. The problem is that I need to do it for a public IP, and Zentyal only accepts domain names. How can I do it? Thanks in advance.
« Last Edit: February 24, 2014, 10:34:02 am by Maekar »

christian

Re: Web site bypass in transparent proxy
« Reply #1 on: February 19, 2014, 12:50:35 pm »
Do you mean to say that users are accessing this site by typing the IP in the URL?

Maekar

Re: Web site bypass in transparent proxy
« Reply #2 on: February 19, 2014, 01:05:41 pm »
Hi, it's software that needs to communicate with an external server, so there is no domain name. Previously, I used ClearOS and I solved the problem with this: http://www.clearcenter.com/support/documentation/user_guide/web_proxy#web_site_bypass


Maekar

Re: Web site bypass in transparent proxy
« Reply #3 on: February 20, 2014, 09:57:29 am »
Maybe the solution is something like this? http://doc.zentyal.org/en/appendix-c.html#hooks

I want all traffic to a certain destination IP not to pass through the proxy, but I don't know how to do it.

Thanks in advance.

christian

Re: Web site bypass in transparent proxy
« Reply #4 on: February 20, 2014, 10:15:03 am »
This might be off-topic (and community members might be tired of my steady comments about this), but if you were using an explicit proxy and WPAD, such behaviour would be easily handled, because you can define a "no proxy for" rule in your proxy.pac, and then it is only a matter of authorizing this specific flow through your firewall.

This aside, I can't really help with the tweak. I'm afraid (sure) that this is more a matter of iptables than of the proxy  ;)

mch

Re: Web site bypass in transparent proxy
« Reply #5 on: February 20, 2014, 10:18:54 am »
Just an idea, I didn't try it:
Go to your DNS and assign that IP a domain name. Then, use that domain name in the settings.

Might not work because: the bypass may only check domain names before DNS resolution.
Possible solution for that: maybe you can set your software to use that domain name.

christian

Re: Web site bypass in transparent proxy
« Reply #6 on: February 20, 2014, 10:21:03 am »
BTW, I had this same idea, but from what I understand it doesn't work, because what you set client side is an IP, not an FQDN  :(

Maekar

Re: Web site bypass in transparent proxy
« Reply #7 on: February 20, 2014, 11:26:15 am »
Thanks for the help, I've tried the DNS method but it doesn't work. Also, I can't touch the software because it's commercial software, not mine.

The only solution is with iptables, in the same way that Zentyal does it in the exceptions section, but with an IP instead of a domain name.

If anybody knows what the rule is, and where I have to put it, I'll appreciate any help.

christian

Re: Web site bypass in transparent proxy
« Reply #8 on: February 20, 2014, 11:38:28 am »
Not very clever help, but you can perhaps just add some exception using the Zentyal GUI, then look at iptables to see where and how it's implemented.

Maekar

Re: Web site bypass in transparent proxy
« Reply #9 on: February 20, 2014, 12:57:08 pm »
Thanks, christian, I've configured some exceptions in the Zentyal GUI but I can't find them in iptables. Maybe I'm doing something wrong.

Maekar

Re: Web site bypass in transparent proxy
« Reply #10 on: February 21, 2014, 04:01:42 pm »
Any clue, guys?

christian

Re: Web site bypass in transparent proxy
« Reply #11 on: February 23, 2014, 08:35:41 pm »
I don't currently have any 3.x platform running to help you efficiently.
Did you look at the "nat" table? (iptables -t nat -L)
Transparent proxy bypass is handled this way.
You will find more information here.

Maekar

Re: Web site bypass in transparent proxy
« Reply #12 on: February 24, 2014, 08:39:17 am »
Thanks, christian, now I can see the exceptions that I add in the Zentyal GUI. For example, if I add the domain aeiou.pt, this line is added as the first line of iptables -t nat -L:

ACCEPT     tcp  --  anywhere             195.170.168.62       tcp dpt:http

How can I add manually an IP to that nat table?

P.S.: I read your link but I dare not do anything blindly because the firewall is in production.

christian

Re: Web site bypass in transparent proxy
« Reply #13 on: February 24, 2014, 09:03:43 am »
What you show is not enough to tell you where to add this rule. I suppose the rule you show is part of some "Chain" that must be shown in order to understand it.

Anyway, if you also think about this twice:
- you added a domain in the GUI and got an IP-based rule in iptables
- you want to add a bypass for some specific IP

Assuming Zentyal is also your primary DNS, let's try this dirty workaround:
- in the DNS section, create a new domain. Let's call it "bypass.my"
- assign your application IP to this domain
- add an exception in the HTTP proxy for this domain. It should be resolved using your own DNS entry (I hope)
- check iptables to ensure you get the right rule and try to access your application.

I guess this should work and, as the bypass.my domain doesn't exist, having it in your own DNS doesn't hurt.

Once done, you will have more time to think about explicit proxy implementation  ;)
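A check for the last step christian describes, added here as an example and not code from the thread or from Zentyal: it reads a saved nat-table listing and reports whether the ACCEPT exception for a destination IP comes before the REDIRECT that captures port 80 (netfilter stops at the first matching terminal target, so an exception placed after the REDIRECT does nothing), and it builds the equivalent manual rule. The chain name PREROUTING, the redirect port 3128 and the sample listing are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zentyal.
# Given the output of `iptables -t nat -L <chain> -n` and a destination IP,
# tell whether an ACCEPT rule for that IP sits before the REDIRECT rule that
# sends port-80 traffic to the proxy. The chain name and the listing below
# are constructed for the demonstration.

# Constructed sample of `iptables -t nat -L PREROUTING -n` after a working bypass.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            195.170.168.62       tcp dpt:80
REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128'

# Usage: bypass_precedes_redirect "$listing" <ip>
# Exit status 0 when an ACCEPT rule with <ip> as destination comes before the
# first REDIRECT rule; 1 when the REDIRECT comes first or no ACCEPT exists.
# Works with and without -n: the destination is always the fifth column.
bypass_precedes_redirect() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $1 == "ACCEPT"   && $5 == ip { found = 1 }
        $1 == "REDIRECT" && !found   { exit 1 }
        END { exit found ? 0 : 1 }
    '
}

# Usage: build_bypass_rule <chain> <ip>
# Prints the command that would insert such an exception at the top of <chain>.
# The chain Zentyal uses for its redirect is not given in the thread, so it is
# a parameter here; rules inserted by hand are not managed by Zentyal's GUI.
build_bypass_rule() {
    printf 'iptables -t nat -I %s 1 -p tcp -d %s --dport 80 -j ACCEPT\n' "$1" "$2"
}

# Stand-alone run on the constructed sample.
if bypass_precedes_redirect "$SAMPLE_LISTING" 195.170.168.62; then
    echo "195.170.168.62 is accepted before the REDIRECT: bypass is effective"
fi
build_bypass_rule PREROUTING 192.0.2.10
```

On a live box, feed it the real listing with `bypass_precedes_redirect "$(iptables -t nat -L PREROUTING -n)" <ip>`; it only reads the output, it changes nothing.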

Maekar

Re: Web site bypass in transparent proxy
« Reply #14 on: February 24, 2014, 10:33:51 am »
Many, many thanks, christian, I didn't think I would get it working, but thanks to your help it now works. The DNS way is dirty but I prefer it to editing files manually; I'm really a noob (that's the reason we use Zentyal). I will set up an explicit proxy in the next production shutdown period. Again, thanks a lot.