Author Topic: [FIXED] Bypass Transparent Proxy for selected destinations  (Read 3943 times)

muppetgeoff

Hi,

I have found that I cannot access the WebUI if my eBox transparent proxy is down. I also have an issue, where I need to bypass the proxy for access to certain sites (IP addresses).

Normally I would do this with iptables, setting a rule to *not* redirect port 80 to the transparent proxy if the destination is xxx.xxx.xxx.xxx

How can I do this in eBox?

Basically, we have our mail server on a public IP, located in our building. It is technically an Internet host (so needs to be on the public side of the eBox) but it is connected via 1 Gbps to the eBox. Our users use webmail to access the email server, and all that traffic is bogging down the proxy, when there is no need.

It also means that if Squid dies (which it is doing more often than I would like) our users complain, because their webmail dies.

To clarify - I want to bypass the transparent proxy when an internal host connects to an IP address that is on the SAME subnet as the eBox 'WAN' interface.

Many thanks in advance,

Geoff
« Last Edit: May 06, 2010, 12:40:12 am by muppetgeoff »

christian

Re: Bypass Transparent Proxy for selected destinations
« Reply #1 on: May 05, 2010, 10:34:38 pm »
Is transparent proxy mode mandatory?
I'm asking because the obvious solution would be to configure the proxy client-side and also configure "no proxy for... your LAN".

Second point, can't you also configure webmail to be available on both the internal and external interfaces?
I mean "it is" available. Your problem, from what I understand, is more a matter of DNS, so that from the Internet your.domain/webmail points to the external interface while the same request from your LAN reaches the internal interface. It's not a matter of transparent or not proxy, is it?

sixstone

Re: Bypass Transparent Proxy for selected destinations
« Reply #2 on: May 05, 2010, 10:37:04 pm »
Hi Geoff,

Any custom NAT configuration must be done using firewall hooks. You may put your custom iptables rules in /etc/ebox/hooks (there is an example there) and insert them into the desired chain of the nat table; eBox will not touch them.

Don't forget to use the -I option in your iptables command to insert your rule before the ones set by eBox.

Best regards,
My secret is my silence...

muppetgeoff

Re: Bypass Transparent Proxy for selected destinations
« Reply #3 on: May 05, 2010, 11:26:01 pm »
Thanks for your help Sixstone. I'll update after I test.

Christian, thank you also, but I think you misunderstood :)

Quote
Is transparent proxy mode mandatory?
I'm asking because the obvious solution would be to configure the proxy client-side and also configure "no proxy for... your LAN".

Indeed it is not mandatory - but we have 100+ clients, and no AD (yet - I am new, and have implemented one), so setting the client proxy in IE etc. cannot be done without a visit to every PC. Transparent proxy is the way to go.

Quote
Second point, can't you also configure webmail to be available on both the internal and external interfaces?

The mail server doesn't have an 'internal' interface; it's a public server, off-network. Our users have gotten into the habit of using the FQDN of the mail server to access webmail. That resolves to the external IP of the mail server (*NOT* running on eBox), and so they route, proxy, filter etc. every transaction with the webmail. Again, just removing the redirect for traffic to that IP is the single-point fix - and easier than re-educating 100+ users.

Quote
It's not a matter of transparent or not proxy, is it?

That's a matter of opinion ;)

Kind regards,

Geoff


muppetgeoff

Re: [FIXED] Bypass Transparent Proxy for selected destinations
« Reply #4 on: May 06, 2010, 12:43:27 am »
Perfect :)

I added:

Quote
iptables -t nat -I PREROUTING ! -i eth0 -p tcp -m tcp --dport 80 -d x.x.x.x/24 -j ACCEPT   # "! -i eth0": any ingress interface except the WAN; "-i ! eth0" is the older, deprecated spelling

to '/etc/ebox/hooks/firewall.postservice' - and it worked a treat :) I have a total of 6 interfaces on my eBox, with the WAN being eth0, so the rule above only applies if the source interface is *not* eth0. Saves me doing one per interface :)

Also, this helped me with the iTunes problem that I was having (http://forum.ebox-platform.com/index.php?topic=3559.msg15319), so thank you!

Keep up the great work :)

Geoff
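The following hook script is an added example, not eBox's own firewall.postservice and not code posted in this thread. It packages sixstone's advice (custom rules go in a hook, inserted with -I ahead of eBox's own) together with Geoff's rule: it inserts the bypass only once, uses the current `! -i` spelling, and checks that the ACCEPT really sits in front of Squid's REDIRECT, because iptables stops at the first matching rule and a bypass inserted after the redirect never fires. Traffic that matches the bypass skips the proxy's filtering entirely, so the destination should be as narrow as possible; the thread used a /24, a single host (/32) is tighter. `WAN_IF`, `BYPASS_NET`, the subnet 198.51.100.0/24 and the `install`/`check` arguments are assumptions of this example (the thread's values were eth0 and x.x.x.x/24), and `iptables -C` was added to iptables after this thread's date, so on an eBox of that era the plain -I line is the fallback.

```shell
#!/bin/sh
# Added example hook, not eBox's own code. WAN_IF and BYPASS_NET are placeholders:
# the thread used eth0 and x.x.x.x/24; 198.51.100.0/24 here is a constructed value.
WAN_IF="eth0"
BYPASS_NET="198.51.100.0/24"   # a single host (/32) is the tighter choice

# The bypass rule in current iptables syntax: "!" goes before the option it
# negates ("! -i eth0"); the older "-i ! eth0" spelling from the thread is deprecated.
bypass_rule() {
    printf '%s\n' "iptables -t nat -I PREROUTING 1 ! -i $WAN_IF -p tcp -m tcp --dport 80 -d $BYPASS_NET -j ACCEPT"
}

# Insert the rule at position 1 of nat/PREROUTING only if it is not already there.
# "iptables -C" exits non-zero when the rule is absent; it did not exist in the
# 2010-era iptables, where the plain -I line (the thread's approach) is all you have.
install_bypass() {
    iptables -t nat -C PREROUTING ! -i "$WAN_IF" -p tcp -m tcp --dport 80 -d "$BYPASS_NET" -j ACCEPT 2>/dev/null \
        || iptables -t nat -I PREROUTING 1 ! -i "$WAN_IF" -p tcp -m tcp --dport 80 -d "$BYPASS_NET" -j ACCEPT
}

# Ordering check over "iptables -t nat -S PREROUTING" output read from stdin:
# the ACCEPT for BYPASS_NET must precede every REDIRECT, otherwise the redirect
# matches first and the traffic still goes to Squid. Exit status 0 = ordered correctly.
check_order() {
    awk -v net="$BYPASS_NET" '
        /-j REDIRECT/ && !seen_bypass { bad = 1 }
        index($0, "-d " net) && /-j ACCEPT/ { seen_bypass = 1 }
        END { if (bad) exit 1; exit 0 }
    '
}

case "${1:-}" in
    install) install_bypass ;;     # call this from /etc/ebox/hooks/firewall.postservice
    check)   iptables -t nat -S PREROUTING | check_order && echo "bypass rule precedes REDIRECT" ;;
    *)       bypass_rule ;;        # no argument: just show the rule that would be inserted
esac
```

Run it with `install` from the hook so the rule is re-added after every eBox firewall reload, and with `check` afterwards to confirm the ACCEPT still sits above the REDIRECT; without an argument it only prints the rule.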