[vox-tech] Need to bypass Squid proxy

Micah J. Cowan micah at cowan.name
Thu Jan 26 14:14:01 PST 2006


On Thu, Jan 26, 2006 at 01:38:54PM -0800, Ehrhart, Jay wrote:
> I don't think I made what I want to accomplish clear.
> 
> I am at a county office of Education.  By law all web traffic to the
> real Internet must be filtered.  I have a Red Hat Linux server running
> N2H2 web filtering.  It is a transparent proxy.  All traffic goes
> through the proxy filter and there is no way around it.
> 
> I have an internal web server that is only for the schools and is not
> publicly accessible.  The proxy server does its job and sends the
> traffic out where it dies on the outside of my publicly facing firewall.
> I want to bypass the proxy with squid or iptables so that the private
> sites can reach the private web site.

I realize this. The message you're responding to was
something of a tangent.

So, it is a transparent proxy, and editing your Connection Settings
won't work. Any changes made must be done at the proxy server, or at a
routing level.

First off: as things currently stand, does traffic directed at the
private web server actually get there (though redirected from the proxy
server)? If not, then you need to make sure that the proxy knows how to
direct traffic there.

Now, if things are getting to the private web server, but always show
the IP address from the proxy server, there are a couple of options. The
easiest, if you are able to make the appropriate adjustments at the web
server, is to comprehend and correctly interpret the HTTP
X-Forwarded-From (non-standard) header that your proxy should be
emitting.

Another option is to configure the proxy server to directly forward
IP packets to the internal web server, virtually unchanged (that is,
with the original source IP address intact). If you're not using Linux,
I can't help you there (it may not be possible).

But your best option would be to ensure that the routing tables of the
machines on your network don't direct intranetwork traffic through the
proxy. If you're using DHCP, then it's the DHCP server you need to
configure for this.

HTH,
Micah
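The first option Micah describes, having the internal web server recover the original client address from the proxy-supplied header, has one security-relevant catch: the header (conventionally named X-Forwarded-For; the RFC 7239 equivalent is Forwarded) is plain request data, so any client can set it. A server must only honour it when the TCP peer is the trusted proxy, and must walk the comma-separated hop list from the right so that a client-supplied prefix is ignored. The following is an added illustration, not code from the thread or from N2H2 or Squid; the proxy address 10.0.0.5 and the header values are constructed.

```python
import ipaddress

# Constructed assumption: the transparent filter/proxy host as seen by the
# internal web server. Any address outside this list is treated as a client.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr belongs to one of the proxies we allow to set X-Forwarded-For."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, headers: dict) -> str:
    """Return the address to log and authorize for a request.

    peer_addr: the TCP peer the web server actually accepted from (the proxy,
               when the request was proxied).
    headers:   request headers; lookup is case-insensitive.

    X-Forwarded-For is honoured only when the peer is a trusted proxy; otherwise
    a client could forge an internal address simply by sending the header.
    """
    if not is_trusted_proxy(peer_addr):
        return peer_addr

    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), None)
    if not xff:
        return peer_addr

    # The header reads "client, proxy1, proxy2": each proxy appends the peer it
    # saw. Walk from the right, skipping our own trusted proxies; the first
    # address that is not one of them is the client as reported by a proxy we
    # trust. Anything further left was supplied by untrusted parties.
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed header: fall back to the TCP peer
        if not is_trusted_proxy(str(ip)):
            return str(ip)
    return peer_addr


if __name__ == "__main__":
    # Constructed sample requests as the internal server would see them.
    print(client_ip("10.0.0.5", {"X-Forwarded-For": "192.168.20.14"}))
    print(client_ip("192.168.20.14", {"X-Forwarded-For": "10.0.0.1"}))
```

The second sample shows the point of the trust check: a host talking to the server directly cannot impersonate another address by supplying the header, because its own peer address is used instead. In a deployment, the same list of trusted proxies is what the web server's log format and any address-based access rules should key on.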
