Best way to bypass Squid for certain sites?

Question

We have a Squid transparent proxy running, it's great, awesome dare I say. The problem is when some very random sites seem to hate squid. Cox.com is one in particular. Right now we just set an IPtables rule to forward requests to that IP, and not send it to the squid cache.

It would be awesome to have an ACL of "bad" sites that we can setup in squid so that if a client asks for one of these sites, it lets them access it directly, avoiding the squid proxy altogether. Is that possible? Or is iptables the best solution?

score 6 · Answer 1 · answered Jan 22 '13 at 17:35

I don't think always_direct configuration directive would be the appropriate choice - it simply specifies to not contact parent or peer caches, does not affect whether the web site itself will be cached.

Take a look at the Squid FAQ: How do I configure Squid not to cache a specific server?, regarding the cache directive and ACLs

score 4 · Accepted Answer · answered Jul 22 '10 at 18:18

If you want to AVOID completely squid, adding exceptions to the transparent proxy iptables redirect rule is way.

You can, however, create an acl in squid for the always_direct directive. From the squid docs:

acl local-servers dstdomain my.domain.net
always_direct allow local-servers

It doesn't work in all cases, sometimes just avoiding the proxy completely will do.

EDIT: If you use something like shorewall you can create lists that make the exception for the redirect rule easier to manage, but it may be too overkill.

Thanks, I guess this works just fine. We shouldn't be bypassing it for too many sites anyways. — Jason Taylor, Jul 26 '10 at 13:35

score 1 · Answer 3 · answered Mar 17 '17 at 10:49

Use "cache" TAG in squid.conf

/etc/squid/acl-dstdomain-localnetsites.cfg

# Squid ACL : localnetsites
# ACL type  : dstdomain
# ACL info  : List of destination sites in local network (Corp.sites in internal networks)
#
.sub.local1.com
.sub2.local2.com
.local3.com

/etc/squid/squid.conf

...
### ACL for all local sites
#
acl localnetsites       dstdomain "/etc/squid/acl-dstdomain-localnetsites.cfg"
...
### Access rule - Never cache local sites
#
cache deny localnetsites

score 0 · Answer 4 · answered Jul 22 '10 at 18:48

At work we use lots of different proxys, regarding the flow (what application) involved and your location.

Instead of doing per-proxy configuration, it's the user's web browser that do all the job to find the correct proxy, through the help of an automatic proxy configuration script.

It works quite well, however you may be forced to review your transparent redirection to achieve it.

Best way to bypass Squid for certain sites?

4 Answers4