I have a Squid proxy set up on my home network and I can't seem to set it up to allow Apple App Store traffic to pass through.

I am running Diladele Web Security on top of Squid 3.3.8.

I have added HTTPS domain exceptions to not filter *.apple.com and have also added *.apple.com as an excluded domain under the Squid exclusions (via DiladeleServer:80/config/squid/).

I still see the traffic in the logs every time I load the App Store, so it seems Squid is misconfigured.

drunknbass
  • Exactly what is the problem? Also show your log entries demonstrating the problem. – Michael Hampton Jan 01 '14 at 18:35
  • The problem is app installs fail behind the proxy. Everything else seems to work. I suspect the App Store is doing pinning etc., so I'd like to completely exclude *.apple.com traffic from Squid. Adding the exclusions in the places I mentioned doesn't seem to be enough. – drunknbass Jan 01 '14 at 18:50
  • I'm using Squid proxy 3.1.10, and the App Store works fine. The issue might be with the web security you are using. – MohyedeenN Jan 01 '14 at 19:37

1 Answer

There are three possible options for bypassing web filtering with the current qlproxy 3:

  1. Do not pass HTTP/HTTPS traffic for the domain to the qlproxy ICAP server at all, and thus totally bypass web filtering, using ACL lists in Squid. Add the exclusion in Settings / Squid / Excluded Domains.
  2. Do not do HTTPS decryption for traffic going to the domain, and thus bypass web filtering to some extent (only the domain name is filtered when the client does HTTPS CONNECT tunneling through the proxy). Add the domain exclusion in Squid -> HTTPS filtering -> Exclusions.
  3. Perform full filtering but add an exclusion for the domain in your filtering policies. Add the domain to Policies -> Exclusions.

I suspect the error occurs because you might be doing HTTPS bumping of the traffic, and yes, certificate pinning might also be in place (as for the Twitter client on iPhone, for example). In this case add .apple.com to Settings / HTTPS Filtering / Excluded Domains in the Web UI of Diladele Web Safety and hit Save and Restart. You need to restart Squid too.

Please note you need to add .apple.com, not *.apple.com, to the exclusion list, as qlproxy for now does an exact comparison of the domain names, not a regex-style search.

Rafael
  • We added an explicit warning in qlproxy version 3.1 - now wildcard characters are not allowed to be entered from the Web UI, so users will not be able to hit this bug any more :) – Rafael Jan 06 '14 at 10:11
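What options 1 and 2 from the answer look like when expressed directly in squid.conf, as an added example that is not part of the original question or answer and is not Diladele's shipped configuration. The ACL name `apple_nobump`, the ICAP service names `qlproxy_req`/`qlproxy_resp` and the ICAP URLs (port 1344 with `/reqmod` and `/respmod` paths) are assumptions; match them to the `icap_service` lines already present in your own squid.conf. The `ssl_bump none` action is the Squid 3.3 spelling that the asker's version uses (Squid 3.5 and later call the same thing `splice`).

```conf
# Constructed example for Squid 3.3.x, not the project's shipped squid.conf.
# A leading dot in dstdomain means "this domain and every subdomain",
# so .apple.com covers apple.com, itunes.apple.com, ... without any wildcard.
# (qlproxy's own exclusion lists compare hostnames literally, which is why
#  a "*.apple.com" entry there never matches anything.)
acl apple_nobump dstdomain .apple.com

# Option 2: leave the TLS session alone for these hosts.  ssl_bump rules are
# evaluated first-match, so the "none" rule must precede the catch-all.
# Only the CONNECT hostname is visible to Squid for these tunnels.
ssl_bump none apple_nobump
ssl_bump server-first all

# Option 1: keep these requests and responses away from the qlproxy ICAP
# service entirely.  Service names/URLs below are assumptions; reuse the
# ones your installation already defines.
icap_enable on
icap_service qlproxy_req  reqmod_precache  icap://127.0.0.1:1344/reqmod  bypass=0
icap_service qlproxy_resp respmod_precache icap://127.0.0.1:1344/respmod bypass=0

# Deny rules first (first match wins), then the normal allow-all.
adaptation_access qlproxy_req  deny  apple_nobump
adaptation_access qlproxy_resp deny  apple_nobump
adaptation_access qlproxy_req  allow all
adaptation_access qlproxy_resp allow all
```

Check the file with `squid -k parse` before applying it with `squid -k reconfigure` (or a full restart, as the answer says). After the change, a CONNECT to an `.apple.com` host should appear in access.log as a plain tunnel rather than as bumped GET/POST requests, and the same request should no longer show up in the qlproxy (ICAP) logs at all; if it still does, the ACL name used in the `adaptation_access deny` lines is not the one the ICAP services are actually bound to.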