
Add an option to exclude addresses from transparent web proxying
Closed, Resolved (Public)

Description

Add command webproxy proxy-bypass-source to bypass proxy based on source IP address.

This is useful for disabling the (e.g. transparent) proxy only for specific devices. (I am using it to make Netflix work again by disabling the IP address of my Fire TV where Netflix runs.)

(If you are able to read German, I wrote a blog post about this. Now I would like to integrate this into vyos.)

Details

Commits: Restricted Diffusion Commit
Difficulty level: Unknown (require assessment)
Version: 1.2.0
Why the issue appeared?: Will be filled on close

Event Timeline

dsteinkopf created this object in space S1 VyOS Public.
dsteinkopf changed Version from 1.1.8 to 1.2.0. Nov 30 2018, 10:52 AM

That change should be safe to merge because it just adds a command and doesn't change anything else. So no one will be using this at the moment and so it won't have any impact. So I'd be happy to see it in 1.2.0.

runar added a commit: Restricted Diffusion Commit. Nov 30 2018, 11:18 AM
syncer triaged this task as Normal priority. Nov 30 2018, 4:32 PM
syncer added a project: VyOS 1.3 Equuleus.
syncer added subscribers: dmbaturin, syncer.

@dmbaturin you want to look into this

c-po added a subscriber: c-po. Edited Dec 1 2018, 2:56 AM

I really like the idea and thank you for the contribution.

Can we maybe rename the command from webproxy proxy-bypass-source to webproxy whitelist source-address instead? The word proxy is redundant and by introducing a whitelist node we can add other options here in the future, too.

Thank you for your positive feedback. I am open to all changes.
We can rename the command, of course. But let us think about this shortly:

  1. My proposal webproxy proxy-bypass-source is "derived" from the existing webproxy proxy-bypass because it is very similar. (BTW, in fact, I have no idea about vyatta/vyos programming and have just copied and changed the existing command.) Shouldn't we also move this existing command to the new node (i.e. webproxy whitelist destination-address)? What to do about backward compatibility then? Is there an easy way of auto-upgrading existing commands from webproxy proxy-bypass 1.2.3.4/24 to webproxy whitelist destination-address 1.2.3.4/24?
  2. Second, in my eyes, the word "whitelist" is not as good as "bypass" in this context. But that is only my opinion and I am not fixed there.

c-po added a comment. Dec 1 2018, 4:34 AM

@dsteinkopf I think almost every command is good when there is a discussion ongoing and we can agree on something. VyOS has so-called migration scripts which are executed once we do CLI changes and thus migrate old configuration nodes to new ones. We already make use of this feature a lot and it is transparent to the user.

Ok. Fine. Can you give me a hint about docu and an example of such a migration script? So I'll try to implement one for this case: Migrate from webproxy proxy-bypass 1.2.3.4/24 to webproxy whitelist destination-address 1.2.3.4/24

c-po added a comment. Dec 1 2018, 7:42 AM

First you need to specify a new version of your subtree,
https://github.com/vyos/vyatta-cfg-system/commit/f68dda9d619ea74bed266122ac86604284e1a9e4

Then the migration script is at:
https://github.com/vyos/vyos-1x/blob/current/src/migration-scripts/l2tp/0-to-1

This one was done for altering the l2tp radius configurations
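
An added sketch of the rename discussed above (not code from this task, its commits, or VyOS): it rewrites old bypass commands to the proposed whitelist node, covering the source variant as well as the destination one asked about. Real VyOS migration scripts, like the linked l2tp one, work on the parsed configuration rather than on text; the `set` command form, the `service` prefix and the sample addresses here are assumptions.

```python
import ipaddress
import re

# Old node -> child of the proposed "whitelist" node (names from the thread).
RENAMES = {"proxy-bypass": "destination-address",
           "proxy-bypass-source": "source-address"}
# Assumption: commands are in "set ..." form; any path before "webproxy" is kept.
OLD = re.compile(r"^(set\s+(?:\S+\s+)*?webproxy)\s+"
                 r"(proxy-bypass(?:-source)?)\s+'?([^'\s]+)'?\s*$")

# Constructed sample configuration, not taken from the task's commits.
SAMPLE = [
    "set service webproxy listen-address 192.168.1.1",
    "set service webproxy proxy-bypass 1.2.3.4/24",
    "set service webproxy proxy-bypass-source 192.168.1.50",
    "set service webproxy proxy-bypass 1.2.3.4/24",      # duplicate entry
    "set service webproxy proxy-bypass 1.2.3.999/24",    # malformed address
]


def migrate(lines):
    """Return (migrated_lines, rejected_lines) for a list of set commands."""
    out, rejected = [], []
    seen = set(lines)  # lines already in the new form are never emitted twice
    for line in lines:
        m = OLD.match(line)
        if not m:
            out.append(line)  # unrelated or already migrated: pass through
            continue
        prefix, old, value = m.groups()
        try:
            # strict=False accepts host bits, e.g. 1.2.3.4/24 as in the thread
            ipaddress.ip_network(value, strict=False)
        except ValueError:
            # A malformed exception is reported, not guessed at; without it the
            # affected traffic stays behind the proxy.
            rejected.append(line)
            continue
        # The value is copied as written so the bypass set is neither widened
        # nor narrowed by the rename.
        new = f"{prefix} whitelist {RENAMES[old]} {value}"
        if new not in seen:
            seen.add(new)
            out.append(new)
    return out, rejected


if __name__ == "__main__":
    migrated, bad = migrate(SAMPLE)
    print("\n".join(migrated))
    print("rejected:", bad)
```

Running `migrate` on its own output returns it unchanged, which is the property a configuration migration needs if it can be executed more than once.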

c-po added a comment. Dec 1 2018, 7:44 AM

Or drop by our slack channel for help

A new description could be:

  1. Add command webproxy whitelist source-address to bypass proxy based on source IP address.
  2. Change the existing webproxy proxy-bypass to webproxy whitelist source-address to be consistent (and a bit more precise).

Bypassing the proxy by source address is useful for disabling the (e.g. transparent) proxy only for specific local devices. (I am using it to make Netflix work again by disabling the IP address of my Fire TV where Netflix runs.)

dsteinkopf closed this task as Resolved by committing Restricted Diffusion Commit. Dec 7 2018, 1:45 PM
dsteinkopf added a commit: Restricted Diffusion Commit.
dmbaturin added a commit: Restricted Diffusion Commit. Dec 7 2018, 1:45 PM

@dmbaturin Did you forget to merge the other PRs (migration code)?

syncer moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.
syncer moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.1) board.
dmbaturin renamed this task from Possibility to bypass the webproxy based on source IP address to Add an option to exclude addresses from transparent web proxying. Apr 11 2019, 1:29 PM

Title should be something like "Add an option to exclude source IP addresses from transparent web proxying" because destination IP is a different option.