
Webproxy bypassing CLI whitelist command is missing
Status: Closed, Wontfix | Public | BUG

Description

Hi,

For VyOS 1.3, according to the documentation (https://docs.vyos.io/en/crux/configuration/service/webproxy.html#bypassing-the-webproxy), we can bypass the proxy using the whitelist command.

But I am not seeing any whitelist parameter in the CLI.

set service webproxy whitelist

Configuration path: service webproxy [whitelist] is not valid
# set service webproxy 
Possible completions:
   append-domain
                Default domain name
 > authentication
                Proxy Authentication Settings
+> cache-peer   Specify other caches in a hierarchy
   cache-size   Disk cache size in MB (default: 100)
   default-port Default Proxy Port (default: 3128)
   disable-access-log
                Disable logging of HTTP accesses
+  domain-block Domain name to block
+  domain-noncache
                Domain name to access without caching
+> listen-address
                IPv4 listen-address for WebProxy [REQUIRED]
   maximum-object-size
                Maximum size of object to be stored in cache in kilobytes
   mem-cache-size
                Memory cache size in MB
   minimum-object-size
                Maximum size of object to be stored in cache in kilobytes
   outgoing-address
                Outgoing IP address for webproxy
+  reply-block-mime
                MIME type to block
   reply-body-max-size
                Maximum reply body size in KB
 > url-filtering
                URL filtering settings

What happened to this nice feature? Has the developer removed this?

Can someone kindly look into this?

Regards,

Details

Difficulty level: Unknown (require assessment)
Version: 1.3 with kernel 5.4.210
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Improvement (missing useful functionality)

Event Timeline

Still a bug.

vyos@r1# set service webproxy 
Possible completions:
   append-domain
                Default domain name
 > authentication
                Proxy Authentication Settings
+> cache-peer   Specify other caches in a hierarchy
   cache-size   Disk cache size in MB (default: 100)
   default-port Default Proxy Port (default: 3128)
   disable-access-log
                Disable logging of HTTP accesses
+  domain-block Domain name to block
+  domain-noncache
                Domain name to access without caching
+> listen-address
                IPv4 listen-address for WebProxy [REQUIRED]
   maximum-object-size
                Maximum size of object to be stored in cache in kilobytes
   mem-cache-size
                Memory cache size in MB
   minimum-object-size
                Maximum size of object to be stored in cache in kilobytes
   outgoing-address
                Outgoing IP address for webproxy
+  reply-block-mime
                MIME type to block
   reply-body-max-size
                Maximum reply body size in KB
 > url-filtering
                URL filtering settings
Viacheslav triaged this task as Wishlist priority. Jan 20 2024, 11:21 AM
Viacheslav edited projects, added VyOS 1.5 Circinus; removed VyOS 1.3 Equuleus (1.3.6).
Viacheslav renamed this task from "Webproxy bypassing cli command missing" to "Webproxy bypassing CLI whitelist command is missing". Thu, May 2, 10:23 AM

Minimal config for the old implementation with redirect (1.2):

set service webproxy listen-address 192.168.122.12
set service webproxy url-filtering squidguard block-category 'aggressive'
set service webproxy url-filtering squidguard local-block 'mytest.local'
set service webproxy whitelist destination-address '192.0.2.1'
set service webproxy whitelist destination-address '192.0.2.2'
set service webproxy whitelist source-address '192.0.2.222'
set service webproxy whitelist source-address '192.0.2.223'

Generated NAT rules:

vyos@r12# sudo iptables-save
# Generated by iptables-save v1.4.21 on Tue May  7 10:09:36 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:54]
:POSTROUTING ACCEPT [1:54]
:VYATTA_PRE_DNAT_HOOK - [0:0]
:VYATTA_PRE_SNAT_HOOK - [0:0]
:WEBPROXY - [0:0]
-A PREROUTING -j VYATTA_PRE_DNAT_HOOK
-A POSTROUTING -j VYATTA_PRE_SNAT_HOOK
-A POSTROUTING -o eth0 -m comment --comment SRC-NAT-100 -j MASQUERADE
-A VYATTA_PRE_DNAT_HOOK -j WEBPROXY
-A VYATTA_PRE_DNAT_HOOK -j RETURN
-A VYATTA_PRE_SNAT_HOOK -j RETURN
-A WEBPROXY -s 192.0.2.223/32 -p tcp -m tcp --dport 80 -m comment --comment "webproxy whitelist source-address" -j RETURN
-A WEBPROXY -s 192.0.2.222/32 -p tcp -m tcp --dport 80 -m comment --comment "webproxy whitelist source-address" -j RETURN
-A WEBPROXY -d 192.0.2.2/32 -p tcp -m tcp --dport 80 -m comment --comment "webproxy whitelist destination-address" -j RETURN
-A WEBPROXY -d 192.0.2.1/32 -p tcp -m tcp --dport 80 -m comment --comment "webproxy whitelist destination-address" -j RETURN
-A WEBPROXY -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT

The current 1.5 does not have any REDIRECT rules or bypass rules.
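The iptables-save output above only works as a bypass because every whitelist RETURN rule sits before the REDIRECT rule in the WEBPROXY chain; iptables is first-match, so a RETURN placed after the REDIRECT would never fire and that host would be proxied anyway. The following added example (not VyOS code, and not part of this task) parses the quoted -A lines for the options they actually use (-s, -d, -i, -p, --dport, -j, --to-ports), walks PREROUTING -> VYATTA_PRE_DNAT_HOOK -> WEBPROXY the way the kernel does, and offers a check that the whitelist precedes the redirect. The sample ruleset is a constructed copy of the task's output trimmed to the -A lines; the packet addresses used to exercise it (10.0.0.5, 203.0.113.10) are assumptions.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the -A lines from the iptables-save output quoted in the task.
IPTABLES_SAVE = """\
-A PREROUTING -j VYATTA_PRE_DNAT_HOOK
-A VYATTA_PRE_DNAT_HOOK -j WEBPROXY
-A VYATTA_PRE_DNAT_HOOK -j RETURN
-A WEBPROXY -s 192.0.2.223/32 -p tcp -m tcp --dport 80 -m comment --comment "webproxy whitelist source-address" -j RETURN
-A WEBPROXY -s 192.0.2.222/32 -p tcp -m tcp --dport 80 -m comment --comment "webproxy whitelist source-address" -j RETURN
-A WEBPROXY -d 192.0.2.2/32 -p tcp -m tcp --dport 80 -m comment --comment "webproxy whitelist destination-address" -j RETURN
-A WEBPROXY -d 192.0.2.1/32 -p tcp -m tcp --dport 80 -m comment --comment "webproxy whitelist destination-address" -j RETURN
-A WEBPROXY -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
"""

@dataclass
class Rule:
    chain: str
    target: str
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    to_port: Optional[int] = None

@dataclass
class Packet:
    src: str
    dst: str
    iface: str
    proto: str = "tcp"
    dport: int = 80

def parse_chains(text: str) -> Dict[str, List[Rule]]:
    """Collect '-A' lines per chain, preserving their order (order is the whole point)."""
    chains: Dict[str, List[Rule]] = {}
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)  # keeps the quoted --comment text as one token
        rule = Rule(chain=toks[1], target="")
        # Every option in the sample takes one argument; '-m ...' and '--comment ...' carry no criteria.
        for opt, arg in zip(toks[2::2], toks[3::2]):
            if opt == "-s":
                rule.src = ipaddress.ip_network(arg)
            elif opt == "-d":
                rule.dst = ipaddress.ip_network(arg)
            elif opt == "-i":
                rule.iface = arg
            elif opt == "-p":
                rule.proto = arg
            elif opt == "--dport":
                rule.dport = int(arg)
            elif opt == "-j":
                rule.target = arg
            elif opt == "--to-ports":
                rule.to_port = int(arg)
        chains.setdefault(rule.chain, []).append(rule)
    return chains

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))

def walk(chains: Dict[str, List[Rule]], chain: str, pkt: Packet) -> str:
    """First-match walk: RETURN (or falling off the end) hands back to the caller,
    a user-chain target recurses, anything else is a terminating verdict."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        if rule.target == "RETURN":
            return "RETURN"
        if rule.target in chains:
            verdict = walk(chains, rule.target, pkt)
            if verdict != "RETURN":
                return verdict
            continue  # the child chain returned: keep evaluating this chain
        return f"REDIRECT:{rule.to_port}" if rule.target == "REDIRECT" else rule.target
    return "RETURN"

def decide(chains: Dict[str, List[Rule]], pkt: Packet) -> str:
    """'ACCEPT' = PREROUTING policy applied and squid never sees the flow;
    'REDIRECT:<port>' = the flow was rewritten to the proxy port."""
    verdict = walk(chains, "PREROUTING", pkt)
    return "ACCEPT" if verdict == "RETURN" else verdict

def bypass_order_ok(chains: Dict[str, List[Rule]]) -> bool:
    """True only if WEBPROXY has a REDIRECT and every whitelist RETURN precedes it;
    a RETURN after the REDIRECT is dead code and that host is proxied regardless."""
    rules = chains.get("WEBPROXY", [])
    redirects = [i for i, r in enumerate(rules) if r.target == "REDIRECT"]
    returns = [i for i, r in enumerate(rules) if r.target == "RETURN"]
    return bool(redirects) and all(i < redirects[0] for i in returns)

CHAINS = parse_chains(IPTABLES_SAVE)

if __name__ == "__main__":
    for pkt in (Packet("192.0.2.222", "203.0.113.10", "eth0"),
                Packet("10.0.0.5", "192.0.2.1", "eth0"),
                Packet("10.0.0.5", "203.0.113.10", "eth0"),
                Packet("10.0.0.5", "203.0.113.10", "eth0", dport=443)):
        print(pkt, "->", decide(CHAINS, pkt))
    print("whitelist precedes REDIRECT:", bypass_order_ok(CHAINS))
```

Feed it a real iptables-save dump (only -A lines are read) to confirm a whitelist host is reported ACCEPT and an ordinary client REDIRECT:3128; note that port 443 traffic is never redirected by this ruleset, which is the point made below about the proxy only seeing plain HTTP.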

Viacheslav claimed this task.

The current workaround is manual DNAT rules:

set nat destination rule 100 destination port '80'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 translation redirect port '3128'

Add any rules numbered before 100 to exclude traffic from DNAT and use them as the "bypass".

The webproxy service is a possible candidate for deprecation. Nowadays port 80 is rarely used without SSL/HTTPS.
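One way to fill in the "rules before 100" part of the workaround above, as an added example rather than configuration from this task: the bypass entries are ordinary destination NAT rules with lower numbers than the redirect rule and the `exclude` option, so they are matched first and the traffic leaves the chain untouched, mirroring the RETURN-before-REDIRECT ordering of the old WEBPROXY chain. The rule numbers 10 and 20 and the descriptions are my choice; the addresses reuse the task's whitelist examples; the `exclude`, `source address` and `destination address` options are assumed to be the VyOS 1.4/1.5 `nat destination` syntax.

```vyos
# Added example, not from the task. Bypass entries must be numbered below the
# redirect rule, because NAT rules are evaluated in ascending order and the
# first match wins; an exclude rule numbered above 100 would never be reached.
set nat destination rule 10 description 'bypass webproxy for a whitelisted client'
set nat destination rule 10 source address '192.0.2.222'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 destination port '80'
set nat destination rule 10 exclude

set nat destination rule 20 description 'bypass webproxy for a whitelisted server'
set nat destination rule 20 destination address '192.0.2.1'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 destination port '80'
set nat destination rule 20 exclude

# The redirect rule from the workaround above, unchanged, catches everything else.
set nat destination rule 100 description 'redirect remaining HTTP to squid'
set nat destination rule 100 destination port '80'
set nat destination rule 100 protocol 'tcp'
set nat destination rule 100 translation redirect port '3128'
```

After `commit`, `show nat destination rules` should list 10 and 20 ahead of 100; if a host that is meant to be bypassed still appears in the squid access log, the first thing to check is that its exclude rule carries a lower number than the redirect rule.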