
Webproxy bypassing CLI whitelist command is missing
Open, Wishlist, Public, BUG

Description

Hi,

For VyOS 1.3, according to the documentation - https://docs.vyos.io/en/crux/configuration/service/webproxy.html#bypassing-the-webproxy

we can bypass the proxy using the whitelist command.

But I am not seeing any whitelist parameter from the CLI.

set service webproxy whitelist

Configuration path: service webproxy [whitelist] is not valid
# set service webproxy 
Possible completions:
   append-domain
                Default domain name
 > authentication
                Proxy Authentication Settings
+> cache-peer   Specify other caches in a hierarchy
   cache-size   Disk cache size in MB (default: 100)
   default-port Default Proxy Port (default: 3128)
   disable-access-log
                Disable logging of HTTP accesses
+  domain-block Domain name to block
+  domain-noncache
                Domain name to access without caching
+> listen-address
                IPv4 listen-address for WebProxy [REQUIRED]
   maximum-object-size
                Maximum size of object to be stored in cache in kilobytes
   mem-cache-size
                Memory cache size in MB
   minimum-object-size
                Maximum size of object to be stored in cache in kilobytes
   outgoing-address
                Outgoing IP address for webproxy
+  reply-block-mime
                MIME type to block
   reply-body-max-size
                Maximum reply body size in KB
 > url-filtering
                URL filtering settings

What happened to this nice feature? Has the developer removed this?

Can someone kindly look into this?

Regards,

Details

Difficulty level
Unknown (require assessment)
Version
1.3 with kernel 5.4.210
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Improvement (missing useful functionality)

Event Timeline

Still a bug

vyos@r1# set service webproxy 
Possible completions:
   append-domain
                Default domain name
 > authentication
                Proxy Authentication Settings
+> cache-peer   Specify other caches in a hierarchy
   cache-size   Disk cache size in MB (default: 100)
   default-port Default Proxy Port (default: 3128)
   disable-access-log
                Disable logging of HTTP accesses
+  domain-block Domain name to block
+  domain-noncache
                Domain name to access without caching
+> listen-address
                IPv4 listen-address for WebProxy [REQUIRED]
   maximum-object-size
                Maximum size of object to be stored in cache in kilobytes
   mem-cache-size
                Memory cache size in MB
   minimum-object-size
                Maximum size of object to be stored in cache in kilobytes
   outgoing-address
                Outgoing IP address for webproxy
+  reply-block-mime
                MIME type to block
   reply-body-max-size
                Maximum reply body size in KB
 > url-filtering
                URL filtering settings
Viacheslav triaged this task as Wishlist priority.Jan 20 2024, 11:21 AM
Viacheslav edited projects, added VyOS 1.5 Circinus; removed VyOS 1.3 Equuleus (1.3.6).

Example of config:

set service webproxy listen-address 192.168.122.12 disable-transparent
set service webproxy url-filtering squidguard block-category 'aggressive'
set service webproxy url-filtering squidguard local-block 'mytest.local'
set service webproxy whitelist destination-address '192.0.2.1'
set service webproxy whitelist destination-address '192.0.2.2'
set service webproxy whitelist source-address '192.0.2.222'
set service webproxy whitelist source-address '192.0.2.223'

The old implementation of whitelists uses NAT rules.

vyos@r12# cat /opt/vyatta/share/vyatta-cfg/templates/service/webproxy/whitelist/destination-address/node.def 
multi:
type: txt
help: Destination address/network to bypass the transparent proxy
syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl iptables4_addr $VAR(@)"

create: sudo iptables -t nat -I WEBPROXY 1 -p tcp --dport 80 -d '$VAR(@)' -m comment --comment 'webproxy whitelist destination-address' -j RETURN

delete: sudo iptables -t nat -D WEBPROXY -p tcp --dport 80 -d '$VAR(@)' -m comment --comment 'webproxy whitelist destination-address' -j RETURN

val_help: ipv4 ; IPv4 destination address to bypass
val_help: ipv4net ; IPv4 destination network to bypass
[edit]
vyos@r12# 


vyos@r12# cat /opt/vyatta/share/vyatta-cfg/templates/service/webproxy/whitelist/source-address/node.def 
multi:
type: txt
help: Source address/network to bypass the transparent proxy
syntax:expression: exec "/opt/vyatta/sbin/vyatta-validate-type.pl iptables4_addr $VAR(@)"

create: sudo iptables -t nat -I WEBPROXY 1 -p tcp --dport 80 -s '$VAR(@)' -m comment --comment 'webproxy whitelist source-address' -j RETURN

delete: sudo iptables -t nat -D WEBPROXY -p tcp --dport 80 -s '$VAR(@)' -m comment --comment 'webproxy whitelist source-address' -j RETURN

val_help: ipv4 ; IPv4 source address to bypass
val_help: ipv4net ; IPv4 source network to bypass

[edit]
vyos@r12#

And the PRE_DNAT_HOOK chain:

vyos@r12# sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
VYATTA_PRE_DNAT_HOOK  all  --  anywhere             anywhere            

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
VYATTA_PRE_SNAT_HOOK  all  --  anywhere             anywhere            

Chain VYATTA_PRE_DNAT_HOOK (1 references)
target     prot opt source               destination         
WEBPROXY   all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain VYATTA_PRE_SNAT_HOOK (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain WEBPROXY (1 references)
target     prot opt source               destination         
RETURN     tcp  --  192.0.2.223          anywhere             tcp dpt:http /* webproxy whitelist source-address */
RETURN     tcp  --  192.0.2.222          anywhere             tcp dpt:http /* webproxy whitelist source-address */
RETURN     tcp  --  anywhere             192.0.2.2            tcp dpt:http /* webproxy whitelist destination-address */
RETURN     tcp  --  anywhere             192.0.2.1            tcp dpt:http /* webproxy whitelist destination-address */
[edit]
vyos@r12#

The generated rules:

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:VYATTA_PRE_DNAT_HOOK - [0:0]
:VYATTA_PRE_SNAT_HOOK - [0:0]
:WEBPROXY - [0:0]
-A PREROUTING -j VYATTA_PRE_DNAT_HOOK
-A POSTROUTING -j VYATTA_PRE_SNAT_HOOK
-A VYATTA_PRE_DNAT_HOOK -j WEBPROXY
-A VYATTA_PRE_DNAT_HOOK -j RETURN
-A VYATTA_PRE_SNAT_HOOK -j RETURN
-A WEBPROXY -s 192.0.2.223/32 -p tcp -m tcp --dport 80 -m comment --comment "webproxy whitelist source-address" -j RETURN
-A WEBPROXY -s 192.0.2.222/32 -p tcp -m tcp --dport 80 -m comment --comment "webproxy whitelist source-address" -j RETURN
-A WEBPROXY -d 192.0.2.2/32 -p tcp -m tcp --dport 80 -m comment --comment "webproxy whitelist destination-address" -j RETURN
-A WEBPROXY -d 192.0.2.1/32 -p tcp -m tcp --dport 80 -m comment --comment "webproxy whitelist destination-address" -j RETURN
COMMIT

I wonder if we need an implementation for 1.5/1.4, as it used port 80?
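As an added example (not VyOS code, written for this task), a small Python model of what the legacy node.def templates above do: it parses the whitelist lines from the config example, reproduces the WEBPROXY chain order that "-I WEBPROXY 1" produces, renders the iptables-save lines shown, and checks which flows hit a RETURN rule. The bypasses_proxy helper and the sample flows are assumptions of this example; the regex and the IPv4 check stand in for the CLI parser and vyatta-validate-type.pl.

```python
import ipaddress
import re

# Constructed sample input: the whitelist lines from the config example above.
SAMPLE_CONFIG = """\
set service webproxy whitelist destination-address '192.0.2.1'
set service webproxy whitelist destination-address '192.0.2.2'
set service webproxy whitelist source-address '192.0.2.222'
set service webproxy whitelist source-address '192.0.2.223'
"""
LINE_RE = re.compile(
    r"^set service webproxy whitelist (source|destination)-address '([^']+)'$")

def parse_whitelist(config_text):
    """(kind, network) tuples in commit order. The IPv4 host/network check
    stands in for vyatta-validate-type.pl iptables4_addr in the node.def."""
    entries = []
    for line in filter(str.strip, config_text.splitlines()):
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unexpected line: {line}")
        kind, value = m.groups()
        net = ipaddress.ip_network(value, strict=False)
        if net.version != 4:
            raise ValueError(f"not an IPv4 address/network: {value}")
        entries.append((kind, net))
    return entries

def webproxy_chain(entries):
    # Each node.def 'create' runs 'iptables -t nat -I WEBPROXY 1 ...': an insert at
    # position 1, so the entry committed last ends up on top, as in the listing above.
    return list(reversed(entries))

def render_rules(chain):
    """iptables-save style lines equal to the generated rules shown above."""
    out = []
    for kind, net in chain:
        flag = "-s" if kind == "source" else "-d"
        out.append(f"-A WEBPROXY {flag} {net.with_prefixlen} -p tcp -m tcp --dport 80 "
                   f'-m comment --comment "webproxy whitelist {kind}-address" -j RETURN')
    return out

def bypasses_proxy(chain, src, dst, dport):
    """Assumed helper: True when a TCP flow hits a whitelist RETURN rule. Only
    dport 80 is matched, so port 443 traffic never takes this bypass."""
    if dport != 80:
        return False
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any((k == "source" and s in net) or (k == "destination" and d in net)
               for k, net in chain)
```

Running render_rules(webproxy_chain(parse_whitelist(SAMPLE_CONFIG))) yields the four WEBPROXY lines in the same order as the iptables-save dump above, which is why the last committed address appears first.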

Viacheslav renamed this task from Webproxy bypassing cli command missing to Webproxy bypassing CLI whitelist command is missing.Thu, May 2, 10:23 AM