Squid proxy configuration based on DNS failure

In a local environment, access to the Internet may only be possible through an Internet proxy, and the local DNS may be unable to resolve public domain names. If you also need a proxy inside the local network, how can you make it serve requests for local services directly, but forward requests for the Internet to the Internet proxy?

Diagram of a local client trying to access the Internet or a local HTTP service

For example, in your local environment:

  • Inside the local environment, your DNS resolves *.local domain names
  • Any other lookup fails (an empty answer or a SERVFAIL response)

The aim is to configure the Squid proxy so that it decides, from the outcome of DNS resolution, whether a request targets a local web service or an Internet one.

squid : Optimising Web Delivery

Technically, I set up a Docker Compose file with a custom squid.conf:

version: '3'
services:
  squid:
    image: ubuntu/squid:5.2-22.04_beta
    restart: always
    volumes:
     - ./config/squid.conf:/etc/squid/squid.conf
    environment:
     - TZ=UTC
    ports:
     - "8080:8080"

The solution is to filter requests based on the destination IP of the URL. If the proxy can resolve the hostname to an IP, the destination is a local one. If it cannot, the domain name belongs to the Internet and the request must be sent to the Internet proxy.

Squid has no ACL that detects a DNS failure directly, but you can create an ACL based on an IP range and turn the logic around: if the request has a valid destination IPv4 address, it matches the ACL. The range 0.0.0.0/0.0.0.0 covers every IPv4 address. When the DNS lookup fails, Squid cannot obtain a destination IP, so the dst ACL does not match and the filter is not applied.
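A complete squid.conf implementing this, as an added example written for this page rather than the file from the original post. The http_port matches the Compose port mapping above; the client network range (192.168.0.0/16) and the upstream proxy name and port (proxy.internet.example:3128) are placeholders to replace with your own values.

```conf
# squid.conf: go direct for destinations the local DNS can resolve,
# hand everything else to the upstream Internet proxy.
# Added example; the localnet range and the cache_peer address are assumptions.

http_port 8080

# Clients allowed to use this proxy (assumed local network range)
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all

# Upstream Internet proxy (assumed name and port). 'default' makes it the
# parent of last resort, 'no-query' disables ICP towards it.
cache_peer proxy.internet.example parent 3128 0 no-query default

# Matches any request whose destination hostname resolved to an IPv4 address.
# A request whose DNS lookup fails does not match this ACL at all.
acl resolvable_dst dst 0.0.0.0/0.0.0.0

# Resolved by the local DNS -> fetch directly from the origin server
always_direct allow resolvable_dst
always_direct deny all
# Not resolved -> direct access is forbidden, so Squid uses the cache_peer
never_direct deny resolvable_dst
never_direct allow all
```

The cache_peer hostname must itself be resolvable by the local DNS (or be written as an IP address), otherwise Squid cannot reach the parent. A URL that carries an IP literal instead of a hostname needs no lookup, so it always matches the dst ACL and goes direct. Squid also caches failed lookups for negative_dns_ttl, so a name that failed once keeps routing to the parent until that cache entry expires.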

The important part is the block of always_direct and never_direct directives at the end of squid.conf. Together they define when a request must use the cache_peer (the Internet proxy) and when it must go direct.

  • always_direct: only requests with a valid (resolved) destination IP are allowed to go direct; every other request is denied here (always_direct allow for the dst ACL, deny for everything else)
  • never_direct: direct access is forbidden for every request except those with a valid destination IP, which forces unresolved destinations through the cache_peer (never_direct deny for the dst ACL, allow for everything else)
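Once the proxy is running, the only record of which path each request took is the hierarchy code in Squid's access.log (HIER_DIRECT for a direct fetch, FIRSTUP_PARENT or DEFAULT_PARENT for the cache_peer). Two outcomes matter from a security point of view: a *.local name sent to the Internet proxy (for instance after a transient failure of the local DNS) discloses an internal hostname and the request to the upstream, and a non-local name fetched directly means the split-DNS assumption no longer holds. The script below is an added example, not from the original post; it audits lines in Squid's native log format (field 7 is the URL, field 9 is hierarchy-code/next-hop), assumes the local zone is .local as in the post, and runs over constructed sample lines rather than a real capture.

```shell
#!/bin/sh
# Audit a Squid access.log (native "squid" log format) against the DNS-based
# routing policy: local-zone hosts must be DIRECT, everything else must use
# the parent proxy. Added example; LOCAL_ZONE and the sample lines are assumptions.

LOCAL_ZONE="${LOCAL_ZONE:-.local}"

# Reads log lines on stdin, prints one line per request:
#   "<verdict> <host> <hierarchy-code>"
#   OK     routed as the policy intends
#   LEAK   local host was sent to the parent (internal name disclosed upstream)
#   BYPASS non-local host was fetched directly (split DNS assumption broken)
#   FAIL   request was not routed at all (e.g. 503 with HIER_NONE)
audit_access_log() {
    awk -v zone="$LOCAL_ZONE" '
    NF < 9 { next }                                   # not a request line
    {
        url = $7
        # isolate the hostname: drop scheme, then path, then port
        if ((p = index(url, "://")) > 0) url = substr(url, p + 3)
        sub(/\/.*$/, "", url)
        sub(/:[0-9]+$/, "", url)
        host = url

        split($9, h, "/")                             # h[1] = hierarchy code
        code = h[1]
        if (code == "HIER_DIRECT")      route = "DIRECT"
        else if (code ~ /_PARENT$/)     route = "PARENT"
        else                            route = "NONE"

        # IP literals need no DNS lookup, so the policy sends them direct
        is_ip    = (host ~ /^[0-9.]+$/)
        is_local = is_ip || (substr(host, length(host) - length(zone) + 1) == zone)

        if (route == "NONE")                     verdict = "FAIL"
        else if (is_local && route == "PARENT")  verdict = "LEAK"
        else if (!is_local && route == "DIRECT") verdict = "BYPASS"
        else                                     verdict = "OK"
        print verdict, host, code
    }'
}

# Exit 0 when the log contains no LEAK or BYPASS verdict, 1 otherwise.
policy_ok() {
    audit_access_log | awk '$1 == "LEAK" || $1 == "BYPASS" { bad = 1 } END { exit bad }'
}

# Constructed sample lines (not a real capture) covering every verdict
SAMPLE_LOG='1706000000.123     12 192.168.1.10 TCP_MISS/200 5123 GET http://wiki.local/index.html - HIER_DIRECT/10.0.0.5 text/html
1706000001.456    340 192.168.1.10 TCP_MISS/200 9876 GET http://example.com/ - FIRSTUP_PARENT/10.0.0.254 text/html
1706000002.789    210 192.168.1.11 TCP_TUNNEL/200 45000 CONNECT www.example.com:443 - FIRSTUP_PARENT/10.0.0.254 -
1706000003.012     15 192.168.1.12 TCP_MISS/200 300 GET http://10.0.0.5/ - HIER_DIRECT/10.0.0.5 text/html
1706000004.345    400 192.168.1.12 TCP_MISS/200 700 GET http://intranet.local/secret - FIRSTUP_PARENT/10.0.0.254 text/html
1706000005.678     90 192.168.1.13 TCP_MISS/200 800 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1706000006.901      3 192.168.1.14 TCP_MISS/503 0 GET http://nowhere.local/ - HIER_NONE/- text/html'

printf '%s\n' "$SAMPLE_LOG" | audit_access_log
```

On a live deployment run it as `docker compose exec squid cat /var/log/squid/access.log | sh audit.sh` (path of the log inside the container is an assumption) and alert on any LEAK line; a BYPASS line means the local DNS resolved a public name, which is the one condition this design cannot distinguish from a local service.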
Arnaud
me@arfevrier.fr
Rennes, France