What device?
Have you tried a different device?
Apple TV vs Fire TV vs Roku?
Looks like Fire TV has proxy settings!
Found this on Roku. This article is hard to follow.
But Roku could perhaps use a VPN from blue to red to bypass the proxy.
This does not solve the Squid problem.
But maybe a workaround.
The text there is pretty clear and it makes a lot of sense. How can any acl bypass a request if you have already committed it to squid? As the text says, once given to it, squid has either to service it or to fail it. It can’t be bypassed because it has no mechanism to give back the traffic to the router and say “please take back this traffic and contact instead the server directly”. Any bypass has to happen before, at the iptables level so that the traffic is never sent to squid in the first place.
The transparency happens at layer 3, while the acl operate at the application layer, way above the protocol stack.
Without knowing the details of how this complex system works, it is possible to be extremely wrong. I do not know anything about how squid works. I only make conclusions on a very approximate mental model. If my premises are wrong, my conclusion is wrong.
Having said that, yes I believe this is exactly the problem. The routing table assigns any packet destined to port 80 to squid by rewriting the packets so that they are destined to port 3129. This happens before anything else. Next squid sees these packets and has to decide what to do with them. My assumption is that squid at this point has no mechanism to send back those packets to iptables and ask it to rewrite them back to port 80 so that they can be handled directly by the browser or the streaming software.
As long as the streaming software was compatible with squid, everything worked well. As soon as squid changed something (or the streaming software changed something) the system got broken. At this point squid has to be bypassed. My hypothesis is that this has to happen before the packets are given to squid, because the caching software has no mechanism to get out of the loop by itself. Once those packets are in its memory, it has to service them (failing the streaming) or drop them (failing the streaming).
My assumption is also that squid has a mechanism to interact at the protocol (I mean, application) layer with its clients. For example, say firefox uses squid by virtue of being configured to do so. Here squid has a way to communicate back to the client a message like “for this ip address, please retrieve the information directly” and therefore an acl table stating “do not cache this ip” will work.
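To make the iptables-level bypass concrete, here is an added example (not code from the thread or from any project wiki) that generates the NAT rules: the port 80 to 3129 redirect from the post above, preceded by RETURN rules so exempted traffic never reaches Squid at all. The LAN interface name, the Squid intercept port and the bypass addresses are constructed assumptions.

```shell
#!/bin/sh
# Constructed example: emit the iptables NAT rules for a transparent Squid setup
# where the bypass is decided before the REDIRECT. Assumptions (not from the
# thread): LAN interface eth1, Squid intercept port 3129, placeholder addresses.

LAN_IF="eth1"
SQUID_PORT="3129"
# Constructed destination networks to exempt (e.g. a streaming service's CDN range)
BYPASS_DESTS="203.0.113.0/24 198.51.100.0/24"
# Constructed LAN hosts to exempt entirely (e.g. the Roku or Fire TV address)
BYPASS_SRCS="192.168.1.50"

# Print the rules in order. Order is the whole point: a RETURN in the nat
# PREROUTING chain stops evaluation, so a packet matched by RETURN is never
# rewritten to port 3129 and Squid never sees it. The REDIRECT must come last.
gen_rules() {
  for dst in $BYPASS_DESTS; do
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -d $dst -j RETURN"
  done
  for src in $BYPASS_SRCS; do
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -s $src -j RETURN"
  done
  echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
}

# Sanity check: fail (exit 1) if any RETURN rule would land after the REDIRECT,
# because such a rule could never fire and the bypass would silently not work.
check_order() {
  gen_rules | awk 'BEGIN{ok=1} /REDIRECT/{seen=1} /RETURN/{if(seen)ok=0} END{exit ok?0:1}'
}

# Review the generated rules; apply them with "gen_rules | sh" as root once satisfied.
gen_rules
```

Exempting by destination is only practical when the streaming service's address ranges are stable; exempting the device's own LAN address is the more robust choice, at the cost of that device getting no proxy caching at all.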
Fantastic work. I just changed few words to make a sentence a bit shorter. Feel free to reverse it if you do not like it.
I would add a sentence to explain that IPTables is the main actor of the transparent feature as it passes the traffic to Squid. This way it becomes more clear why the problem is solved through iptables and not acls, besides the quote of Squid documentations.
Please let me repeat what an outstanding job @jon did here.
I do not feel comfortable modifying your text (besides minor editing). You linked this thread to the wiki article, so the information is available. Thanks again for all the work you put in this project and sharing the result with everyone.
Edit: I edited the page to add a reference to the proxy setup page of the wiki that explains what a transparent proxy is.