I’m now aware that it is preferable from a security stance to run clients through a web proxy.
How do IPFire users (those presently with web proxy enabled) handle users with software installed that doesn’t play nice with proxies?
To give two examples WhatsApp and Speedtest.net.
Is it possible to have some outbound traffic from a client bypass the web proxy whilst the remainder of its traffic via the proxy?
Any guidance or thoughts on this greatly appreciated.
Cheers,
If you have a proxy that takes accepts requests FROM the internet and routes it to your server then it is a reverse-proxy. If you are just interested in proxying your server when it acts as a regular web client, then you would use a “regular” proxy (personal recommendation: Squid). However, you won’t really see much there because that won’t get used when your server is processing incoming requests.
You didn’t address my question but thanks for responding.
Hi rjschilt,
First: Also not answering your question - sorry about that.
Do you really want this scenario? You can enable/disable proxy for zones. I personally would not want if one client is allowed to bypass the proxy because other clients can masquerade to appear like this client rendering the proxy useless (except for users who are not interested in doing not allowed stuff anyway)
Since you posted this question a long time ago. Did you find a solution until now?
Hi @florom,
Thank you for asking.
I’m still running with a 2 port appliance. One port red and the other green.
I tried to segregate traffic on the green port into proxy and non proxy traffic but this became messy to manage.
I will soon purchase a 4 port appliance and force all traffic on a 3rd port (blue) to connect via IPFire’s web proxy. All guests and normal users will then connect via the blue port.
With administrator (myself) connecting via the green port and no web proxy.
For our setup secure enough, simple and easy to manage.
Hi @rjschilt ,
That seems like the proper solution. 
2 posts were split to a new topic: Software installed that doesn’t play nice with proxies