Edward C. Jakosalem wrote:
Hi,
Edward C. Jakosalem wrote:
Tue 2007-04-17 at 20:55 +1000, Edward C. Jakosalem wrote:
I have posted this same problem before but I want to post it again because
I am pressured to make this work with Squid. I know that Squid's use is
either an accelerator or proxy or both. But we want Squid to _only_
capture web traffic and log them, that's all. As such, I have configured
my server to act as transparent proxy.
I don't quite get what you are trying to do here.. Do you want Squid to
act as a transparent proxy by intercepting port 80 traffic and have it
redirected to Squid, or do you just want to audit the port 80 traffic
without actually touching the packets by just listening on a switch
mirror/monitor port?
I actually just need squid to act as transparent proxy so I can log
traffic. I don't care how squid will do this, I just need the logs. And
the reason why we use the mirrored port is that we don't want browsing
affected in case this server goes down.
So you want Squid to be in the path but don't want it to affect anything
if it goes down? That can't be done, unless you can use WCCP to ignore
it if it's down. Never played with WCCP so I don't know if it's
possible. I've always 'done the right thing' and told my browsers about
the proxy!
The first can be done by Squid, and any of the interception methods will
work. WCCP, Policy routing etc..
The second is not a job for Squid. You need a packet analyzer/auditor
for this. There are quite many different ones depending on what you are
looking for..
We specifically need the Squid log format that's why we want to make this
work with squid. My boss doesn't want it any other way. :-(
Why must he have Squid format logs? What's his business reason for
having to have them in that format?
I honestly don't know. But the aim is to have a record of our customers'
browsing activities and retain the logs for 6 months.
Squid is probably the wrong tool for the job and won't work how you've
got it set up now so why not look around at other tools that are
designed for the job?
I already did and told him that. I actually have a program called _packit_
up and running. I also found some other useful ones as well. But
management said Squid can do it and if I can't make it work, they will
seek help from someone who knows how to. Hey, what's a lowly employee like
me to do? :-(
Well, it seems to have come down to who you trust to know more about the
software: the people who wrote it, or your managers and whoever gave
them the idea that squid was capable.
Without knowing who your management are or their experience levels I am
thinking at this point that I have heard this story before. It sounds
like your management are not technical people and have been told by a
contact elsewhere that another business uses squid to 'record logs of all
our customers activities' then jumped to conclusions.
Squid _can_ sit between your clients and the web and do it. But it does
need to be in the actual traffic path.
SO, you can take a proposal to your management (maybe with costings) for
a robust set of squid cache(s) to be your gateway to the net, you are in
the best position to know what is needed for your company given that
'cannot fail' requirement you mentioned earlier.
OR, I'm sure between us all we can work up a suitably large quote for
the work it would take a developer to make squid capable of sitting on a
mirror port. (I'll start the bidding randomly at a nice round $500k and
see where that goes if you like ;-).
OR, you can go back to your management with our (developers and expert
users) support for the argument that squid cannot do it in any known
version and get them to supply the source of their 'it can' information
to help you do it. As an aside, if they actually come up with a source
we'd like to know who's doing it.
Amos
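
Added example, not part of the original thread or of Squid itself: a sketch of how HTTP transactions already reassembled by a passive analyzer on the mirror port could be written out in the field order of Squid's native access.log, which is the requirement the thread keeps returning to. The function names, the sample addresses and the fixed TCP_MISS/DIRECT codes are assumptions of this example; packet capture and TCP reassembly are left to the analyzer.

```python
import re

def parse_head(raw: bytes):
    """Return (start-line tokens, {lowercased header: value}) for an HTTP/1.x head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ", 2), headers

def safe(field: str) -> str:
    """Percent-encode whitespace and control bytes so a crafted Host header or
    URL cannot add fields or lines to the log."""
    return re.sub(r"[\x00-\x20\x7f]", lambda m: "%%%02X" % ord(m.group()), field) or "-"

def squid_native_line(ts_req, ts_resp, client_ip, server_ip, request, response, resp_bytes):
    """Format one observed request/response pair in native access.log field order:
    time elapsed client code/status bytes method URL ident hierarchy/peer type."""
    req_line, req_h = parse_head(request)
    resp_line, resp_h = parse_head(response)
    if len(req_line) != 3 or len(resp_line) < 2 or not resp_line[1].isdigit():
        raise ValueError("not a complete HTTP/1.x request/response pair")
    method, target, _ = req_line
    # Origin-form targets ("/path") need the Host header to rebuild the URL.
    url = target if "://" in target else f"http://{req_h.get('host', server_ip)}{target}"
    ctype = resp_h.get("content-type", "-").split(";")[0].strip()
    elapsed_ms = round((ts_resp - ts_req) * 1000)
    # A passive observer has no cache, so the result and hierarchy codes are
    # fixed to TCP_MISS and DIRECT (assumption of this sketch). The line is
    # stamped with the end-of-response time.
    return (f"{ts_resp:.3f} {elapsed_ms:6d} {client_ip} TCP_MISS/{int(resp_line[1]):03d} "
            f"{resp_bytes} {safe(method)} {safe(url)} - DIRECT/{server_ip} {safe(ctype)}")

# Constructed sample transaction (documentation addresses, not real traffic).
REQ = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
RESP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"

if __name__ == "__main__":
    print(squid_native_line(1176807300.125, 1176807300.250,
                            "192.0.2.10", "198.51.100.7", REQ, RESP, 5120))
```

Lines produced this way only resemble Squid's output: no proxy handled the request, so cache-related fields carry no information.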