Re: Content filtering, password-bypass & client configuration.

Many, many thanks for your reply, Amos.

It took me some days to follow up your comments, and I have been reading the Squid documentation you referred me to in the last week. It seems very good, however I have a couple of questions.


On 4 Feb 2009, at 05:13, Amos Jeffries wrote:
Stroller wrote:

With transparency, the machine has two NICs and everything goes through it, right?

Maybe no, maybe yes. Transparency, Interception, and NICs are not related.
http://wiki.squid-cache.org/ConfigExamples/Intercept


But if it's not transparent then it's just another IP on the LAN (??) and that has to be entered into Internet Explorer's configuration options. I can block outgoing connections to port 80 (except those made by the Squid box) at the ADSL router, and because all the PCs are in a Windows domain I can use Policies to set that on all clients. However this stitches up 2 or 3 laptop users - if I force them to proxy through 192.168.4.2 then they won't be able to surf the net when they take their laptops home (where there is no proxy at that address).

The solution is to do the above for permanent machines. And try WPAD for the laptops and guest machines.
http://wiki.squid-cache.org/Technology/WPAD


I initially read this as "the solution is to use interception for permanent machines and WPAD for laptops and guests". I think this has led me to make things more complicated than necessary, but I am still curious about such a configuration.

We have a common /24 LAN with gateway 192.168.1.1, Squid running on 192.168.1.42 and various desktop PCs 192.168.1.100 - 200. Can we redirect at the gateway so that when a desktop PC sends a packet with a port 80 destination, the gateway redirects the packet to port 3128 of the Squid proxy, which is on the same ethernet switch as the PCs, all on the LAN side of the router?

Sorry if I explain this question badly. I am unclear whether the interception examples using iptables are intended for sites trying to proxy in front of their own webservers (I think this is done to reduce load on dynamic sites, eg those that use PHP) or whether they are intended for sites like mine, trying to force proxying on the users.

The difference between these two scenarios is that packets approach the router from "different sides". If one proxies for one's own webserver then the router receives packets on the WAN port & redirects them to the LAN. In my example the packets are sent to the LAN port of the router & redirected to another machine, also on the LAN - they use the same interface; doesn't this cause collisions? Also, doesn't the Squid machine think the packets are originating from the router and not the desktop PC? Someone else has asserted this to be the case, and I am unable to answer.


Stepping back from this confusion for a moment, I think the thing to do for my scenario is to block all outgoing port 80 connections at the router, except those initiated by the Squid machine. Then use WPAD / Windows domain rules to point to the Squid proxy.

Regarding ACLs: is it possible to have certain sites unrestricted, and only ask users for a password if they want to access sites that are not on that list?

Blimey! My head is melting. Sorry if my questions are ill-formed, and many thanks for the help you have already given,

Stroller.
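One way to write the ACL arrangement asked about above (some sites open to everyone, a password for everything else) as a squid.conf fragment. This is an added example, not something from the thread or from Amos; the domain list, the htpasswd path and the auth helper path are assumptions, and the LAN and port values match the ones given in the message.

```conf
# Added example (not from the thread): squid.conf fragment.
# Goal: listed sites need no password; any other site prompts for one.

# Sites reachable without credentials (constructed list for illustration).
acl nopass_sites dstdomain .example.org .example.com

# Basic authentication against an htpasswd-style file.
# Helper and password file paths are assumptions; they vary by distro and Squid version.
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic realm Office proxy
auth_param basic credentialsttl 2 hours
acl authed_users proxy_auth REQUIRED

# Only the office LAN from the message may use the proxy at all.
acl office_lan src 192.168.1.0/24
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Squid evaluates http_access lines top to bottom and stops at the first match,
# so the no-password sites must be allowed BEFORE the proxy_auth ACL is consulted;
# otherwise every request, including the open sites, triggers a 407 prompt.
http_access deny !Safe_ports
http_access deny !office_lan
http_access allow nopass_sites
http_access allow authed_users
http_access deny all

http_port 3128
```

Because `nopass_sites` is allowed before `authed_users` is ever evaluated, browsers are only challenged for credentials when they request something outside the list.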