Stroller wrote:
Many, many thanks for your reply, Amos.
It took me some days to follow up your comments, and I have been reading
the Squid documentation you referred me to in the last week. It seems
very good, however I have a couple of questions.
On 4 Feb 2009, at 05:13, Amos Jeffries wrote:
Stroller wrote:
With transparency, the machine has two NICs and everything goes
through it, right?
Maybe no, maybe yes. Transparency, Interception, and NICs are not
related.
http://wiki.squid-cache.org/ConfigExamples/Intercept
But if it's not transparent then it's just another IP on the LAN (??)
and that has to be entered into Internet Explorer's configuration
options. I can block outgoing connections to port 80
(except those made by the Squid box) at the ADSL router, and because
all the PCs are in a Windows domain I can use Policies to set that on
all clients. However this stitches up 2 or 3 laptop users - if I
force them to proxy through 192.168.4.2 then they won't be able to
surf the net when they take their laptops home (where there is no
proxy at that address).
The solution is to do the above for permanent machines. And try WPAD
for the laptops and guest machines.
http://wiki.squid-cache.org/Technology/WPAD
I initially read this as "the solution is to use interception for
permanent machines and WPAD for laptops and guests".
I think this has led me to make things more complicated than necessary,
but I am still curious about such a configuration.
Sorry, what I meant by the above was the second part of what you said.
"if I force them to proxy through 192.168.4.2".
So, the manual proxy configuration for the permanent machines. Not
transparent.
And WPAD for those 2-3 laptops. WPAD can even be installed locally and
written to detect what network the laptop is on. So you get away from
any DNS/DHCP issues.
We have a common /24 LAN with gateway 192.168.1.1, Squid running on
192.168.1.42 and various desktop PCs 192.168.1.100 - 200. Can we
redirect at the gateway so that when a desktop PC sends a packet with a
port 80 destination, the gateway redirects the packet to port 3128 of
the Squid proxy, which is on the same ethernet switch as the PCs, all on
the LAN side of the router?
Yes, possible, that's basic interception. But you needed auth to work,
yes? That's why we stuck with the WPAD option for roaming laptops.
Sorry if I explain this question badly. I am unclear whether the
interception examples using iptables are intended for sites trying to
proxy in front of their own webservers (I think this is done to reduce
load on dynamic sites, eg those that use PHP) or whether they are
intended for sites like mine, trying to force proxying on the users.
All the wiki ConfigExamples/Intercept/* are for ISP or enterprise
gateway type situations, where traffic can be diverted through squid.
The website accelerator ones are in a different section
(ConfigExamples/Reverse/*).
The difference between these two scenarios is that packets approach the
router from "different sides". If one proxies for one's own webserver
then the router receives packets on the WAN port & redirects them to the
LAN. In my example the packets are sent to the LAN port of the router &
redirected to another machine, also on the LAN - they use the same
interface, doesn't this cause collisions?
If not done right, yes.
Also, doesn't the Squid
machine think the packets are originating from the router and not the
desktop PC? Someone else has asserted this to be the case, and I am
unable to answer.
Only if NAT is done on the router rather than policy-routed first before
NAT on the squid box.
Stepping back from this confusion for a moment, I think the thing to do
for my scenario is to block all outgoing port 80 connections at the
router, except those initiated by the Squid machine. Then use WPAD /
Windows domain rules to point to the Squid proxy.
Yes, that was what I meant initially. Sorry for the confusion.
Regarding ACLs: is it possible to have certain sites unrestricted, and
only ask users for a password if they want to access sites that are not
on that list?
Yes. The config looks like:
acl okSites dstdomain .example.com
# proxy_auth only works with an auth_param scheme configured earlier in squid.conf
acl loggedIn proxy_auth REQUIRED
http_access allow localnet okSites
http_access deny localnet !loggedIn
http_access allow localnet
http_access deny all
Blimey! My head is melting. Sorry if my questions are ill-formed, and
many thanks for the help you have already given,
Stroller.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
Current Beta Squid 3.1.0.5
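As an added example (not part of the thread, and not Squid's or Amos's code), here is a locally installed PAC file of the kind described above for the roaming laptops: it decides from the laptop's current address whether it is on the office LAN and should use Squid, or is elsewhere and should go direct. The Squid address 192.168.1.42:3128 comes from the thread; the office network 192.168.1.0/24 is assumed from the "/24 LAN with gateway 192.168.1.1" mentioned earlier; the rule that plain host names (no dot) go direct on the office LAN is a design choice of this example, not something the thread specifies.

```javascript
// Added example: a locally installed PAC file that detects which network the
// laptop is on. Assumptions (not from the thread): office LAN is 192.168.1.0/24;
// single-label host names go DIRECT on the office LAN.
var OFFICE_NET = "192.168.1.0";
var OFFICE_MASK = "255.255.255.0";
var SQUID_PROXY = "PROXY 192.168.1.42:3128"; // Squid box from the thread

// Parse a dotted-quad IPv4 address into an unsigned integer; -1 if malformed.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return -1;
    var octet = parseInt(parts[i], 10);
    if (octet > 255) return -1;
    n = n * 256 + octet;
  }
  return n;
}

// Own subnet test instead of the PAC built-in isInNet(), so the same logic
// runs unchanged in a browser's PAC engine and under Node for testing.
function inNet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), m = ipToInt(mask);
  if (a < 0 || b < 0 || m < 0) return false;
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}

// Core decision, separated from the PAC entry point so it can be tested with
// an explicit client address rather than relying on myIpAddress().
function chooseProxy(clientIp, host) {
  var onOfficeLan = inNet(clientIp, OFFICE_NET, OFFICE_MASK);
  if (!onOfficeLan) {
    // At home or on a guest network: there is no proxy at 192.168.1.42 there.
    return "DIRECT";
  }
  if (host.indexOf(".") === -1) {
    // Single-label intranet names only resolve on the office LAN; skip the proxy.
    return "DIRECT";
  }
  // On the office LAN all other web traffic goes through Squid. If detection
  // ever fails here, the router's port-80 block makes the laptop fail closed
  // instead of bypassing the proxy.
  return SQUID_PROXY;
}

// Standard PAC entry point called by the browser for every URL.
// myIpAddress() is supplied by the PAC engine; the fallback only lets the
// file load under Node, where it then resolves to DIRECT.
function FindProxyForURL(url, host) {
  var ip = (typeof myIpAddress === "function") ? myIpAddress() : "0.0.0.0";
  return chooseProxy(ip, host);
}
```

Two practical caveats: myIpAddress() is known to be unreliable on multi-homed machines (VPN adapters, virtual NICs), so a practitioner should test the PAC with the laptop docked and undocked, and the "DIRECT" fallback is safe here only because the router blocks port 80 from everything except the Squid box, as the thread proposes; without that block a failed detection would silently bypass the proxy.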