Donatas Gedvilas wrote:
Hello, I am looking for help and I am not very good in English, so sorry in advance :). I am a system/network administrator in one company. I like open source and I have the task "to control users' HTTP traffic"; my deadline is 3 months. I refused "Fortigate" and "Astaro" complete commercial products. I have 110 users in all, but in one office there are about 50, so I started there. As far as I know a little Debian, I chose it and Squid as a proxy-cache. I installed it on a separate machine listening on port 3128, with SNMP enabled and MRTG for monitoring, and W3Perl for making nice statistics. For now I configured 10 users' browsers (we use Firefox as the main one, and IE for specific HTTP) to go through my proxy. Everything is working fine because Squid handles the real users' IP addresses, and the W3Perl output generated from access.log looks fine because I made a translation Name Surname - user's IP address. And it is easy to change a user's browser settings to go directly if something is wrong with the "squid-machine". But this configuration is good only for testing purposes. Users (intermediate level) can easily change browser settings not to go through the proxy. Yes, I know there are some methods to disable changing such settings, but doing this with 40-50 users is not a good idea :) So I need a transparent proxy configuration, in my opinion?
Better to prefer WPAD / PAC files if you can. Then browsers just get set to 'auto detect'.
Also, for better control a port-80 block on the firewall is good to force use of the proxy.
Only choose intercept to act as a last-choice backup for the stuff where both of the above fail. Capability limits and breakages under intercept are great.
I am using an "IPcop" router/firewalling machine for testing purposes for one year and it works fine in my case. (It also has a built-in proxy but I don't like it for several reasons: very weak logs, poor caching capabilities, and everything on one machine.) So I am planning to put the Squid proxy machine in the DMZ (IPcop's orange interface, which, as I read from http://www.deckle.co.za/squid-users-guide, is the best place for a cache). My trusted hosts would be on the green network (trusted) and IPcop hands off any HTTP 80, FTP 21 and HTTPS 443 requests to the DMZ (my orange) interface on the squid-proxy-machine listening on port 3128, and Squid would then be able to communicate with the ISP's cache servers on the red side with the UDP ICP protocol, for example - am I right?
If you wish. Topology does not matter for what you have described as your requirements.
The main question is whether in that configuration my squid-machine would be able to authenticate every user's traffic going from green and give nice outputs with Names and Surnames, or whether all users' IPs from green would be covered by one orange (DMZ) IP and the squid-machine wouldn't be able to produce nice outputs based on IPs.
#1 limit of interception is no HTTP authentication. There are tricks and ways around that, but it's actually easier to get your head around WPAD/PAC than to get side-band auth right.
Also I have a WWW server and I am planning to put an FTP server on the DMZ. Please advise me how to do this the best way, or give another configuration example, because I can't test this way in practice now (my squid-machine is placed in one office and the IPcop firewall in another: different cities, different branches). I would be waiting for any help, thanks.
Check through: http://wiki.squid-cache.org/ConfigExamples and see if any of the examples suit you or lead to a good idea.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
  Current Beta Squid 3.1.0.7
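As an added example (not code from the thread or from the Squid project), here is a PAC file for the WPAD/PAC route recommended above, pointing browsers at the Squid box on port 3128 and keeping local destinations direct; the names squid.example.internal and .example.internal are assumptions.

```javascript
// Added example (not from the thread): a PAC file for the setup discussed,
// sending browsers to the Squid box on port 3128 and bypassing it for local hosts.
// Assumed names: squid.example.internal (the proxy) and .example.internal (LAN domain).
// Plain JavaScript only (var, no let/const, no PAC built-ins such as isInNet), so it
// runs unchanged in older browser PAC engines and can be unit-tested under Node.

var SQUID = "PROXY squid.example.internal:3128";
var LAN_DOMAIN = ".example.internal";

// Hostname without any dot: an intranet-style name, fetched directly.
function isPlainHost(host) {
  return host.indexOf(".") === -1;
}

// Literal IPv4 address in RFC 1918 private space (10/8, 172.16/12, 192.168/16).
function isPrivateIPv4(host) {
  return /^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host) ||
         /^172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}$/.test(host) ||
         /^192\.168\.\d{1,3}\.\d{1,3}$/.test(host);
}

function endsWith(str, suffix) {
  return str.length >= suffix.length &&
         str.substr(str.length - suffix.length) === suffix;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Local destinations stay direct: loopback, plain names, the LAN domain,
  // private IPs (for example a DMZ web server reached by its private address).
  if (host === "localhost" || host === "127.0.0.1" || isPlainHost(host) ||
      endsWith(host, LAN_DOMAIN) || isPrivateIPv4(host)) {
    return "DIRECT";
  }

  // Everything else goes through Squid. Deliberately no "; DIRECT" fallback:
  // that would let a browser silently bypass the proxy (and its access.log)
  // whenever the proxy is slow or down; the firewall's port-80 block is the
  // backstop that makes such a bypass fail visibly instead.
  return SQUID;
}
```

Serve it as wpad.dat from a host named wpad in the clients' DNS search domain with Content-Type application/x-ns-proxy-autoconfig; browsers set to 'auto detect' fetch it via WPAD.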