gavguinness wrote:
Hi
I'm new to Squid. New in the sense that this time yesterday, I didn't know
what Squid was. I knew what I wanted to achieve though, and I've achieved
most of this today using Squid and a few helpful online guides...
To have users prompted to authenticate when they start their browser (Check)
To log their activity in a log file (Check)
Not to have to install any software on the PC (Check)
Specifically not to use any server based DB lookup authentication (check)
The only problem is that I want all users to go through Squid, even visiting
users. A lot of our guys are not going to want to manually enter Proxy
settings each time they visit a site - I want it to be automatic.
Similarly, not every user logs into our server(s), so I can't deploy a
script or setting to the visiting computer as they simply connect to the
WiFi, or Cabled network point.
So basically, just connect up to the network, go online and BAM, they have
to authenticate. Just like in Starbucks! (But without the coffee or wifi
charges!)
I looked at transparent settings, but I gather this doesn't work with
Authentication, so that's a no.
Now I'm focusing on how to get the clients to auto detect the squid box.
But I can't fathom how that's going to work. If the machines don't know
it's there, how can squid make itself known to them?
Ideally (and bear in mind my lack of knowledge at this stage) I would like
to just have my DHCP tell the clients that the squid box is the default
gateway and solve it that way, but again, I'm learning that the proxy
doesn't work that way - it's not a router, right?
Hope that makes sense, any help appreciated. But in the meantime, I'll get
my head back in the manual!
Cheers
Look into WPAD
(http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol) or a
captive portal like WiFiDog
(http://en.wikipedia.org/wiki/WiFiDog_Captive_Portal) or the Squid
session helper (check the archives).
Here's the condensed version of what I have experienced with WPAD. It
all assumes that the proxy settings have not been changed from the
shipping default in the browsers.
Using a Windows (98/2000/XP) machine and Internet Explorer, the DHCP
option 252 is honored. DNS (wpad.domainname.com) is used in the absence
of the DHCP option 252. Firefox (2 or 3) on a Windows (98/2000/XP)
machine or OS X (10.4 for sure) ignores the DHCP option 252; DNS is
used exclusively. Safari on Windows (98/2000/XP) or OS X ignores both
DHCP and DNS and must be explicitly configured to use a statically
defined PAC (http://en.wikipedia.org/wiki/Proxy_auto-config) file.
My suggestion is to have a webserver assigned to
http://wpad.yourdomain.tld that serves a PAC file when
http://wpad.yourdomain.tld/wpad.dat OR
http://wpad.yourdomain.tld/wpad.da is requested. This will
(transparently) catch the majority of web browsers. For the rest, you
should intercept outbound port 80 traffic and redirect it to a page that
describes how to set their browser back to defaults (or how to set their
browser to explicitly grab the PAC file).
Chris
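As an added illustration of the PAC file Chris describes (this is example code, not anything posted in the thread), the following is a minimal wpad.dat that sends every external request through Squid and lets local addresses go direct. The proxy address squid.example.internal:3128 and the internal domain .example.internal are assumed placeholders. A browser's PAC engine supplies isPlainHostName, dnsDomainIs and isInNet itself; the small versions below exist only so the file also runs stand-alone under Node.js for checking.

```javascript
// Minimal PAC (proxy auto-config) file, constructed as an example.
// Serve it as http://wpad.yourdomain.tld/wpad.dat with the MIME type
// application/x-ns-proxy-autoconfig; the browser calls
// FindProxyForURL(url, host) for every request it makes.

// Assumed address of the Squid box (placeholder, not from the thread).
var PROXY = "PROXY squid.example.internal:3128";

// --- Stand-ins for the helpers every PAC engine provides. ---
// Only needed to run this file outside a browser; browsers ignore
// redefinitions harmlessly, but you may strip them from the deployed copy.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;            // "intranet", "printer"
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length).toLowerCase() === domain.toLowerCase();
}
function isInNet(ip, pattern, mask) {
  // Browser versions resolve hostnames here (a DNS lookup per request);
  // this stand-in accepts dotted-quad literals only and returns false otherwise.
  var toInt = function (s) {
    var p = s.split(".");
    if (p.length !== 4) return null;
    var n = 0;
    for (var i = 0; i < 4; i++) {
      var o = parseInt(p[i], 10);
      if (isNaN(o) || o < 0 || o > 255 || String(o) !== p[i]) return null;
      n = n * 256 + o;
    }
    return n;
  };
  var a = toInt(ip), b = toInt(pattern), m = toInt(mask);
  if (a === null || b === null || m === null) return false;
  return ((a & m) >>> 0) === ((b & m) >>> 0);  // compare network parts
}

// --- The policy the browser actually evaluates. ---
function FindProxyForURL(url, host) {
  // Unqualified names and the internal domain (assumed) never leave the LAN.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.internal")) {
    return "DIRECT";
  }
  // Loopback and the (assumed) 192.168/16 office range also go direct.
  if (host === "localhost" ||
      isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Everything else goes through Squid, which is where the authentication
  // prompt happens. No "; DIRECT" fallback on purpose: if Squid is down the
  // browser must fail rather than silently bypass authentication and logging.
  return PROXY;
}
```

The URL of this file is what DHCP option 252 hands out, and what the wpad.yourdomain.tld host must answer at /wpad.dat; the script itself is the same either way. The one design decision worth stressing is the last line: a PAC that returns "PROXY ...; DIRECT" would let clients slip around the proxy, and therefore around the login and the activity log, whenever Squid is unreachable.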