
Re: CHALLENGE super complex proxy scenario. There must be a practical way! commercial solution?

Andres Salazar wrote:
Greetings,

The goal is to manage a LAN of 50-100 users dynamically controlling
with access list the sites each user can see, and the ones they can't.
I also need a simple way of controlling their internet route so that
they can be changed to use different IPs from different peer proxies
around the world (which I already have). All of this done 100%
transparent to the user, all config must be able to be dynamically
changed via the server level. Current services used by the users are:
Port 80, Port 443, and port 21 and a messenger XML port.


After reading the requirements below I reach the conclusion that the way you will have to do this is a mix of WPAD/PAC and firewall settings.

WPAD is a pain to get started but will PAC-configure the browsers in the background without users being aware of the exact settings.

PAC can be as simple or complex as you like, with multiple proxies and failovers configured based on things like the client IP or destination hostname.

http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers


Firewall gets thrown into the mix to either outright deny port 80/443/21 access, or, if you like, to NAT intercept port 80 to a proxy. This latter handles naive software updaters etc, while placing extra annoyance limits on people who try to bypass the proxies.

http://wiki.squid-cache.org/ConfigExamples/Intercept

Dilemmas:

a.) Squid cannot proxy/forward SSL in transparent mode. So what are my
options? Forward port 80 through a different protocol perhaps a VPN
just for port 443 so that the particular user originates his/her
requests from the IP I want it to be. Not to mention that not all
users would be using the same src IP for port 443 so that at least I
would have to manage 4-5 different tunnels the way I see it?


Maybe. PAC resolves the HTTPS problem by making the browser aware that it must wrap the HTTPS.

b.) Squid cannot use the FTP protocol to upload files. Thus I would
need to install on all the remote routes another true FTP compliant
proxy.

Maybe. PAC resolves this for web apps by informing browsers that they are to pass it off to the proxy.

For native FTP clients you will still need some proxy. frox is the one we recommend as it's purpose-built for this.


---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Why I need this to be 100% transparent:

No user should ever be allowed to surf the internet with their local
IP; all communication should be proxied to a specific route so no
bypassing allowed, thus the need for a FORCED transparent proxy.

My users have a number of different browsers installed ranging from
Opera, Firefox, IE... besides they have applications that manage
updates that would also need to have the proxy configured such as
AntiVirus software, Anti Spyware. There are ways to automatically
config browsers but what about ftp clients, virus and adware software?


The good anti-virus/malware apps I've seen all can pull their proxy settings from IE.

FTP clients are rare though. FTP is not a naturally proxied protocol.

We have sites that my users need not be proxied/vpned out because they
are in the same location. So aside from configuring each proxy in the
browsers stuff like a LAN CRM would have to be configured as
exceptions.

Not all users will use the same proxy, there would be at least 5
possible routes so internal routing must be done.

PAC resolves this by allowing you to set the decision logic out for each client if need be.

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

So, all of this is resumed into two proxy software combined with
tunnels/vpns. Even if this is done like I suggest I think network
diagnostics/maintenance would be *very* time consuming. Would you
guys agree?

Is there any commercial solution/open source solution that can do what
I want in a combo way? Btw due to the nature of SSL I don't expect to
have allow lists or deny lists but it should in a way proxy it so that
I can set custom src IPs per user.

--Andres

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
  Current Beta Squid 3.1.0.14
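A PAC file sketching the decision logic Amos describes: LAN hosts go direct, the route is chosen from the client's own IP, each route has a failover proxy, and HTTPS and ftp:// URLs are handed to the same proxy. This is an added example, not code from the thread or from the Squid project; the proxy hostnames, the 192.168.10.0/24 LAN and the address ranges are assumptions, and the helpers at the end are shims for the PAC built-ins so the file also runs under Node.

```javascript
// Constructed PAC example: one route per client IP range, LAN hosts direct,
// per-route failover, HTTPS (CONNECT) and ftp:// URLs handed to the same proxy.
// Hostnames and the 192.168.10.0/24 LAN are assumptions, not values from the thread.

var ROUTES = [
  // [network, mask, proxy list] -> edit here to re-route a group of users server-side
  ["192.168.10.0",  "255.255.255.192", "PROXY proxy-eu.example.net:3128; PROXY proxy-eu2.example.net:3128"],
  ["192.168.10.64", "255.255.255.192", "PROXY proxy-us.example.net:3128; PROXY proxy-us2.example.net:3128"]
];
// Default for everyone else. Deliberately no "; DIRECT" fallback: if every proxy on a
// route is down the request fails instead of leaving the LAN with the user's own IP.
var DEFAULT_ROUTE = "PROXY squid.example.internal:3128";

// Pure decision function so the logic can be unit-tested outside a browser.
function routeFor(url, host, clientIp) {
  // LAN CRM and other internal names never go through a proxy (the "exceptions" case).
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.internal")) {
    return "DIRECT";
  }
  // The browser applies the returned proxy to http, https (via CONNECT) and ftp URLs alike.
  for (var i = 0; i < ROUTES.length; i++) {
    if (isInNet(clientIp, ROUTES[i][0], ROUTES[i][1])) {
      return ROUTES[i][2];
    }
  }
  return DEFAULT_ROUTE;
}

// Entry point the browser calls; myIpAddress() is the client's own address.
function FindProxyForURL(url, host) {
  return routeFor(url, host, myIpAddress());
}

// --- Shims for the PAC built-ins so this runs under Node (a browser supplies the real ones) ---
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(host.length - domain.length) === domain;
}
function ip2int(ip) {
  return ip.split(".").reduce(function (acc, octet) { return (acc << 8) + parseInt(octet, 10); }, 0) >>> 0;
}
function isInNet(ip, net, mask) {
  return ((ip2int(ip) & ip2int(mask)) >>> 0) === ((ip2int(net) & ip2int(mask)) >>> 0);
}
function myIpAddress() { return "192.168.10.20"; } // shim: fixed test client; the browser returns the real IP
```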
