On Tue, 16 Feb 2010 20:53:52 +0100, Christian Weiligmann <christian.weiligmann@xxxxxxxxxxxxxxxxx> wrote:

> I have a problem,
> I would like to get all my questions from the internal network to the
> internet over squid proxy, with using delegated authentication.
> (SQL,NTLM...).
> Is that possible? I know that the transparency function is not able
> to authenticate. But what can I do?
> For example: IPsec connections, OpenVPN connections and many other
> client programs used for internet connections over squid. And I have to
> log all the traffic with ip, username and password.
>
> sorry for this stupid question, but I want to learn.

Well, you can't authenticate against the proxy itself while intercepting the traffic. But there are all sorts of alternatives.

I recommend the one called WPAD or WPAD/PAC. It uses a PAC (proxy auto-configuration) file to 'transparently' configure all the network clients to use the proxy. Any client browser with their network proxy settings turned to "automatic" will act like a regular proxy client without any special configuration on the user's part. You may use authentication with these clients!

http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers#Fully_Automatically_Configuring_Browsers_for_WPAD
http://wiki.squid-cache.org/Technology/WPAD

From your request I assume that non-login requests are not to be permitted at all. With WPAD going you can convert the interception requests into a captive portal type setup, where any requests arriving at it get sent to a custom page (using deny_info and ACL) instructing the user how to set up their browser to use the WPAD setting.

This may need to be phased in with an IP range ACL slowly expanding across the network to get clients updating their settings on a controlled gradual basis, watching the logs closely for programs which may need special admin attention for any reason.

Amos
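As an added example, not part of the thread above: a minimal PAC file of the kind WPAD publishes (typically as wpad.dat) so that browsers set to "automatic" proxy configuration become regular, authenticable proxy clients. The internal domain example.internal, the 10.0.0.0/8 range and the proxy host proxy.example.internal:3128 are assumed.

```javascript
// Added example PAC file (not from the squid-users thread). Browsers fetch it
// via WPAD and call FindProxyForURL(url, host) for every request.
// Assumed: internal domain example.internal, internal range 10.0.0.0/8,
// Squid listening on proxy.example.internal:3128.

// isPlainHostName, dnsDomainIs and isInNet are normally supplied by the
// browser's PAC runtime. They are defined here only so the file runs
// stand-alone under Node; drop them from the deployed wpad.dat.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.endsWith(domain);
}
function isInNet(ip, pattern, mask) {
  // Dotted quad -> unsigned 32-bit integer.
  const toInt = (s) =>
    s.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
  const m = toInt(mask);
  return (toInt(ip) & m) === (toInt(pattern) & m);
}

function FindProxyForURL(url, host) {
  // Intranet traffic never needs the proxy: bare hostnames, the internal
  // DNS domain and literal addresses inside 10.0.0.0/8 go direct.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.internal")) {
    return "DIRECT";
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) &&
      isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else is sent to Squid as a normal forward-proxy request, so
  // Squid can issue a 407 proxy-authentication challenge and log the user.
  // Deliberately no "; DIRECT" fallback: if the proxy is down the client
  // must fail rather than silently bypass authentication and logging.
  return "PROXY proxy.example.internal:3128";
}
```

The captive-portal half of Amos's suggestion lives in squid.conf (an ACL matching the intercepted port plus deny_info pointing at the instructions page), not in the PAC file.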