On 02/02/11 01:27, Pandu Poluan wrote:
On Tue, Feb 1, 2011 at 18:15, Amos Jeffries wrote:
On 01/02/11 19:58, Pandu Poluan wrote:
On Tue, Feb 1, 2011 at 13:36, Amos Jeffries wrote:
On 01/02/11 16:29, Pandu Poluan wrote:
Hello,
I want to configure SQUID as a transparent proxy, but on a separate
box from the Linux gateway (both boxes using Ubuntu Server 10.04)
I found this howto:
http://www.faqs.org/docs/Linux-mini/TransparentProxy.html
Now, my questions are:
1. Is the howto (esp. sections 6.2 and 6.3) still applicable with the
latest SQUID version?
The whole of section 6.1 is a major security vulnerability "don't do it!" situation. Read CVE-2009-0801 for an explanation of what malware can do to trivially spread itself across your whole client base.
The currently available Squid does permit it, with loud failure warnings in cache.log. We are planning on fully disabling the security hole in the near future.
Section 6.2 and 6.3 are the recommended way if you have to do NAT
interception.
The real transparent proxy (TPROXY) in the more recent Squid does not work reliably on Ubuntu 10.04.
I don't really understand TPROXY. Do I really need TPROXY for Squid to do transparent/intercepting proxying?
No, it's not required. Just useful and nicer than NAT, since it operates in both IPv4 and IPv6 and avoids websites with badly designed IP-based security systems (aka hotmail.com and some popular download sites).
If I do, what Linux distro do you recommend?
For TPROXY the best distros seem to be CentOS 5.5+, Debian Squeeze or Ubuntu 10.10, all with a self-built Squid 3.1.10.
Ahhh, I see...
More questions, then. But first, a description of my situation.
I need to have 2 Squid boxes separate from the Linux firewall. The
reason is that the users of the Squid boxes are different:
Squid A is used by Management -- traffic must go through Internet-A
Squid B is used by Rest Of Staff -- traffic must go through Internet-B
There's a single Linux firewall connected to Internet-A and Internet-B; it performs SNAT and routing, currently using "ip rule" entries to route based on source address.
Now, my questions:
1. Where must I apply the TPROXY patches? The firewall, or Squid boxes?
No patches. Just newish versions of certain software:
http://wiki.squid-cache.org/Features/Tproxy4
2. What configurations should be applied on the firewall and the Squid boxes?
If you can point me to a HOWTO suitable for my situation, I'd appreciate it. I've been searching, and it seems that most HOWTOs on TPROXY assume an intercepting Squid on the same box as the firewall.
That is because they are. The OSes which support TPROXY all provide their own internal firewall. This is the only firewall involved.
Outside of a TPROXY box the packets are indistinguishable from client packets that were merely relayed/bridged through the box. There is at most maybe some special routing-level config to pass them out without looping and to get the replies to come back through the box.
Again, thanks for your kind assistance. Apologies if I trouble you in any way.
Welcome.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.10
Beta testers wanted for 3.2.0.4
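As an added example (not code from this thread, from the Tproxy4 wiki page or from the Squid project), here is what the "special routing-level config" for Pandu's two-box layout can look like, written as a POSIX shell script that generates the rules for each box. The Squid-box part is the standard DIVERT/socket/TPROXY setup described on the Tproxy4 page Amos links to; the gateway part is the piece the single-box HOWTOs leave out: steering client port-80 traffic to the Squid box and routing the replies back through it without a loop. All addresses, interface names, marks and table numbers are assumed placeholders, and only the Squid A / Internet-A path is shown; Squid B is the same with its own client range, mark and table.

```shell
#!/bin/sh
# Added example (not from this thread or the Squid project): routing-level
# config for a TPROXY Squid on a box separate from the gateway.  Only the
# Squid A / Internet-A path is shown.  Every address, interface name, mark
# and table number below is an ASSUMED placeholder; adjust to your network.
#
# Assumed topology:
#   management clients 10.1.0.0/24 ---- eth0 [gateway] eth2 ---- Internet-A
#                                        eth1
#                                         |
#                                eth0 [Squid A] 10.9.0.2
CLIENTS_A="10.1.0.0/24"
SQUID_A="10.9.0.2"
SQUID_IF="eth0"          # the Squid box's (only) interface
SQUID_PORT=3129          # the "http_port ... tproxy" port on the Squid box
GW_IF_LAN="eth0"         # gateway interface facing the clients
GW_IF_SQUID_A="eth1"     # gateway interface facing Squid A
GW_IF_WAN_A="eth2"       # gateway interface to Internet-A
SQUID_MARK=0x1           # fwmark/table on the Squid box (values from the Tproxy4 wiki)
GW_MARK=0x10             # fwmark on the gateway (assumed value)
GW_TABLE=110             # policy routing table on the gateway (assumed value)

# Squid box: the standard Tproxy4 setup.  Port-80 SYNs are grabbed by the
# TPROXY target; replies for Squid's spoofed sockets are caught by "-m socket"
# and both get the mark that sends them to the "everything is local" table.
# This is the box's own "internal firewall" that Amos refers to.
squid_box_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.conf.$SQUID_IF.rp_filter=0
ip rule add fwmark $SQUID_MARK lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark $SQUID_MARK
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark $SQUID_MARK/$SQUID_MARK --on-port $SQUID_PORT
EOF
}

# The squid.conf line that goes with the rules above.
squid_conf() {
  echo "http_port $SQUID_PORT tproxy"
}

# Gateway: get client web traffic to the Squid box and the replies back
# through it.  TPROXY re-uses the client's source address, so packets coming
# back from the Squid box look exactly like the client's own; only the
# ingress interface tells them apart.  Matching "-s CLIENTS" alone would
# bounce them gateway -> Squid -> gateway forever.
gateway_rules() {
  cat <<EOF
# rp_filter would drop the spoofed-source packets arriving from the Squid box
sysctl -w net.ipv4.conf.$GW_IF_SQUID_A.rp_filter=0
# 1. client requests (LAN side only) are marked and sent to Squid A
iptables -t mangle -A PREROUTING -i $GW_IF_LAN -s $CLIENTS_A -p tcp --dport 80 -j MARK --set-mark $GW_MARK
# 2. remember, per connection, the spoofed flows Squid opens to the Internet
iptables -t mangle -A PREROUTING -i $GW_IF_SQUID_A -s $CLIENTS_A -p tcp --dport 80 -j CONNMARK --set-mark $GW_MARK
# 3. on the way back in, restore that mark; mangle runs before de-SNAT, so the
#    destination is still the public address here and only the interface is
#    usable as a match
iptables -t mangle -A PREROUTING -i $GW_IF_WAN_A -j CONNMARK --restore-mark
# 4. anything marked (requests and the matching replies) goes via the Squid box
ip rule add fwmark $GW_MARK lookup $GW_TABLE pri 100
ip route add default via $SQUID_A table $GW_TABLE
EOF
}

# Without an argument this file only defines the functions.  As root:
#   sh tproxy-split.sh squid      (on the Squid box)
#   sh tproxy-split.sh gateway    (on the firewall)
#   sh tproxy-split.sh show       (print both rule sets, no changes made)
case "${1:-}" in
  squid)   squid_box_rules | sh -e ;;
  gateway) gateway_rules | sh -e ;;
  show)    squid_box_rules; squid_conf; gateway_rules ;;
  *)       ;;
esac
```

Because the spoofed flows keep the management source range, the firewall's existing source-based "ip rule" entries still send them out Internet-A; that is the advantage of TPROXY over NAT interception that Amos mentions. The Squid build needs --enable-linux-netfilter, and the TPROXY target and socket match need the kernel and iptables versions listed on the Tproxy4 wiki page. Squid B gets its own copy of the gateway rules with a different client range, mark and table, pointing at Squid B's address.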