On Mon, 23 May 2011 13:55:52 -0500, Brent Norris wrote:
List, I currently have squid setup as an interception proxy in my school district. I also have it configured on our static network machines. I understand that squid will not work as an interception proxy for anything that isn't standard HTTP, according to documentation available on the web. What I was wondering though is if there was a way that I could set my Linux server up to accept other kinds of traffic (HTTPS, Streaming media) and pass that traffic on without really proxying it, but still comparing it against my squidguard lists?
Think about that. Comparing random IP packets against squidguard HTTP rules.
IP packet handling is a firewall duty. You will have to duplicate your SG rules in the firewall.
I do a lot of filtering of objectionable sites for our students in squidguard and it would be a very big hole to all those sites through if the students are using HTTPS to get to them. I am not really set in any specific way. If someone has a better idea about how I should go about it, please feel free to give me any pointers that you might have.
We officially recommend using interception as a very *last* resort. It is dangerous with nasty side effects, just like NAT on which it is based. You have just noticed one of the security holes.
The recommended network setup has multiple ways software can find its way to the proxy. WPAD and PAC, local environment variable on fixed machines. The details are outlined in the FAQ at http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers
Amos
