Hi people:

I've been a Squid user for a long time, but my skills -I believe- aren't high enough to implement some of the features I'm asking about in this e-mail.

In a university there are 6000-8000 users (they are spread across a big campus through different VLANs, offices and even metro-ethernet connected branches) browsing the Internet through two lines of 80 and 70 Mbps. Currently there's a Fortinet appliance doing the labor of web filtering, with some interesting features I'd like to implement with Squid too. These are the pros and cons of Fortinet:

cons
====

- It doesn't have a cache (at least not an effective one).
- When Fortinet implements too many bandwidth rules (something like Squid delay pools) it begins to work slowly and the browsing becomes slow too.

pros
====

- It has a feature to transparently block https websites. The Fortinet admin told me that only for blocked webpages users get a warning of an incorrect certificate (a Fortinet digital certificate), but for allowed websites users don't get any warning of failing digital certificates (I don't know if this is true or possible).
- Its web filtering is good; it has an up-to-date database of categorized websites to do easy blocking.

What I plan to do is (or what I'd like to do):

- Put Squid in front of Fortinet so this one can use Squid's cache. I read this is possible using WCCP and some other things.
- Squid should work as a replacement for Fortinet if this one someday fails. So Squid is the backup solution to replace Fortinet.

So to achieve this I think I need:

a) Do good filtering: I was thinking about configuring Squid + SquidGuard with a free database, but I have a simple and basic question here: when I use a redirector like SquidGuard... will all Squid ACLs definitely stop working? I mean, can I use a redirector and still use my traditional ACLs (acl, http_access, http_reply_access)? The last time I used a redirector with Squid I noticed that the ACLs weren't even read by Squid, so I have this doubt.

b) Integrate Fortinet with WCCP: I quickly looked at a few tutorials on how to do that, but... have you achieved this without problems?

c) Do transparent https proxying with Squid: I tried to use the https_port + ssl-bump feature of Squid 3.1 and iptables (REDIRECT port 443 to 3128) without 100% success. I generated my own certificate and that one is the same one users get when trying to view some websites (i.e. facebook.com), which is OK, but it happened that some websites didn't work as expected: some websites loaded OK, some loaded without CSS stylesheets or images, and some others never loaded (I got the "redirect loop" error in the browser). I wasn't able to build Squid 3.2, but I don't know if it is necessary to use this version to get this feature of transparent https proxying working.

d) Cache performance: Are there any special Squid settings that would help me improve or get the maximum performance out of my cache? Is Squid the best open source solution to implement a powerful cache for my users?

I hope someone with some extra free time can help with suggestions, ideas or point me to some articles on the Internet about these features.

Thanks