On 20/05/2012 19:47, Jason Voorhees wrote:
Hi people:
I've been a Squid user for a long time, but my skills, I believe, aren't
high enough to implement some of the features I'm asking about in this
e-mail.
In a university there are 6000-8000 users (spread across a big campus
over different VLANs, offices and even metro-Ethernet connected
branches) browsing the Internet through two lines of 80 and 70 Mbps.
Currently there's a Fortinet appliance doing the job of web
filtering, with some interesting features I'd like to implement with
Squid too. These are the pros and cons of Fortinet:
cons
====
- It doesn't have a cache (at least not an effective one)
- When Fortinet implements too many bandwidth rules (something like
Squid delay pools) it begins to work slowly and browsing becomes
slow too.
Squid can implement both of them, but it depends on the hardware that is
hosting Squid.
A basic 4 cores with 8 GB RAM can basically do the job for you.
The number of users is not much of a measurement; rather, requests per
second and bandwidth throughput together are.
pros
====
- It has a feature to transparently block HTTPS websites. The Fortinet
admin told me that only for blocked web pages do users get a warning
about an incorrect certificate (a Fortinet digital certificate), but for
allowed websites users don't get any warning about failing digital
certificates (I don't know if this is true or possible).
- Its web filtering is good; it has an up-to-date database of
categorized websites to do easy blocking.
What I plan to do is (or what I'd like to do):
- Put Squid in front of Fortinet so that it can use Squid's cache. I
read this is possible using WCCP and some other things.
- Squid should work as a replacement for Fortinet if it someday
fails. So Squid is the backup solution to replace Fortinet.
It depends on the outgoing IP address and on the interception level.
In basic interception mode you can use Fortinet as a cache_peer.
So to achieve this I think I need:
a) Do good filtering: I was thinking about configuring Squid +
SquidGuard with a free database, but I have a simple and basic
question here: when I use a redirector like SquidGuard, will all Squid ACLs
definitely stop working? I mean, can I use a redirector and still
use my traditional ACLs (acl, http_access, http_reply_access)? Last
time I used a redirector with Squid I noticed that all ACLs
weren't even read by Squid, so I have this doubt.
A url_rewrite is what you will use, and all the ACLs will work the same way.
You can bypass the url_rewrite with ACLs, so to speak.
b) Integrate Fortinet with WCCP: I quickly saw a few tutorials on how
to do that but... have you achieved this without problems?
What exactly do you want to achieve by using WCCP? What benefits come from that?
c) Do transparent HTTPS proxying with Squid: I tried to use the https_port +
ssl-bump feature of Squid 3.1 and iptables (REDIRECT port 443 to 3128)
without 100% success. I generated my own certificate, and that is the
same one users get when trying to view some websites (e.g.
facebook.com), which is OK, but it happened that some websites didn't
work as expected: some websites loaded OK, some loaded without CSS
stylesheets or images, and some others never loaded (I got the
"redirect loop" error in the browser). I wasn't able to build Squid
3.2, but I don't know if it is necessary to use this version to get this
feature of transparent HTTPS proxying working.
To use ssl-bump you use a different port than 3128, specifically for
ssl-bump.
There was a bug somewhere that makes a loop like that, and I think that
the cause is redirecting 443 to 3128 instead of to the ssl-bump port.
Try it again and you will see miracles :]
d) Cache performance: are there any special Squid settings that help
me improve or get the maximum performance from my cache? Is Squid the
best open source solution to implement a powerful cache for my users?
I hope someone with some extra free time can help with suggestions or
ideas, or point me to some articles on the Internet about these features.
There are some open source cache options, but Squid is the most advanced
one that I have seen and used.
It's very simple to configure compared to many other solutions that exist,
and even compared to paid ones.
For dynamic content you can add an instance of squid 2.7.STABLE9 patched
to also cache YouTube and some other sites that won't be cached due to
their dynamic-link behavior.
If you need some more help, don't be afraid to ask.
good luck,
Eliezer
Thanks
--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
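The points raised above (a, b, c and d) fit in one squid.conf. The fragment below is an added example for this thread, not configuration posted by either participant: it shows the rewriter-with-ACLs setup from (a), the Fortinet appliance as a cache_peer as suggested for (b), the separate ssl-bump port that the reply recommends for (c) with its matching iptables rules, and a starting point for the cache sizing in (d). Directive names follow Squid 3.1, the release the question is about; later releases renamed some of them. The addresses (10.0.0.0/8, 10.0.0.2), the interface name eth1, the domain .campus.example, the SquidGuard and certificate paths and all the size figures are placeholders and must be adjusted to the site.

```conf
# squid.conf fragment (added example for this thread; values are assumptions)

# (c) Intercepted HTTP on 3128 and a SEPARATE intercept port for ssl-bump.
# The reply attributes the "redirect loop" to sending port 443 to 3128,
# so HTTPS gets its own port. With a single static cert= every bumped
# site presents the same certificate, which is what browsers warn about.
http_port  3128 intercept
https_port 3129 intercept ssl-bump cert=/etc/squid/ssl/proxy.pem
ssl_bump allow all

# Matching NAT rules on the Squid host (run as root; eth1 is the LAN side):
#   iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80  -j REDIRECT --to-port 3128
#   iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-port 3129

# (a) SquidGuard as url_rewrite helper. http_access is still evaluated
# first, exactly as without a rewriter; the rewriter only sees requests
# that http_access has already allowed.
acl localnet   src 10.0.0.0/8
acl no_rewrite dstdomain .campus.example
url_rewrite_program  /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf
url_rewrite_children 10
# ACL-driven bypass: requests matching no_rewrite never reach SquidGuard.
url_rewrite_access deny  no_rewrite
url_rewrite_access allow localnet
http_access allow localnet
http_access deny  all

# (b) Fortinet as parent: Squid serves from cache, misses go through the
# appliance so its filtering still applies on the way out.
cache_peer 10.0.0.2 parent 8080 0 no-query default name=fortinet
never_direct allow all

# (d) Cache sizing for the "4 cores, 8 GB" box mentioned in the reply.
cache_mem 2048 MB
cache_dir aufs /var/spool/squid 50000 16 256
maximum_object_size 512 MB
```

Check the result with `squid -k parse` before reloading; it reports unknown directives, which is the quickest way to catch a 3.1 option that a newer release has renamed. If Fortinet is later removed, deleting the cache_peer and never_direct lines is all that turns this into the stand-alone backup setup the question asks for, because the filtering ACLs and the rewriter do not depend on the peer.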