On 04.07.2012 15:54, Ezequiel Birman wrote:
"Eliezer" == Eliezer Croitoru <eliezer@xxxxxxxxxxxx> writes:
<snip>
No problem, I've used bind before. Sorry to ask this on squid-users but
did anyone try pdnsd (http://members.home.nl/p.a.rombouts/pdnsd/),
pdns-recursor, dnsmasq (not sure if it caches/recurses), djbdns, dnrd,
unbound, yadifa or others? I ask because maybe a full-blown DNS server
is not needed this time.

I'm aware of people using dnsmasq, djbdns and pdnsd. Have not heard of
the others, thank you for the tidbits.

The resolver does not matter as long as it performs recursive DNS
properly. Both Squid and the client will be sending it DNS packets as
their interface.
>>
>> > using this setup you can test settings very easily on part of
>> > the clients or test computer.
>>
>> > for network usage analysis you can use ntop, it also gives p2p
>> > and other protocols detection.
>>
>> I am trying it right now, nice!
>>
>> > so the setup i propose is not from your list:
>>
>> > 5) wan1---+--------+    +------------+
>> >           | RV042  |---|squid\bridge|--switch-+--[lan clients]
>> >    wan2---+--------+    +------------+
>>
>> > - RV042 = LB and wan gateway.
>> > - squid = bridge + NTOP + p2p block\throttling + http cache
>>
>> Thanks, I am giving it a try.
>>
>> I'll start by following
>>
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/DebianWithRedirectorAndReporting
>>
> this is a good way to start but it won't be a transparent proxy but
> a "nat" proxy but it can be good for your needs as anyway you have
> nat in the RV042.
Are you sure? The only mention of nat is in order to redirect port 80
to 3128 on the squid box. This is the intro:

Yes. There are 4 protocol layers involved.

ebtables - rules stop it being a bridge "transparent relay/proxy" and
make it routed traffic.

iptables - rules use NAT (interception proxy) instead of TPROXY
(transparent proxy).

squid - config file uses URL-rewriters to prevent Squid being a HTTP
protocol "transparent proxy" (the HTTP definition of "transparent proxy"
is the Squid default behaviour).

There are a lot of people confused by the meaning of the word
"transparent". With good reason, it has been used out of context so
much.
"This document (based on this article[1] with some updates and
additions) explains how to put into production a Bridge device running a
Squid interception web proxy on a Linux Debian 6 system. Since the proxy
is performing transparent interception, LAN users are able to surf the
web without having to set manually the proxy address in their browser.
This document also details how to set up a few useful features such as
web filtering (via Squirm) and usage monitoring (via SARG).

First of all, you need a Linux box with two network interfaces that
we'll set up as a bridge. We'll assume that eth0 is connected downstream
to the LAN, while eth1 provides upstream access to the Internet."
>> which seems similar to what i am trying to achieve. If I am
>> mistaken, please let me know.
>>
>> and also most of http://wiki.squid-cache.org/Features/Tproxy4
> tproxy will give you the benefit of some graphing tools with a
> more accurate vision on your clients' requests.
> update me
> Regards, Eliezer
>>
>> > things you should consider about pfsense and ClearOS:
>> > - they do have nice web interface but lack updated software.
>> > - they take up from your machine more than you need.
>> > - they leave you in the big cloud of "what to h### happen when i
>> >   did apply???"
>>
>> > about accessing the squid in this setup the box is behind nat
>> > so it's ok and if you will ever decide that you want the squid
>> > to take over the RV042 LB and dhcp you can just use iptables to
>> > block access to squid port or bind squid only to local net port
>> > and of course the basic way of acls to allow only local users
>> > access.
>>
>> > about content filtering: i prefer to use squidguard and not
>> > dansguardian. there's always the option of using some icap
>> > server such as qlproxy.
A quick google search tends to favor dansguardian. Why do you prefer
squidguard? Is it still being developed?

SG is an internal helper. Access controls are written in squid.conf
only. Squid passes it a limited amount of data to work with and
manipulates the HTTP request based on the response.

DG is a proxy separate from Squid, with access controls being written
in one or the other, sometimes both.

Amos
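The three layers Amos lists (ebtables stopping the frame from being bridged, iptables choosing NAT interception or TPROXY, squid.conf agreeing with that choice) are easier to see side by side. The script below is an added example for this thread; it is not from the mailing list, nor the rule set of the two Squid wiki pages linked above, and it assumes eth0 is the LAN-facing bridge port, Squid listening on 3128 (intercept) or 3129 (tproxy), and arbitrary mark/routing-table numbers (1 and 100). It only echoes the commands unless APPLY=1 is set, so the two iptables styles can be compared before anything is changed on the box.

```shell
#!/bin/sh
# Added example (not from the squid-users thread or the Squid wiki pages).
# Emits the three layers of a bridged Squid interception box so the NAT
# and TPROXY styles can be compared. Assumed names: eth0 = LAN-facing
# bridge port, Squid on 3128 (intercept) or 3129 (tproxy), fwmark 1 and
# routing table 100 are arbitrary. Commands are echoed unless APPLY=1.

LAN_IF=${LAN_IF:-eth0}

# Echo a command, or execute it when APPLY=1 (must then be run as root).
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$@"; fi
}

# Layer 1: ebtables. In the BROUTING chain the DROP target means "route
# this frame" (ACCEPT would mean "keep bridging it"), so port-80 frames
# from the LAN side leave the bridge path and reach the IP stack, where
# iptables can see them. This is what stops the box being a pure
# "transparent relay" at layer 2.
ebtables_layer() {
  run ebtables -t broute -A BROUTING -i "$LAN_IF" -p IPv4 --ip-proto tcp \
      --ip-dport 80 -j redirect --redirect-target DROP
}

# Layer 2a: NAT interception. REDIRECT rewrites the destination to the
# box itself on 3128. Squid still sees the client's address, but the
# original destination survives only in the NAT table, which is why the
# thread calls this a "nat" proxy rather than a transparent one.
nat_layer() {
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
      -j REDIRECT --to-ports 3128
}

# Layer 2b: TPROXY. Nothing is rewritten; marked packets are routed to lo
# and delivered to a socket bound with IP_TRANSPARENT, so Squid keeps the
# real client and server addresses on both sides of the connection. The
# "-m socket" rule returns replies on already-established flows.
tproxy_layer() {
  run iptables -t mangle -N DIVERT
  run iptables -t mangle -A DIVERT -j MARK --set-mark 1
  run iptables -t mangle -A DIVERT -j ACCEPT
  run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
  run iptables -t mangle -A PREROUTING -p tcp --dport 80 \
      -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
  run ip rule add fwmark 1 lookup 100
  run ip route add local 0.0.0.0/0 dev lo table 100
}

# Layer 3: the squid.conf listener. The mode keyword must match the
# iptables style, otherwise Squid cannot recover the original destination
# and the whole chain fails even though the packets arrive.
squid_port_line() {
  case "$1" in
    nat)    echo "http_port 3128 intercept" ;;
    tproxy) echo "http_port 3129 tproxy" ;;
    *)      echo "unknown mode: $1" >&2; return 1 ;;
  esac
}

# Print (or apply) the complete set for one mode: nat or tproxy.
intercept_rules() {
  mode=$1
  ebtables_layer
  case "$mode" in
    nat)    nat_layer ;;
    tproxy) tproxy_layer ;;
    *)      echo "unknown mode: $mode" >&2; return 1 ;;
  esac
  squid_port_line "$mode"
}

# Usage: sh intercept.sh nat        (or: APPLY=1 sh intercept.sh tproxy)
if [ $# -gt 0 ]; then
  intercept_rules "$1"
fi
```

Running it with `nat` and then `tproxy` shows that the ebtables line is identical in both cases; only the iptables table (nat vs mangle) and the matching `http_port` mode change. That is the distinction Eliezer draws when he says the wiki example gives a "nat" proxy while TPROXY gives graphing tools an accurate view of client addresses.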