On 23/02/2013 9:47 p.m., Magnus wrote:
I am setting up a Linux machine that will run behind a corporate web proxy with authentication (NTLM and basic) but since I will for development purposes run a lot of different software, VMs etc it is a pain to manage proxy configuration in them all (some programs also have buggy or non existing proxy support and the password in the corporate firewall must be changed regularly making the pain worse). The corporate proxy does not seem to do a very good job in accelerating web traffic either :-( To address these problems I would like to set up a "transparent proxy"
"transaprent proxy" means many different things. What you are talking about here is "transparent interception proxy" or just "interception proxy".
on my own box for my private use that intercepts all http traffic, accelerates it and directs it to the corporate proxy (including performing the authentication with my own user name password) - this way I should only have to set and update it in one place and also solve the other issues at the same time! My question is if it is possible to set up Squid in this way?
Sort of. Yes to all of the above _except_ sending NTLM authentication to the upstream proxy.
Squid can only generate Basic or Negotiate authentication credentials for upstream Proxy-Auth headers. If the corporate proxy were upgraded to Negotiate/Kerberos authentication the Squid sending your credentials would be an option. NTLM is just too complicated with several round-trips of request/reply, nobody can be bothered implementing it (particularly since NTLM is an obsolete and insecure protocol these days).
NTLM and Digest authentication requires the software on your end to generate the credentials and Squid can be configured to relay them to the upstream.
... NP: the proxy generating credentials for you is called "transparent authentication proxy". The relaying of credentials is part of "HTTP transparent proxy".
I already know that it is good at speeding up web traffic and that it can be set up as transparent proxy but I am not sure if it could be done on a single machine as described or if it can redirect traffic to another proxy that sits between it and internet? If it is possible how hard would it be? Are there some guides I could use? I know a bit about networking but is not a guru by any means...
I think you want to look at DHCP or software auto-configuration (otherwise known as "transparent configuration") to push out a PAC file using WPAD settings. A lot of software will pick up the proxy details from the PAC file and use the proxy without any manual configuration needed.
The http://wiki.squid-cache.org sevice seems to be down as of right now. When it comes up take a read through http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers for the best way to configure Squid. Even if you go with interception proxy for most of the traffic you should have a forward-proxy port configured anyway for the objects which are served directly out of Squid.
Amos
