
Re: Transparent Proxy


 



On 07/08/13 16:02, Roman Gelfand wrote:
Is there a way I could control access to various sites based on user
irregardless of workstation they are on?  All in transparent proxy.

Thanks in advance

I did this a long time ago.

I had a terminal server, so all the users came from the same IP.
I did an ident authentication.

ident is a simple (and very old) protocol.
1. A client with clientIP/ connects from sourcePort to ProxyIP/ProxyPort
2. Ident helper in squid asks clientIP who was the user connecting from SourcePort to ProxyPort
3. ident daemon (or service in windows) replies with the username in plain text.

Problems:
* Some antivirus in the clients can see the ident service as a security threat
* Because ident is a very old and insecure protocol, you need to be the only admin in the clients so you can trust the ident answer.
* There are a lot of fake ident services for windows. They always answer with the same username. You need a real ident.
* When using transparent proxy there's some NAT involved so the client doesn't really connect to proxyIP/ProxyPort. You need an ident NAT handler in your server.
* Because of the NAT handling, the NAT and the proxy should be in the same server (usually the default gateway for the clients)
* I did this a long time ago, so I don't remember how to work around the NAT problem. All I remember is that it is possible.

If the clients are windows logged in a domain I think you can also try ntlm
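
Added example, not part of the original post and not Squid's own code: the three-step ident exchange described above, written as the query the proxy side sends and a strict parser for the plain-text reply. It assumes the RFC 1413 line format; the port numbers and the username are constructed sample values.

```python
import re

IDENT_PORT = 113  # TCP port the ident daemon listens on (RFC 1413)

def build_query(source_port: int, proxy_port: int) -> bytes:
    """Step 2: ask the client host who owns sourcePort -> proxyPort."""
    for port in (source_port, proxy_port):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    # The client's own port comes first, then the port on the asking side.
    return f"{source_port} , {proxy_port}\r\n".encode("ascii")

_REPLY = re.compile(
    rb"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*)$")

def parse_reply(line: bytes, source_port: int, proxy_port: int):
    """Step 3: return ("user", name) or ("error", code).

    Raises ValueError for anything malformed, so the caller can treat
    the request as unauthenticated instead of guessing a username.
    """
    if len(line) > 1000:  # RFC 1413 lets the asker abort after 1000 chars
        raise ValueError("ident reply too long")
    m = _REPLY.match(line.rstrip(b"\r\n"))
    if not m:
        raise ValueError("malformed ident reply")
    # The daemon must echo the port pair we asked about.
    if (int(m.group(1)), int(m.group(2))) != (source_port, proxy_port):
        raise ValueError("reply is for a different port pair")
    kind, rest = m.group(3), m.group(4)
    if kind == b"ERROR":
        return ("error", rest.strip().decode("ascii", "replace"))
    # USERID : <opsys> : <user-id>; surrounding spaces are trimmed here.
    _opsys, sep, user = rest.partition(b":")
    if not sep or not user.strip():
        raise ValueError("USERID reply without a user-id")
    return ("user", user.strip().decode("utf-8", "replace"))

# Constructed sample replies for a client at source port 40123, proxy 3128.
SAMPLE_OK = b"40123 , 3128 : USERID : UNIX : alice\r\n"
SAMPLE_ERR = b"40123 , 3128 : ERROR : NO-USER\r\n"
SAMPLE_WRONG_PAIR = b"40124 , 3128 : USERID : UNIX : alice\r\n"
```

The parser only checks that a reply is well formed and matches the query. It cannot tell a real daemon from one that always answers with the same username, so the answer is only as trustworthy as the client host that sent it.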





