Re: squid as general tcp proxy

Hey James,

Squid is a very bad choice for your scenario (if I understood it right).
Handling lots of connections at the TCP level only should be done using proxy software that knows how to handle these efficiently.

Squid indeed has a very nice acl language that allows one to use it pretty easily, and a proxy that can do that and also handle more protocols is not known to me yet in the form of open source software.
I know many will like it.

There was software called pCache which was supposed to give p2p caching and used tproxy to intercept all connections and then identify them by p2p structure etc. You can try to use the basic structure of this software if you want to write your own proxy.

In any case, when you are using an intercept or transparent proxy setup you can only use a couple of ways to authenticate the clients:
- radius server (via wifi login, ppp, etc.)
- strict login internal page against a DB or radius+mysql
- other creative ways.

It depends on your needs to think about the right solution for you.

As I understand, you want to do a small thing like driving from one side of the street to the other, but you want to use the SWAT (squid) for that.

There are many creative ways to allow authentication and authorization while still using iptables\fw.
For some it's easy to implement and for others not.

Eliezer

On 07/18/2014 11:11 AM, James Harper wrote:
> True, but squid has the advantage of a very nice acl and permission infrastructure, rather than defining one set of rules for squid and another for iptables (which can't authenticate by identd afaik)
>
> Using a https_port with transparent and ssl_bump none works - all connections are just plumbed straight through. The only issue is when the destination port is unreachable - then squid returns an error page which is going to be completely unexpected by the client unless it is expecting http. I assume that's an issue when just using https_port for actual ssl too though.
>
> James