Re: Question on multiple proxy usage

From: Bert Driehuis <bert_driehuis@dont-contact.us>
Date: Sun, 23 Apr 2000 02:14:37 +0200 (CEST)

On Sat, 22 Apr 2000, Robert P. Fries wrote:

> I'm not really interested in setting up our own ACLs, just the logging of
> where people are going.
>
> Is this possible with Squid (or any other products)? The problem I see is
> that I'd have to point my users to my Squid proxy, so they are not
> authorized to go through the gauntlet one at the corporate level.
>
> I guess I need a totally transparent setup - one that passes each user's
> info to the main Gauntlet firewall, while still performing the logging, etc
> at the local level.

Well, it depends on your goals.

You cannot (easily) intercept requests sent to your corporate firewall, so
you will need the cooperation of either your users, or the corporate
admins (both is best :-) The corporate admins will have to lock down
access from your subnet, except from your Squid proxy. Your users will
have to point to your proxy rather than the corporate one.

Your Squid would have something like this in its squid.conf:

cache_peer firewall.mycompany.com parent 8001 7 default no-query
acl local-external dstdomain www.mycompany.com
acl local-intranet dstdomain .mycompany.com
acl local-intranet dstdomain .mydepartment.mycompany.com
cache_peer_access firewall.mycompany.com allow local-external
cache_peer_access firewall.mycompany.com deny local-intranet
cache_peer_access firewall.mycompany.com allow all

(assuming your company, like mine, made the mistake of using the
mycompany.com domain internally as well as externally, so the ACL goop is
required to distinguish Internet from Intranet :-)

Anyhow, depending on what you want to achieve, this may or may not answer
your requirements. If I were in your shoes, I'd probably talk your
corporate admins into putting Squid in front of Gauntlet as well.

Cheers,

                                -- Bert

Bert Driehuis, MIS -- bert_driehuis@nl.compuware.com -- +31-20-3116119
Every nonzero finite dimensional inner product space has an
orthonormal basis. It makes sense, when you don't think about it.
Received on Sat Apr 22 2000 - 18:17:01 MDT
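
The rule order in the squid.conf above, worked through as an added example (not part of the original post, and not Squid code): a small Python model of first-match cache_peer_access evaluation with dstdomain matching. The test hostnames are constructed, and the model assumes a request that is denied the peer is fetched directly, i.e. no never_direct rule is in effect.

```python
# Added example: models how the cache_peer_access lines in the posted
# squid.conf decide between the Gauntlet parent and a direct fetch.

ACLS = {  # acl name -> dstdomain patterns, copied from the posted config
    "local-external": ["www.mycompany.com"],
    "local-intranet": [".mycompany.com", ".mydepartment.mycompany.com"],
}

# cache_peer_access lines for firewall.mycompany.com, in config order
PEER_RULES = [
    ("allow", "local-external"),
    ("deny", "local-intranet"),
    ("allow", "all"),
]


def dstdomain_match(host, pattern):
    """Leading dot: the domain itself or any subdomain. No dot: exact host."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def acl_match(host, acl):
    """True if the host matches any pattern of the named ACL ('all' always matches)."""
    if acl == "all":
        return True
    return any(dstdomain_match(host, p) for p in ACLS[acl])


def route(host, rules=PEER_RULES):
    """Return 'parent' if the first matching rule allows the peer, else 'direct'."""
    for action, acl in rules:
        if acl_match(host, acl):  # first matching line decides, later lines are ignored
            return "parent" if action == "allow" else "direct"
    # Assumption of this model; unreachable with the posted rules ("allow all" is last)
    return "direct"


# Same lines with the deny moved to the top: the public web site now matches
# local-intranet first and is no longer sent through the firewall.
REORDERED = [PEER_RULES[1], PEER_RULES[0], PEER_RULES[2]]

if __name__ == "__main__":
    for h in ("www.mycompany.com", "wiki.mycompany.com", "www.example.org"):
        print(h, route(h), route(h, REORDERED))
```

Running the same hostnames through both orderings shows why the allow for local-external has to precede the deny for local-intranet.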
