Re: [squid-users] Transparent & ident

From: Leo Mrafko <leo@dont-contact.us>
Date: Fri, 3 Aug 2001 22:48:07 +0200 (CEST)

On Fri, 3 Aug 2001, Adrian Chadd wrote:

> Ident and transparent proxying don't mix.
> The ident protocol identifies a connection by supplying the remote
> and local port numbers for the client to return a username for.
>
> In a non-transparent setup, the following happens:
>
> * client issues request to proxy
> * proxy issues ident request on the above request connection to client
> * client returns ident information
>
> In a transparent setup, the following happens:
>
> * client issues web request to some web server
> * proxy snarfs web request
> * proxy issues ident request on the above request connection to client
> from its own IP
> * client notes that it's got no connection to the proxy IP, and (rightly!)
> doesn't return any ident information.
>
> There are ways around it, but squid doesn't support any of them, and they
> are very very evil and particular about the network setup.
> (it involves squid pretending to be the IP of the web server when issuing
> the ident request, and it relies on the client's ident requests going through
> the squid server which picks off ones to intercept..)
>
> Why don't you use some other form of authentication?
> You'd still get your username logging via basic auth, ntlm auth ..
>
>
> Adrian
>

Thanks very much for the exhaustive answer. Maybe I should extend my question
a bit: On my local network, Windows users get authenticated against a Samba
server. I'd like to have minimum setup tasks on the Windows boxes with
maximum performance. I could use proxy.pac autoconfig from my www-server,
I have it already configured, but I find a transparent proxy to be more
beautiful. It is a school network, so I need to log pupils' activities. But
I don't want to bother users with any more password checking beyond the
Windows network logon. Can this be done using ntlm auth? Maybe I could do
some more automated setup using Samba's netlogon scripts - it could write
something into the Windows registry, some setup for Explorer (possibly mostly
used) etc. Btw, don't you know what Explorer's "Automatically detect
setting" option means?

Thanks,

--
 Leo Mrafko
Received on Fri Aug 03 2001 - 14:48:12 MDT
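
The ident lookup described in the quoted reply, modelled as an added example (not part of the original thread and not Squid code): a responder on the client keys each connection by local port, remote address and remote port, and takes the remote address from whoever sends the query. The IP addresses, ports (including the assumed proxy port 3128), the "UNIX" opsys token and the username are constructed.

```python
import re

# RFC 1413 query: "<port-on-ident-host> , <port-on-querier>"
QUERY_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")

PROXY_IP = "192.0.2.10"    # constructed: the proxy's own address
WEB_IP = "198.51.100.80"   # constructed: the origin web server


class IdentResponder:
    """Minimal model of the ident service running on the client machine."""

    def __init__(self):
        # (local_port, remote_ip, remote_port) -> user owning the socket
        self.connections = {}

    def add_connection(self, local_port, remote_ip, remote_port, user):
        self.connections[(local_port, remote_ip, remote_port)] = user

    def answer(self, querier_ip, line):
        m = QUERY_RE.match(line)
        if not m:
            raise ValueError("malformed ident query: %r" % line)
        local_port, remote_port = int(m.group(1)), int(m.group(2))
        prefix = "%d , %d" % (local_port, remote_port)
        if not (1 <= local_port <= 65535 and 1 <= remote_port <= 65535):
            return prefix + " : ERROR : INVALID-PORT"
        # The query carries only ports. The remote address of the connection
        # is taken to be the address the ident query itself came from.
        user = self.connections.get((local_port, querier_ip, remote_port))
        if user is None:
            return prefix + " : ERROR : NO-USER"
        return prefix + " : USERID : UNIX : " + user


def explicit_proxy():
    # Browser is configured to use the proxy, so its socket really is to PROXY_IP.
    client = IdentResponder()
    client.add_connection(40001, PROXY_IP, 3128, "pupil1")
    return client.answer(PROXY_IP, "40001 , 3128")


def transparent_proxy():
    # Browser believes it talks to WEB_IP:80; the proxy intercepted the request
    # but sends the ident query from its own address.
    client = IdentResponder()
    client.add_connection(40002, WEB_IP, 80, "pupil1")
    return client.answer(PROXY_IP, "40002 , 80")


if __name__ == "__main__":
    print("explicit:   ", explicit_proxy())
    print("transparent:", transparent_proxy())
```
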
