RE: [squid-users] Transperent Proxy

From: Damian-Grint Philip <pdamian-grint@dont-contact.us>
Date: Sat, 19 Jul 2003 01:20:49 +0100

Anant,

I've been using Squid/WCCP for transparently proxying about 800 PCs for a
while now - you have to dig about for all the correct bits, but it's very
slick when you finally get it right. My config is:

- Redhat 7.2 with minimum packages
- 2.4.18 kernel with v1.3 source for ip_wccp.c from:
http://www.squid-cache.org/WCCP-support/Linux
(if you run the 2.4.18 WCCPv2 patch from
http://squid.visolve.com/developments/wccpv2.htm first, it sets up all the
config makefile and help hooks so you can see it in menuconfig)
- squid2.5STABLE3 with the visolve_wccpv2-s2_5.patch from:
http://devel.squid-cache.org/projects.html#visolve_wccpv2
- squidGuard 1.2.0 (using Berkeley DB 3.3.11 for the blacklist database) -
If you have to implement a Corporate Internet Usage policy, this is very
fast and flexible
- iptables 1.2.8 userspace utilities and a single redirection:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
- OpenSSH, webmin
- Cisco routers with IOS 12.1T

I've only arrayed up to 4 PCs (Compaq 350 through 1.4 with 256-512MB) at a
time to test the load balancing features and more importantly the ability to
pull a box without getting loads of complaints, but I'm sure there are
others out there who have done more and can comment further about
limitations etc (Henrik probably).

I only looked at WCCP as an interim stopgap because of the problems with
maintaining/supporting manual configurations across 15+ locations, 2
Internet links, proxy-sensitive IEAK-hating software like Tarantella, and
proxy.pac functions like myipaddress() breaking on some Win2k machines (.NET
I think) but these squid boxes are now some of the lowest maintenance
systems we have. I use a standard config which handles configured clients on
port 3128 and transparently proxies any other port 80 traffic at the same
time.

The only funny that I've found with it is that on one of my routers where
I'm intercepting outgoing browser traffic that arrives already tunnelled,
I've had to use route maps to clear the DF bit on return (Internet->private)
traffic because the combination of GRE and WCCP seems to cause outgoing ICMP
Clear DF messages even if I try clamping my firewall MTU down to 576 (I
didn't leave it there!) ...and because outgoing ICMP from a privately
addressed router relating to NATed browser traffic is next to useless on the
Internet.

I'd be happy to send you some more detail, but my build notes are over 50
pages and climbing, and IMHO this is one area you need to struggle a little
to get it up and running, or you will never know where to start if things go
wrong.

Regards

Phil DG

-----Original Message-----
From: anant shintre [mailto:adshintre@yahoo.com]
Sent: 18 July 2003 17:51
To: squid-users@squid-cache.org
Subject: [squid-users] Transperent Proxy

Squid is running O.K.
Presently I get access log only of those clients where
I have changed proxy settings. It is not possible to
go to all machines and change the same. I think I can
use transparent proxy for some. Squid FAQ does not
give information about transparent proxy. Please
suggest me some good documentation for the same for
Linux 8, Squid 2.5 combination.
Thanks

Received on Fri Jul 18 2003 - 18:24:03 MDT
