RE: [squid-users] Squid and Firewall rules

From: GG BB <gbbc2004@dont-contact.us>
Date: Mon, 1 Mar 2004 17:41:50 +0100 (CET)

So I guess mine is not the 'standard' architecture for
a NAT-VPN and Proxy ...
Maybe the best solution would be to keep them separate,
and set up a box that acts 'only' as a Proxy?

Could someone share their own experience of HOW and
"WHERE" to build a Proxy on a NET that already has a
working NAT-Firewall-VPN?!

thanks all :)

--- Mark Cooke <mpc@star.sr.bham.ac.uk> wrote:
> On Mon, 2004-03-01 at 12:01, Elsen Marc wrote in reply to:
> >
> > > -- iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128 --
> > >
> > > But with this rule in, I get that all users, even if they don't set their
> > > Browsers to use a Proxy, can surf the WEB without being authenticated by
> > > Squid, but passing through the Proxy anyway (in fact I can see them on my
> > > Access.log file)
> > >
> > > what I wish to do is to set the Squid or Firewall settings to impose a
> > > Squid Authentication even if my users don't set their Browsers to use a
> > > Proxy, so
> > >
> > > USER1 Browser-configured --> Authentication = Allowed
> > >
> > > USER2 NoBrowser-configured --> Authentication or ERROR
> > > You are not allowed to ...
> > >
> > You can't, at least in the squid context :
> >
> > http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.15
>
> But the workaround is to setup the redirect to a web server you control
> that explains how to setup the browser to use your proxy, instead of
> trying to transparently direct it to squid.
>
> Ie, --to-destination as well as --to-port (so you don't have to run a
> web server on your firewall).
>
> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination my.proxyinstruction.server:80
>
> When you setup the web server, just map all URLs to the proxy setup
> instructions (because iptables can't change the requested URL). If you
> have a machine running as an existing web server, just use a different
> port number and a virtual host, or similar.
>
> Cheers,
>
> Mark
>
> --
> Mark Cooke <mpc@star.sr.bham.ac.uk>
>
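The rule set below is an added example, not part of the thread and not squid's or anyone's production configuration. It puts the intercepting rule from the original post next to the hand-off that Mark describes, with two corrections a practitioner needs: the REDIRECT target only takes --to-port, so sending users to a different host needs the DNAT target with host:port, and if the instruction server sits on the same subnet as the users its replies would bypass the firewall unless the DNATed connections are also masqueraded. The interface name, ports and the 192.0.2.10 address are constructed placeholders; by default the script only prints the rules (DRY_RUN=1), and `apply` as the first argument executes them.

```shell
#!/bin/sh
# Added example: rules for the "send unconfigured browsers to an instruction
# page" workaround from the thread. Interception into squid defeats proxy
# authentication (squid FAQ 17.15), so unconfigured clients are handed to a
# page that tells them how to set the browser up instead.
# All names and addresses are constructed placeholders.

LAN_IF=eth1                          # interface facing the internal users
PROXY_PORT=3128                      # squid's http_port
INSTRUCTION_SERVER=192.0.2.10        # web server that serves the setup page
INSTRUCTION_PORT=80
DRY_RUN=${DRY_RUN:-1}                # 1 = print the rules, 0 = execute them

# Print or execute one iptables command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The rule from the original post, kept only for comparison: it silently
# pulls every port-80 connection into squid, so squid never gets to demand
# credentials from clients that did not configure the proxy. Never applied.
intercepting_rule() {
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-port $PROXY_PORT"
}

# The replacement: configured browsers reach squid on its own port, everyone
# else who tries plain port 80 lands on the instruction server.
instruction_redirect_rules() {
    # Needed only if the INPUT chain's default policy is DROP.
    run iptables -A INPUT -i "$LAN_IF" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    # REDIRECT cannot target another host; DNAT with host:port does that.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$INSTRUCTION_SERVER:$INSTRUCTION_PORT"
    # Keeps the return path through the firewall when the instruction server
    # is on the same subnet as the users (otherwise its replies come from an
    # unexpected source address and the browser drops them).
    run iptables -t nat -A POSTROUTING -o "$LAN_IF" -p tcp \
        -d "$INSTRUCTION_SERVER" --dport "$INSTRUCTION_PORT" -j MASQUERADE
}

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
fi
instruction_redirect_rules
```

The instruction server itself still has to answer every path with the same setup page, as Mark says, because the DNAT only rewrites the destination address, not the URL the browser requested.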

Received on Mon Mar 01 2004 - 10:16:05 MST

This archive was generated by hypermail pre-2.1.9 : Thu Apr 01 2004 - 12:00:01 MST