Re: [squid-users] Squid and Mirrored Router Ports

From: Amos Jeffries <squid3@dont-contact.us>
Date: Wed, 18 Apr 2007 07:10:57 +1200

Edward C. Jakosalem wrote:
>> Hi,
>>
>> Edward C. Jakosalem wrote:
>>>> Tue 2007-04-17 at 20:55 +1000, Edward C. Jakosalem wrote:
>>>>
>>>>> I have posted this same problem before but I want to post it again
>>>>> because I am pressured to make this work with Squid. I know that Squid's
>>>>> use is either an accelerator or proxy or both. But we want Squid to _only_
>>>>> capture web traffic and log them, that's all. As such, I have configured
>>>>> my server to act as transparent proxy.
>>>> I don't quite get what you are trying to do here.. Do you want Squid to
>>>> act as a transparent proxy by intercepting port 80 traffic and have it
>>>> redirected to Squid, or do you just want to audit the port 80 traffic
>>>> without actually touching the packets by just listening on a switch
>>>> mirror/monitor port?
>>> I actually just need squid to act as transparent proxy so I can log
>>> traffic. I don't care how squid will do this, I just need the logs. And
>>> the reason why we use the mirrored port is that we don't want browsing
>>> affected in case this server goes down.
>> So you want Squid to be in the path but don't want it to affect anything
>> if it goes down? That can't be done, unless you can use WCCP to ignore
>> it if it's down. Never played with WCCP so I don't know if it's
>> possible. I've always 'done the right thing' and told my browsers about
>> the proxy!
>>
>>
>>>> The first can be done by Squid, and any of the interception methods
>>>> will work. WCCP, Policy routing etc..
>>>>
>>>> The second is not a job for Squid. You need a packet analyzer/auditor
>>>> for this. There are quite many different ones depending on what you are
>>>> looking for..
>>> We specifically need the Squid log format that's why we want to make
>>> this work with squid. My boss doesn't want it any other way. :-(
>> Why must he have Squid format logs? What's his business reason for
>> having to have them in that format?
>
> I honestly don't know. But the aim is to have a record of our customers'
> browsing activities and retain the logs for 6 months.
>
>> Squid is probably the wrong tool for the job and won't work how you've
>> got it set up now so why not look around at other tools that are
>> designed for the job?
>
> I already did and told him that. I actually have a program called _packit_
> up and running. I also found some other useful ones as well. But
> management said Squid can do it and if I can't make it work, they will
> seek help from someone who knows how to. Hey, what's a lowly employee like
> me to do? :-(

Well, it seems to have come down to who you trust to know more about the
software: the people who wrote it, or your managers and whoever gave
them the idea that squid was capable.

Without knowing who your management are or their experience levels I am
thinking at this point that I have heard this story before. It sounds
like your management are not technical people and have been told by a
contact elsewhere that another business use squid to 'record logs of all
our customers activities' then jumped to conclusions.

Squid _can_ sit between your clients and the web and do it. But it does
need to be in the actual traffic path.

SO, you can take a proposal to your management (maybe with costings) for
a robust set of squid cache(s) to be your gateway to the net, you are in
the best position to know what is needed for your company given that
'cannot fail' requirement you mentioned earlier.

OR, I'm sure between us all we can work up a suitable large quote for
the work it would take a developer to make squid capable of sitting on a
mirror port. (I'll start the bidding randomly at a nice round $500k and
see where that goes if you like ;-).

OR, you can go back to your management with our (developers and expert
users) support for the argument that squid cannot do it in any known
version and get them to supply the source of their 'it can' information
to help you do it. As an aside, if they actually come up with a source
we'd like to know who's doing it.

Amos
Received on Tue Apr 17 2007 - 13:11:01 MDT
