[squid-users] half of a transparent proxy question I guess.....

From: Pat Riehecky <prieheck@dont-contact.us>
Date: Tue, 15 May 2007 14:35:13 -0500

This is a bit of an odd duck, but....

The university I work for has a bunch of library pages that can only be
accessed from on campus as they are hosted off site and authenticated by
IP address. However, they want currently enrolled students to be able
to use those pages from off campus as about 30% of our students live off
campus these days.

I said "Bah, this is easy, squid to the rescue!" And rescue it did (by the
way, thanks so much for it!). But a new problem has surfaced. The users
don't ever turn their proxy settings off. Some are uninformed, some
think the Internet will break without this on, and some think it is
faster to proxy to us. They are all wrong of course, but alas... So my
squid box is at times eating up most of our bandwidth from people who
are not using it at all the way it should be used. I said "Screw it"
and boosted the cache size. Performance improved dramatically.

Now a new beast has come out and dragged the last one with it. We have
some students studying in Spain who want to use the pages. I gave them
the standard "Configure it for the proxy" email, but they are using
access at the local Internet cafe which will not (for good reason) give
them the rights on the local system to reconfigure the proxy settings.
Then my boss's boss says "Hey, U of I has their library pages set up with
a transparent proxy somehow. Can we do it like that?" I have yet to
see proof that this works as advertised...

Basically what they want from me is: when people click the link to access
the resource in question, it will flip the system into a transparent
proxy mode for IP addresses not in range A, prompt for a username/password
and sit man in the middle. For systems in range A they want it to do
what it does now - nothing. U of I has said they are using EasyProxy to
do this. It seems silly to me to pay for a baby proxy system when I
could use Squid.

So, to the question at hand: Are there some docs somewhere I could
read to figure out how to man in the middle some traffic, but not
other traffic, and make the traffic I pick require a login?

My ideas thus far basically involve using iptables PREROUTING to push
traffic from "IP not A" through squid, but this doesn't make me
authoritative for their DNS, and these people are off site so I can't
exactly make myself their default gateway. Even if I could (somehow?),
it would require transparent proxy auth, which is impossible if my
understanding of how stuff works is valid (which it might not be). My
understanding of the problem makes it impossible to perform, but you are
greater proxy experts than I...

Wow, you got all the way down here... dang....

I will accept vaguely half-formed, partially coherent theories just to
keep my own mental gears turning. Anything at all you could contribute
would be tremendously helpful (this includes "the proposed task is
impossible" proofs as well, but sadly I would need a strong argument to
hand up the chain, as they look at me funny when I say this doesn't sound
possible).

Pat
Received on Tue May 15 2007 - 13:35:26 MDT
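An added example, not from the original post or the Squid project, of how the two configured-proxy cases described above (campus range A passes through untouched, everyone else must log in, and the proxy only serves the library sites) can be expressed as squid.conf ACLs; the network range, domain names and helper/password-file paths are assumed placeholders:

```conf
# Added example, not from the original post. The address range, domains
# and the auth helper / password file paths are assumptions; substitute
# your own values.

# Range A: the campus network the publishers already trust by source IP.
acl campus src 192.0.2.0/24

# The off-site library resources the proxy exists to reach, and nothing else.
acl library dstdomain .journals.example.net .ebooks.example.org

# Off-campus users must present a username/password (basic auth against a
# password file; the helper path depends on the Squid package/version).
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic realm Library proxy
auth_param basic credentialsttl 2 hours
acl students proxy_auth REQUIRED

# Refuse any destination that is not a library site before anything else,
# so users who leave the proxy configured cannot pull general web traffic
# (and your bandwidth) through it.
http_access deny !library

# On-campus clients are already trusted by IP: no prompt, no auth.
http_access allow campus

# Everyone else is challenged for credentials before reaching the library.
http_access allow students
http_access deny all

http_port 3128
```

This only covers clients that can be pointed at the proxy; the Internet-cafe case, where the browser's proxy settings cannot be changed, is not solved by access-list rules on the Squid side.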
