Re: [squid-users] Content filtering, password-bypass & client configuration.

From: Stroller <Linux.Luser_at_myrealbox.com>
Date: Fri, 20 Feb 2009 08:28:24 +0000

Many, many thanks for your reply, Amos.

It took me some days to follow up your comments, and I have been
reading the Squid documentation you referred me to in the last week.
It seems very good, however I have a couple of questions.

On 4 Feb 2009, at 05:13, Amos Jeffries wrote:
> Stroller wrote:
>>
>> With transparency, the machine has two NICs and everything goes
>> through it, right?
>
> Maybe no, maybe yes. Transparency, Interception, and NICs are not
> related.
> http://wiki.squid-cache.org/ConfigExamples/Intercept
>
>
>> But if it's not transparent then it's just another IP on the LAN
>> (??) and that has to be entered into Internet Explorer's
>> configuration options. I can block outgoing connections to port 80
>> (except those made by the Squid box) at the ADSL router, and
>> because all the PCs are in a Windows domain I can use Policies to
>> set that on all clients. However this stitches up 2 or 3 laptop
>> users - if I force them to proxy through 192.168.4.2 then they
>> won't be able to surf the net when they take their laptops home
>> (where there is no proxy at that address).
>
> The solution is to do the above for permanent machines. And try WPAD
> for the laptops and guest machines.
> http://wiki.squid-cache.org/Technology/WPAD

I initially read this as "the solution is to use interception for
permanent machines and WPAD for laptops and guests".
I think this has led me to make things more complicated than
necessary, but I am still curious about such a configuration.

We have a common /24 LAN with gateway 192.168.1.1, Squid running on
192.168.1.42 and various desktop PCs 192.168.1.100 - 200. Can we
redirect at the gateway so that when a desktop PC sends a packet with
a port 80 destination, the gateway redirects the packet to port 3128
of the Squid proxy, which is on the same ethernet switch as the PCs,
all on the LAN side of the router?

Sorry if I explain this question badly. I am unclear whether the
interception examples using iptables are intended for sites trying to
proxy in front of their own webservers (I think this is done to reduce
load on dynamic sites, eg those that use PHP) or whether they are
intended for sites like mine, trying to force proxying on the users.

The difference between these two scenarios is that packets approach
the router from "different sides". If one proxies for one's own
webserver then the router receives packets on the WAN port & redirects
then to the LAN. In my example the packets are sent to the LAN port of
the router & redirected to another machine, also on the LAN - they use
the same interface, doesn't this cause collisions? Also, doesn't the
Squid machine think the packets are originating from the router and
not the desktop PC? Someone else has asserted this to be the case, and
I am unable to answer.

Stepping back from this confusion for a moment, I think the thing to
do for my scenario is to block all outgoing port 80 connections at the
router, except those initiated by the Squid machine. Then use WPAD /
Windows domain rules to point to the the Squid proxy.

Regarding ACLs: is it possible to have certain sites unrestricted, and
only ask users for a password if they want to access sites that are
not on that list?

Blimey! My head is melting. Sorry if my questions are ill-formed, and
many thanks for the help you have already given,

Stroller.
Received on Fri Feb 20 2009 - 08:28:34 MST

This archive was generated by hypermail 2.2.0 : Fri Feb 20 2009 - 12:00:01 MST