Re: [squid-users] CHALLENGE super complex proxy scenario. There must be a practical way! commercial solution?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 27 Oct 2009 01:30:37 +1300

Andres Salazar wrote:
> Greetings,
>
> The goal is to manage a LAN of 50-100 users, dynamically controlling
> with access lists the sites each user can see, and the ones they can't.
> I also need a simple way of controlling their internet route so that
> they can be changed to use different IPs from different peer proxies
> around the world (which I already have). All of this done 100%
> transparent to the user; all config must be able to be dynamically
> changed at the server level. Current services used by the users are:
> port 80, port 443, port 21 and a messenger XML port.
>

After reading the requirements below I reach the conclusion that the way
you will have to do this is a mix of WPAD/PAC and firewall settings.

WPAD is a pain to get started but will PAC-configure the browsers in the
background without users being aware of the exact settings.

PAC can be as simple or complex as you like, with multiple proxies and
failovers configured based on things like the client IP or destination
hostname.

http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers

The firewall gets thrown into the mix either to outright deny port
80/443/21 access, or, if you like, to NAT-intercept port 80 to a proxy.
The latter handles naive software updaters etc., while placing extra
annoyance limits on people who try to bypass the proxies.

http://wiki.squid-cache.org/ConfigExamples/Intercept

> Dilemmas:
>
> a.) Squid cannot proxy/forward SSL in transparent mode. So what are my
> options? Forward port 80 through a different protocol, perhaps a VPN
> just for port 443, so that the particular user originates his/her
> requests from the IP I want it to be. Not to mention that not all
> users would be using the same src IP for port 443, so that at least I
> would have to manage 4-5 different tunnels the way I see it?
>

Maybe. PAC resolves the HTTPS problem by making the browser aware that
it must wrap the HTTPS.

> b.) Squid cannot use the FTP protocol to upload files. Thus I would
> need to install on all the remote routes another truly FTP-compliant
> proxy.

Maybe. PAC resolves this for web apps by informing browsers that they
are to pass it off to the proxy.

For native FTP clients you will still need some proxy. frox is the one we
recommend, as it's purpose-built for this.

>
> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> Why I need this to be 100% transparent:
>
> No user should ever be allowed to surf the internet with their local
> IP; all communication should be proxied to a specific route so no
> bypassing is allowed, thus the need for a FORCED transparent proxy.
>
> My users have a number of different browsers installed ranging from
> Opera, Firefox, IE... Besides, they have applications that manage
> updates that would also need to have the proxy configured, such as
> anti-virus software and anti-spyware. There are ways to automatically
> config browsers, but what about FTP clients, virus and adware software?
>

The good anti-virus/malware apps I've seen all can pull their proxy
settings from IE.

FTP clients are rare though. FTP is not a naturally proxied protocol.

> We have sites that my users need not be proxied/VPNed out to because they
> are in the same location. So aside from configuring each proxy in the
> browsers, stuff like a LAN CRM would have to be configured as
> exceptions.
>
> Not all users will use the same proxy, there would be at least 5
> possible routes so internal routing must be done.

PAC resolves this by allowing you to set the decision logic out for each
client if need be.

> ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> So, all of this is resumed into two proxy software combined with
> tunnels/vpns. Even if this is done like I suggest I think network
> diagnostics/maintenance would be *very* time consuming.. Would you
> guys agree?
>
> Is there any commercial solution/open source solution that can do what
> I want in a combo way? BTW, due to the nature of SSL I don't expect to
> have allow lists or deny lists, but it should in a way proxy it so that
> I can set custom src IPs per user.
>
> --Andres

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
   Current Beta Squid 3.1.0.14
Received on Mon Oct 26 2009 - 12:30:45 MDT

This archive was generated by hypermail 2.2.0 : Mon Oct 26 2009 - 12:00:02 MDT
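Added example, not from the thread above and not part of Squid or any WPAD implementation: a PAC file that encodes the routing Amos describes, with the route chosen per client subnet, the local-site exceptions (the LAN CRM case) going DIRECT, a failover chain of proxies per route, and HTTPS/FTP simply handed to the same proxy. Every subnet, proxy hostname and internal domain is a hypothetical assumption. The small shims at the top stand in for the helper functions a browser's PAC engine supplies (myIpAddress, isInNet, dnsDomainIs, isPlainHostName) so the decision logic can be unit-tested in Node before being published via WPAD.

```javascript
// Stand-ins for the browser-provided PAC helpers, so FindProxyForURL can be
// exercised offline. A real browser ignores these and supplies its own.
var pacClientIp = "10.1.10.25"; // constructed default; decide() overrides it

function myIpAddress() {
  return pacClientIp;
}

function ipToInt(ip) {
  var parts = ip.split(".");
  var n = 0;
  for (var i = 0; i < parts.length; i++) {
    n = n * 256 + parseInt(parts[i], 10);
  }
  return n;
}

function isIpLiteral(s) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(s);
}

// A browser's isInNet() would DNS-resolve a hostname argument; this shim
// only accepts dotted-quad literals, and FindProxyForURL guards every call
// with isIpLiteral() so the real PAC never triggers a lookup either.
function isInNet(ip, net, mask) {
  if (!isIpLiteral(ip)) return false;
  var m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substr(host.length - domain.length) === domain;
}

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Outbound routes (hypothetical proxies), one failover chain per route.
// Deliberately no trailing DIRECT: if every proxy in a chain is down the
// request must fail rather than silently leave the LAN from the user's own IP.
var ROUTES = {
  a: "PROXY proxy-a1.example.net:3128; PROXY proxy-a2.example.net:3128",
  b: "PROXY proxy-b1.example.net:3128; PROXY proxy-b2.example.net:3128",
  fallback: "PROXY proxy-default.example.net:3128"
};

// Which route a client gets is decided by its source subnet (assumed
// 10.1.10.0/24 and 10.1.20.0/24). Re-homing a user is an edit to this
// table on the WPAD server, not a change on the desktop.
function routeForClient(clientIp) {
  if (isInNet(clientIp, "10.1.10.0", "255.255.255.0")) return ROUTES.a;
  if (isInNet(clientIp, "10.1.20.0", "255.255.255.0")) return ROUTES.b;
  return ROUTES.fallback;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Local exceptions: loopback, plain hostnames, the assumed internal zone
  // (where the LAN CRM lives) and literal LAN addresses go DIRECT.
  if (host === "localhost" ||
      isPlainHostName(host) ||
      dnsDomainIs(host, ".example.internal") ||
      (isIpLiteral(host) && (isInNet(host, "10.1.0.0", "255.255.0.0") ||
                             isInNet(host, "127.0.0.0", "255.0.0.0")))) {
    return "DIRECT";
  }

  // Everything else leaves through the client's assigned route. This covers
  // https:// (the browser sends CONNECT to the proxy, which is how PAC "wraps"
  // HTTPS) and ftp:// (the browser hands the FTP URL to the HTTP proxy).
  // Site allow/deny decisions are not made here: PAC runs on the client and
  // can be bypassed, so those belong in the proxy's own ACLs.
  return routeForClient(myIpAddress());
}

// Test hook: evaluate the PAC as a given client would.
function decide(clientIp, url, host) {
  pacClientIp = clientIp;
  return FindProxyForURL(url, host);
}
```

Serve the file as wpad.dat with the application/x-ns-proxy-autoconfig MIME type for WPAD discovery to pick it up. One caveat worth testing for in your own environment: myIpAddress() on a multi-homed client (VPN adapter, virtual machine bridge) may return an address from a different interface than the one facing the LAN, which would put that user on the fallback route rather than the one intended for their subnet.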