Re: [squid-users] all traffic over squid an auth.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 17 Feb 2010 10:41:33 +1300

On Tue, 16 Feb 2010 20:53:52 +0100, Christian Weiligmann
<christian.weiligmann_at_weiligmann-net.de> wrote:
> I have a problem,
> I would like to get all my questions from the internal network to the
> internet over squid proxy, using delegated authentication.
> (SQL,NTLM...).
> Is that possible? I know that the transparency function is not able
> to authenticate. But what can I do?
> For example: IPsec connections, OpenVPN connections and many other
> client programs used for internet connections over squid. And I have to
> log all the traffic with ip, username and password.
>
> Sorry for this stupid question, but I want to learn.

Well, you can't authenticate against the proxy itself while intercepting
the traffic. But there are all sorts of alternatives.

I recommend the one called WPAD or WPAD/PAC. It uses a PAC (proxy
auto-configuration) file to 'transparently' configure all the network
clients to use the proxy. Any client browser with its network proxy
settings set to "automatic" will act like a regular proxy client without
any special configuration on the user's part. You may use authentication
with these clients!

http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers#Fully_Automatically_Configuring_Browsers_for_WPAD
http://wiki.squid-cache.org/Technology/WPAD

From your request I assume that non-login requests are not to be permitted
at all.

With WPAD going you can convert the interception requests into a captive
portal type setup, where any requests arriving at it get sent to a custom
page (using deny_info and ACL) instructing the user how to set up their
browser to use the WPAD setting.

This may need to be phased in with an IP range ACL slowly expanding across
the network to get clients updating their settings on a controlled, gradual
basis. Watch the logs closely for programs which may need special admin
attention for any reason.

Amos
Received on Tue Feb 16 2010 - 21:41:38 MST
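The PAC file that the WPAD approach above hands to clients, as an added example (this is not code from the thread or from the Squid project). A PAC file is a JavaScript function, FindProxyForURL(url, host), that the browser evaluates for every request; the helper functions it calls (isPlainHostName, dnsDomainIs, isInNet) are normally provided by the browser, so stand-alone shims for them are included here so the file can be run and tested outside a browser. The proxy name proxy.example.internal:3128 and the domain example.internal are assumed values.

```javascript
// Added example of a WPAD/PAC file. Proxy address and internal domain are
// assumptions; the shims below exist only so this runs outside a browser,
// where the real implementations are supplied by the PAC engine.

// ---- Shims for browser-provided PAC helpers ----------------------------
function isPlainHostName(host) {
  // true for unqualified names such as "intranet"
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  // true when host ends with the given (leading-dot) domain suffix
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

function ipToInt(s) {
  // dotted-quad string -> unsigned 32-bit number, or null if not an IPv4 literal
  var parts = s.split(".");
  if (parts.length !== 4) return null;
  var v = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    v = v * 256 + Number(parts[i]);
  }
  return v >>> 0;
}

function isInNet(host, pattern, mask) {
  // Dotted-quad literals only. A real browser resolves hostnames here,
  // which is slow and DNS-dependent, so hostname checks go first.
  var ip = ipToInt(host), net = ipToInt(pattern), m = ipToInt(mask);
  if (ip === null || net === null || m === null) return false;
  return (ip & m) === (net & m);
}

// ---- The PAC logic clients actually run --------------------------------
var PROXY = "PROXY proxy.example.internal:3128"; // assumed Squid address

function FindProxyForURL(url, host) {
  // Unqualified names and the internal domain never leave the LAN.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.internal")) {
    return "DIRECT";
  }
  // Private address space and loopback, when the URL carries a literal IP.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else goes through Squid, which can then challenge for
  // proxy authentication (407) exactly as it does for a hand-configured
  // client. No "; DIRECT" fallback is appended on purpose: if the proxy is
  // unreachable, clients fail closed instead of bypassing auth and logging.
  return PROXY;
}
```

Two practical notes. Clients locate this file through DHCP option 252 or by resolving wpad.<their search domain> and fetching it over plain HTTP, so whoever can answer that DHCP request or register that DNS name chooses the proxy for every client on the network; register the wpad name yourself in internal DNS and serve the file only from a host you control. On the Squid side, the captive-portal step in the reply is an http_access deny rule on an ACL matching the intercept port, paired with a deny_info for that ACL that points at the setup-instructions page instead of an error template; the exact ACL type and deny_info form depend on the Squid version in use, so check the squid.conf documentation for yours.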

This archive was generated by hypermail 2.2.0 : Wed Feb 17 2010 - 12:00:04 MST