Re: [squid-users] Re: Force connection to squid

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 08 Jan 2011 04:07:39 +1300

On 08/01/11 04:01, mpnordland wrote:
> On 01/06/2011 11:27 PM, Amos Jeffries wrote:
>> On 07/01/11 15:54, mpnordland wrote:
>>> The tricky thing is, is that this is all on one computer, squid is a
>>> proxy for the computer it is installed on, the idea of it all is to
>>> track the urls that the users visit. Authentication is necessary so that
>>> one user's log isn't mixed with another's. And just so you know, this
>>> isn't spyware.
>>>
>>
>> Not much difference to a proxy on a router. Just use the user-PID
>> instead of source client IP in your firewall rules around port 80.
>> For example the squid user ID is allowed port 80 access but all others
>> are not. WPAD is used to point at 127.0.0.1 as the proxy IP.
>>
>> And yes WPAD and the *nix global http_proxy environment variable are the
>> only ways to get authentication in a proxy without configuring it
>> directly into the browser.
>>
>> Amos
>
> Ok, I like this because it makes sense, I am pretty sure I can figure
> out how to set up iptables to only allow squid, how should I set up WPAD
> on my setup, and why 127.0.0.1?
>

127.0.0.1 (or ::1 in IPv6) are completely internal to the box so are not
speed limited by things like external MTU size, TCP queues or external
firewall rules. They also protect Squid a lot more against remote access.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.10
   Beta testers wanted for 3.2.0.4
Received on Fri Jan 07 2011 - 15:07:45 MST
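
The setup discussed in this thread, sketched as an added example that is not part of the original messages: only the proxy account may open outbound connections to port 80, and a WPAD/PAC file points browsers at 127.0.0.1. It assumes iptables with the owner match (`--uid-owner`), a proxy account name supplied by the caller, and Squid's default port 3128; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates (does not apply):
#   1. iptables-restore input that lets only the proxy account open
#      outbound connections to TCP port 80
#   2. a WPAD/PAC file that points browsers at the proxy on 127.0.0.1
# Assumptions: the account name and listening port are passed in by the
# caller; 3128 is Squid's default http_port.

# gen_filter_rules USER -> rules on stdout, non-zero if USER is unknown
gen_filter_rules() {
    user=$1
    # Resolve to a numeric uid so a mistyped account name fails here
    # instead of when the rules are loaded.
    uid=$(id -u "$user" 2>/dev/null) || {
        echo "unknown user: $user" >&2
        return 1
    }
    # Order matters: the ACCEPT for the proxy uid must precede the
    # REJECT that catches every other local process.
    cat <<EOF
*filter
-A OUTPUT -p tcp --dport 80 -m owner --uid-owner $uid -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# gen_wpad [PORT] -> PAC file contents (served as wpad.dat) on stdout
gen_wpad() {
    port=${1:-3128}
    case $port in
        *[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    # Browsers reach the proxy over loopback, so the port 80 rules
    # above never apply to the browser-to-proxy connection itself.
    cat <<EOF
function FindProxyForURL(url, host) {
    return "PROXY 127.0.0.1:$port";
}
EOF
}
```

As root, the output of `gen_filter_rules` can be loaded with `iptables-restore --noflush` so existing rules are kept. IPv6 traffic needs the same rules loaded through `ip6tables-restore`.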
