Re: [squid-users] Squid, squidGuard and Interception proxying

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 24 May 2011 12:39:38 +1200

 On Mon, 23 May 2011 13:55:52 -0500, Brent Norris wrote:
> List,
> I currently have squid setup as an interception proxy in my school
> district. I also have it configured on our static network machines.
> I understand that squid will not work as an interception proxy for
> anything that isn't standard HTTP, according to documentation
> available on the web.
>
> What I was wondering though is if there was a way that I could set my
> Linux server up to accept other kinds of traffic (HTTPS, Streaming
> media) and pass that traffic on without really proxying it, but still
> comparing it against my squidguard lists?

 Think about that. Comparing random IP packets against squidguard HTTP
 rules.

 IP packet handling is a firewall duty. You will have to duplicate your
 SG rules in the firewall.

>
> I do a lot of filtering of objectionable sites for our students in
> squidguard and it would be a very big hole to get to all those sites
> through if the students are using HTTPS to get to them.
>
> I am not really set in any specific way. If someone has a better
> idea about how I should go about it, please feel free to give me any
> pointers that you might have.

 We officially recommend using interception as a very *last* resort. It
 is dangerous with nasty side effects, just like NAT on which it is
 based. You have just noticed one of the security holes.

 The recommended network setup has multiple ways software can find its
 way to the proxy. WPAD and PAC, local environment variable on fixed
 machines.
 The details are outlined in the FAQ at
 http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers

 Amos
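As an added illustration of the explicit-proxy setup Amos points to (not code from the thread or the Squid project), below is a minimal PAC file of the kind WPAD would serve. The proxy name proxy.example.lan:3128 and the internal domain .example.lan are assumptions; the two PAC helpers are re-implemented so the file also runs under Node for testing.

```javascript
// Minimal proxy auto-config (PAC) file. Browsers call FindProxyForURL()
// for every request, HTTPS included, so the proxy sees a CONNECT with the
// destination hostname and squidGuard can apply its lists to it.
// Assumed names: proxy.example.lan:3128 (the Squid box), .example.lan (LAN).

// PAC engines supply these two helpers natively; they are defined here so
// the same file can be exercised outside a browser.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(host.length - domain.length) === domain;
}
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function FindProxyForURL(url, host) {
  var h = host.toLowerCase();

  // Intranet names (no dots) and the district's own domain bypass the proxy.
  if (h === "localhost" || isPlainHostName(h) || dnsDomainIs(h, ".example.lan")) {
    return "DIRECT";
  }

  // Everything else goes through Squid. No "; DIRECT" fallback is listed:
  // a fallback would silently bypass filtering whenever the proxy is down,
  // which is exactly the hole interception was leaving open. Pair this with
  // firewall rules that drop direct outbound 80/443 from client subnets.
  return "PROXY proxy.example.lan:3128";
}
```

Serving this file via WPAD (DHCP option 252 or a wpad.example.lan DNS name) covers machines that cannot be configured statically.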
Received on Tue May 24 2011 - 00:39:43 MDT