[squid-users] Basic questions about Squid capabilities

From: Jason Voorhees <jvoorhees1_at_gmail.com>
Date: Sun, 20 May 2012 11:47:03 -0500

Hi people:

I've been a Squid user for a long time, but my skills, I believe, aren't
high enough to implement some of the features I'm asking about in this
e-mail.

In a university there are 6000-8000 users (spread across a big
campus through different VLANs, offices and even metro-ethernet connected
branches) browsing the Internet through two lines of 80 and 70 Mbps.
Currently there's a Fortinet appliance doing the job of web
filtering, with some interesting features I'd like to implement with
Squid too. These are the pros and cons of Fortinet:

cons
====
- It doesn't have a cache (at least not an effective one)
- When Fortinet implements too many bandwidth rules (something like
Squid delay pools) it begins to work slowly and browsing becomes
slow too.

pros
====
- It has a feature to transparently block HTTPS websites. The Fortinet
admin told me that only for blocked web pages do users get a warning about an
incorrect certificate (a Fortinet digital certificate), but for
allowed websites users don't get any warning about failing digital
certificates (I don't know if this is true or possible).
- Its web filtering is good; it has an up-to-date database of
categorized websites for easy blocking.

What I plan to do is (or what I'd like to do):

- Put Squid in front of Fortinet so the latter can use Squid's cache. I
read this is possible using WCCP and some other things.
- Squid should work as a replacement for Fortinet if it someday
fails. So Squid is the backup solution to replace Fortinet.

So to achieve this I think I need:

a) Do good filtering: I was thinking about configuring Squid +
SquidGuard with a free database, but I have a simple and basic
question here: when I use a redirector like SquidGuard... will all Squid ACLs
definitely stop working? I mean, can I use a redirector and still
use my traditional ACLs (acl, http_access, http_reply_access)? The last
time I used a redirector with Squid I noticed that all ACLs
weren't even read by Squid, so I have this doubt.

b) Integrate Fortinet with WCCP: I quickly looked at a few tutorials on how
to do that but... have you achieved this without problems?

c) Do a transparent HTTPS proxy with Squid: I tried to use the https_port +
ssl-bump feature of Squid 3.1 and iptables (REDIRECT port 443 to 3128)
without 100% success. I generated my own certificate, and that is the
one users get when trying to view some websites (e.g.
facebook.com), which is OK, but some websites didn't
work as expected: some websites loaded OK, some loaded without CSS
stylesheets or images, and some others never loaded (I got the
"redirect loop" error in the browser). I wasn't able to build Squid
3.2, but I don't know if it's necessary to use this version to get the
transparent HTTPS proxy feature working.

d) Cache performance: Are there any special Squid settings that help
me improve or get the maximum performance out of my cache? Is Squid the
best open source solution to implement a powerful cache for my users?

I hope someone with some extra free time can help with suggestions or
ideas, or point me to some articles on the Internet about these features.

Thanks
Received on Sun May 20 2012 - 16:47:10 MDT
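An added example, not part of the original post, of a squid.conf fragment that combines the pieces asked about in (a), the delay pools mentioned in the cons, and the basic cache settings from (d); the networks, file paths and sizes are placeholders, and squidGuard is assumed installed at /usr/bin/squidGuard.

```conf
# Added example (not from the original post). Squid evaluates http_access
# before it hands a request to url_rewrite_program, so the traditional ACLs
# keep working alongside a squidGuard redirector: a request denied by
# http_access never reaches the rewriter at all.

# Campus client networks (placeholder ranges)
acl campus src 10.10.0.0/16 10.20.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80 443 21 1025-65535
acl CONNECT method CONNECT

# Local deny list kept by the Squid admin, independent of squidGuard's database
acl local_block dstdomain "/etc/squid/local_block.txt"

# Request-side policy, evaluated top to bottom, first match wins
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny local_block
http_access allow campus
http_access deny all

# Reply-side policy still applies after the rewriter has run (placeholder rule)
acl video_reply rep_mime_type -i ^video/
http_reply_access deny video_reply
http_reply_access allow all

# squidGuard as the URL rewriter; only requests http_access allowed get here
url_rewrite_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
url_rewrite_children 10
# off: requests wait for a free helper rather than skipping the filter
url_rewrite_bypass off
# Send only campus client requests through the rewriter
url_rewrite_access allow campus
url_rewrite_access deny all

# Bandwidth shaping: one class 2 pool (aggregate bucket + per-client bucket).
# Values are bytes/second and bucket size in bytes; -1 means unlimited.
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 128000/512000
delay_access 1 allow campus
delay_access 1 deny all

# Basic cache sizing (placeholder sizes; aufs needs Squid built with that store)
cache_mem 2048 MB
maximum_object_size_in_memory 512 KB
cache_dir aufs /var/spool/squid 100000 16 256
maximum_object_size 512 MB
```

Run `squid -k parse` after editing to have Squid report any directive it does not accept in the installed version.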