Re: [squid-users] Content filtering, password-bypass & client configuration.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 20 Feb 2009 22:31:27 +1300

Stroller wrote:
> Many, many thanks for your reply, Amos.
>
> It took me some days to follow up your comments, and I have been reading
> the Squid documentation you referred me to in the last week. It seems
> very good, however I have a couple of questions.
>
>
> On 4 Feb 2009, at 05:13, Amos Jeffries wrote:
>> Stroller wrote:
>>>
>>> With transparency, the machine has two NICs and everything goes
>>> through it, right?
>>
>> Maybe no, maybe yes. Transparency, Interception, and NICs are not
>> related.
>> http://wiki.squid-cache.org/ConfigExamples/Intercept
>>
>>
>>> But if it's not transparent then it's just another IP on the LAN (??)
>>> and that has to be entered into Internet Explorer's configuration
>>> options. I can block outgoing connections to port 80
>>> (except those made by the Squid box) at the ADSL router, and because
>>> all the PCs are in a Windows domain I can use Policies to set that on
>>> all clients. However this stitches up 2 or 3 laptop users - if I
>>> force them to proxy through 192.168.4.2 then they won't be able to
>>> surf the net when they take their laptops home (where there is no
>>> proxy at that address).
>>
>> The solution is to do the above for permanent machines. And try WPAD
>> for the laptops and guest machines.
>> http://wiki.squid-cache.org/Technology/WPAD
>
>
> I initially read this as "the solution is to use interception for
> permanent machines and WPAD for laptops and guests".
> I think this has led me to make things more complicated than necessary,
> but I am still curious about such a configuration.

Sorry, what I meant by the above was the second part of what you said.
"if I force them to proxy through 192.168.4.2".
So, the manual proxy configuration for the permanent machines. Not
transparent.
And WPAD for those 2-3 laptops. WPAD can even be installed locally and
written to detect what network the laptop is on. So you get away from
any DNS/DHCP issues.

>
> We have a common /24 LAN with gateway 192.168.1.1, Squid running on
> 192.168.1.42 and various desktop PCs 192.168.1.100 - 200. Can we
> redirect at the gateway so that when a desktop PC sends a packet with a
> port 80 destination, the gateway redirects the packet to port 3128 of
> the Squid proxy, which is on the same ethernet switch as the PCs, all on
> the LAN side of the router?
>

Yes, possible, that's basic interception. But you needed auth to work,
yes? That's why we stuck with the WPAD option for roaming laptops.

> Sorry if I explain this question badly. I am unclear whether the
> interception examples using iptables are intended for sites trying to
> proxy in front of their own webservers (I think this is done to reduce
> load on dynamic sites, eg those that use PHP) or whether they are
> intended for sites like mine, trying to force proxying on the users.

All the wiki ConfigExamples/Intercept/* are for ISP or enterprise
gateway type situations, where traffic can be diverted through squid.
The website accelerator ones are in a different section
(ConfigExamples/Reverse/*).

>
> The difference between these two scenarios is that packets approach the
> router from "different sides". If one proxies for one's own webserver
> then the router receives packets on the WAN port & redirects them to the
> LAN. In my example the packets are sent to the LAN port of the router &
> redirected to another machine, also on the LAN - they use the same
> interface, doesn't this cause collisions?

If not done right, yes.

> Also, doesn't the Squid
> machine think the packets are originating from the router and not the
> desktop PC? Someone else has asserted this to be the case, and I am
> unable to answer.

Only if NAT is done on the router, rather than policy-routing first and
doing the NAT on the squid box.

>
> Stepping back from this confusion for a moment, I think the thing to do
> for my scenario is to block all outgoing port 80 connections at the
> router, except those initiated by the Squid machine. Then use WPAD /
> Windows domain rules to point to the Squid proxy.

Yes, that was what I meant initially. Sorry for the confusion.

>
> Regarding ACLs: is it possible to have certain sites unrestricted, and
> only ask users for a password if they want to access sites that are not
> on that list?

Yes. The config looks like:

  # localnet and loggedIn are assumed definitions; the original list only
  # gave the rules. proxy_auth also needs an auth_param scheme configured.
  acl localnet src 192.168.1.0/24
  acl loggedIn proxy_auth REQUIRED
  acl okSites dstdomain .example.com
  http_access allow localnet okSites
  http_access deny localnet !loggedIn
  http_access allow localnet
  http_access deny all

>
> Blimey! My head is melting. Sorry if my questions are ill-formed, and
> many thanks for the help you have already given,
>
> Stroller.
>

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.5
Received on Fri Feb 20 2009 - 09:31:16 MST
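An added example, not part of the thread: a WPAD/PAC script of the kind Amos suggests for the roaming laptops, written to detect whether the machine is on the office network before pointing it at Squid. The LAN (192.168.1.0/24) and the proxy address (192.168.1.42:3128) are the ones given in the thread; the internal-only hostname squid.office.internal, and the offline stand-ins for the browser's PAC helper functions at the bottom, are assumptions made for this example. It also handles the case the "just check my subnet" approach gets wrong: a laptop at home on a router that also hands out 192.168.1.x.

```javascript
// Added example PAC script (not from the squid-users thread).
// Addresses are those given in the thread; the marker hostname is assumed.
var OFFICE_NET = "192.168.1.0";
var OFFICE_MASK = "255.255.255.0";
var OFFICE_PROXY = "PROXY 192.168.1.42:3128";   // deliberately no "; DIRECT" fallback
var OFFICE_MARKER = "squid.office.internal";    // assumed: resolvable only via office DNS
var OFFICE_MARKER_IP = "192.168.1.42";

// Core decision, kept free of browser-only calls so it can be tested offline.
//   myIp    - the client's own address (what myIpAddress() returns)
//   host    - destination hostname taken from the URL
//   resolve - function(name) -> dotted quad or null (dnsResolve in a browser)
function chooseProxy(myIp, host, resolve) {
  // Plain (unqualified) names and addresses on the LAN never go via the proxy.
  if (isPlainHostName(host)) return "DIRECT";
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) &&
      isInNet(host, OFFICE_NET, OFFICE_MASK)) return "DIRECT";

  // Being in 192.168.1.0/24 is not proof of being at the office: many home
  // routers hand out the same range. Also require an office-only name to
  // resolve to the expected address, so a laptop at home on 192.168.1.x
  // goes DIRECT instead of hanging on a proxy it cannot reach.
  var onOfficeLan = isInNet(myIp, OFFICE_NET, OFFICE_MASK) &&
                    resolve(OFFICE_MARKER) === OFFICE_MARKER_IP;
  return onOfficeLan ? OFFICE_PROXY : "DIRECT";
}

// Entry point the browser calls for every URL.
function FindProxyForURL(url, host) {
  return chooseProxy(myIpAddress(), host, dnsResolve);
}

// ---- Offline stand-ins for the PAC engine's helpers ----------------------
// A browser supplies isInNet/isPlainHostName/myIpAddress/dnsResolve itself.
// These constructed definitions only take effect when no such helper exists,
// i.e. when the script is run outside a browser (e.g. under node) for testing.
if (typeof isInNet !== "function") {
  var dottedQuadToInt = function (s) {
    var parts = String(s).split(".");
    if (parts.length !== 4) return null;
    var n = 0;
    for (var i = 0; i < 4; i++) {
      if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
      n = n * 256 + Number(parts[i]);
    }
    return n;
  };
  // True when ip lies inside net/mask; false for anything unparseable.
  var isInNet = function (ip, net, mask) {
    var a = dottedQuadToInt(ip), n = dottedQuadToInt(net), m = dottedQuadToInt(mask);
    if (a === null || n === null || m === null) return false;
    return ((a & m) >>> 0) === ((n & m) >>> 0);
  };
  // PAC semantics: a hostname with no dots is "plain".
  var isPlainHostName = function (host) { return String(host).indexOf(".") === -1; };
}
```

Two points worth knowing before relying on this: myIpAddress() returns one address chosen by the browser, which on a laptop with VPN or virtual adapters may not be the LAN one, so the DNS marker check is what actually carries the decision; and the proxy entry has no "; DIRECT" fallback on purpose, because with the router blocking port 80 from everything but the Squid box a fallback would only turn a proxy outage into a silent filter bypass on networks where the block is absent.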
