Re: [squid-users] Transparent Proxy

From: Alfredo Rezinovsky <alfrenovsky_at_gmail.com>
Date: Thu, 08 Aug 2013 08:38:47 -0300

On 07/08/13 16:02, Roman Gelfand wrote:
> Is there a way I could control access to various sites based on user
> regardless of workstation they are on? All in transparent proxy.
>
> Thanks in advance
>
I did this a long time ago.

I had a terminal server, so all the users came from the same IP.
I did an ident authentication.

ident is a simple (and very old) protocol.
1. A client with clientIP connects from sourcePort to ProxyIP/ProxyPort
2. The ident helper in squid asks clientIP who was the user connecting from
sourcePort to ProxyPort
3. The ident daemon (or service on Windows) replies with the username in
plain text.

Problems:
* Some antivirus software on the clients can see the ident service as a security
threat
* Because ident is a very old and insecure protocol, you need to be the
only admin in the clients so you can trust the ident answer.
* There are a lot of fake ident services for Windows. They always answer
with the same username. You need a real ident.
* When using a transparent proxy there's some NAT involved, so the client
doesn't really connect to proxyIP/ProxyPort. You need an ident NAT
handler in your server.
* Because of the NAT handling, the NAT and the proxy should be on the
same server (usually the default gateway for the clients)
* I did this a long time ago, so I don't remember how to work around the
NAT problem. All I remember is that it is possible.

If the clients are Windows machines logged in to a domain, I think you can also try NTLM.
Received on Thu Aug 08 2013 - 11:38:57 MDT
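The ident exchange and the two pitfalls described above (the NAT port mismatch and a fake identd that answers every query with one name), as an added example that is not part of the original post or of Squid's own helper; the identd is simulated in memory, and every port and user name is a constructed sample value.

```python
# Added example (not from the original post): a minimal RFC 1413 ident
# exchange with a simulated client-side identd. Shows what the proxy's ident
# helper asks, why a NATed transparent proxy must ask about the port pair the
# client actually sees, and how a fake identd gives itself away.
import re

def build_query(client_port, proxy_port):
    """Query sent to the client's identd: "<port on client> , <port on proxy>"."""
    return f"{client_port} , {proxy_port}\r\n".encode()

REPLY_RE = re.compile(rb"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\r?\n?$")

def parse_reply(raw):
    """Parse an ident reply into {"ports", "user", "os"} or {"ports", "error"}."""
    m = REPLY_RE.match(raw)
    if not m:
        raise ValueError("malformed ident reply")
    cport, pport, kind, rest = int(m[1]), int(m[2]), m[3].decode(), m[4].decode()
    if kind == "ERROR":
        return {"ports": (cport, pport), "error": rest.strip()}
    opsys, _, user = rest.partition(":")
    return {"ports": (cport, pport), "os": opsys.strip(), "user": user.strip()}

class Identd:
    """Simulated identd. conns maps (local_port, remote_port) -> user as the client's
    kernel sees the connection. A fake identd ignores the table and always returns
    fake_user, even for connections that do not exist."""
    def __init__(self, conns, fake_user=None):
        self.conns, self.fake_user = conns, fake_user

    def respond(self, query):
        cport, pport = (int(x) for x in query.decode().split(","))
        user = self.fake_user or self.conns.get((cport, pport))
        if user is None:
            return f"{cport} , {pport} : ERROR : NO-USER\r\n".encode()
        return f"{cport} , {pport} : USERID : UNIX : {user}\r\n".encode()

def lookup_user(identd, client_port, proxy_port):
    """What the proxy's helper learns for one port pair (None on ERROR)."""
    reply = parse_reply(identd.respond(build_query(client_port, proxy_port)))
    return reply.get("user")

def answers_for_nonexistent(identd, unused_port=65000, proxy_port=3128):
    """Fake-identd check: a real identd says NO-USER for a connection that does
    not exist; a responder that still names a user is not trustworthy."""
    return lookup_user(identd, unused_port, proxy_port) is not None
```

Behind NAT the client's kernel records the connection as sourcePort to the origin server's port 80, not to the proxy's port 3128, so the helper must query (sourcePort, 80) or it will get NO-USER for every real connection.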
