[squid-users] Squid applying acls differently when transparent & non transparent proxy

From: Andrew Wood <andrew_at_perpetualmotion.co.uk>
Date: Wed, 4 Sep 2013 15:40:54 +0100

My Squid proxy, which is being used to prevent access to inappropriate sites and to display a session splash / AUP page to public visitors on the public wifi VLAN subnet, works great when transparently intercepting traffic via NAT/iptables but intermittently fails to block stuff when the client is set to explicitly use the proxy. Does Squid see the source or dest IP differently in this case?

Is it possible to block Squid from accepting stuff which hasn't been transparently intercepted, so clients can't manually set the proxy to circumvent the acls?

If I block non transparently intercepted traffic I have a further issue...
I need to allow https through Squid somehow, and as I understand it there are 3 ways to do it:

1. Transparently intercept port 443 with bump client-first man-in-the-middle

2. Configure clients to explicitly use the proxy for https via a CONNECT tunnel

3. Transparently intercept port 443 with bump server first & dynamic certificate generation

Option 1 is ruled out as visitors will be spooked by the browser warnings

Option 2 requires the client to be explicitly configured, which with BYOD means a PAC file set via DHCP or DNS, but this is problematic with many browsers and means Squid will need to accept non transparently intercepted traffic, and as mentioned at the start this is causing problems with the acls.

Option 3 is promising but how transparent is the dynamic cert generation? Do browsers still need to be configured to accept our gateway as a CA or is the remote server cert passed through verbatim?

Hope this makes sense. I've experimented with many things but it's looking increasingly like I'm going to have to block non intercepted stuff (how?) and go with option 3.

Many thanks
Andrew

Sent from iPhone
Received on Wed Sep 04 2013 - 14:41:28 MDT
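The post asks how to stop clients from bypassing the interception ACLs by pointing their browser at the proxy port directly, and whether option 3 is invisible to the client. The squid.conf fragment below is an added example, not configuration from the original post or from the Squid project's own documentation. It assumes the Squid 3.3-era `ssl_bump server-first` syntax the post refers to, a hypothetical admin subnet 192.0.2.0/24 that is still allowed to use the explicit port, and placeholder paths for the CA certificate and the `ssl_crtd` helper (both differ per distribution). The trick is to tag each listening port with `name=` and then use the `myportname` ACL to deny anything that did not arrive on an intercept port.

```conf
# --- Listening ports, each tagged so ACLs can tell them apart ---
# Plain HTTP arriving via the NAT/iptables REDIRECT rule
http_port 3129 intercept name=intercepted_http

# HTTPS arriving via REDIRECT of port 443; server-first bump with
# dynamically generated host certificates (option 3 in the post).
# The cert= path is a placeholder for the proxy's own CA key+cert.
https_port 3130 intercept ssl-bump name=intercepted_tls \
    generate-host-certificates=on dynamic_cert_mem_cache_size=4MB \
    cert=/etc/squid/ssl_cert/proxyCA.pem

# Helper that mints the per-host certificates; path is distribution-specific.
sslcrtd_program /usr/lib/squid/ssl_crtd -s /var/lib/squid/ssl_db -M 4MB
ssl_bump server-first all

# The explicit port stays open only so admins can test the proxy.
http_port 3128 name=explicit

# --- ACLs ---
acl from_intercept myportname intercepted_http intercepted_tls
acl from_explicit  myportname explicit
acl admin_net      src 192.0.2.0/24          # assumed admin subnet
acl guest_net      src 10.200.0.0/16         # assumed public wifi VLAN
acl blocked_sites  dstdomain "/etc/squid/blocked_sites.txt"   # assumed list

# --- Access policy: evaluated top to bottom, first match wins ---
# 1. Refuse explicitly-configured clients unless they come from admin_net.
#    This is the "block non-intercepted stuff" the post asks about.
http_access deny from_explicit !admin_net

# 2. Content filter applies to everything that got this far,
#    so it now catches intercepted and admin-explicit traffic alike.
http_access deny blocked_sites

# 3. Normal allow rules, then a default deny.
http_access allow guest_net from_intercept
http_access allow admin_net
http_access deny all
```

Two caveats that follow from this setup. First, `myportname` only protects the ports Squid itself opens; the firewall on the guest VLAN should still drop packets addressed to 3128 so that the ACL is a second line of defence rather than the only one. Second, on option 3 the answer to the post's question is no: `generate-host-certificates` produces a certificate signed by the proxy's own CA for every bumped site, it does not pass the origin server's certificate through, so browsers will show the same warnings as client-first bumping unless the proxy CA has been installed as trusted on the device. If installing a CA on visitor devices is not acceptable, HTTPS cannot be filtered by hostname through a bump; the practical alternative is to intercept 443 without bumping and rely on destination IP/SNI-based rules only.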
