Solved

"Broadcasting" a proxy address from Red Hat 8 Server

Posted on 2006-04-17
Last Modified: 2010-03-18
We have web filter software running on a Red Hat 8 server.  For the filtering to work, we have to go into IE and Firefox on each machine and change the settings to use a proxy server address.  However, if the user knows how to change it back to "auto", they bypass the filter.  What I want to do is have all users go through the filter then turn off Internet access unless they go through the proxy first.  Is there a way to "broadcast" the proxy address and port from the Linux server without having to go to each person's machine?  Currently, we are going to each machine and specifying the proxy and port in LAN settings.  It seems like this would not allow them to surf outside of our network.  I.e., if they took their laptop home.  Plus, it is time consuming to go to each machine and change these settings.
Question by:shannon_adams

Expert Comment

by:Nopius
ID: 16473973
There is a way to set up an 'auto' proxy address.

For doing that, you need:
- DHCP server (optional)
- all machines configured with the same domain suffix (this can be done via DHCP)
- DNS server (it should be the owner of the master zone of your domain; it may be a local domain suffix)
- Apache server
- basic knowledge of JavaScript.

It's a good starting point: http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

Common steps are:
1) Configure your DNS: add a 'wpad' host entry pointing to your Apache server
2) Configure your Apache web server: add a wpad.yourdomain.com virtual host
3) Create a JavaScript file wpad.dat and place it in the root directory of wpad.yourdomain.com. Your proxy address will be there.
4) Configure Apache to provide the content type 'application/x-ns-proxy-autoconfig' for the file wpad.dat



0
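A wpad.dat of the kind step 3 describes, as an added example that is not part of the original answer. The proxy host proxy.yourdomain.com, port 3128 and the local suffix yourdomain.com are assumed placeholders, and it uses plain JavaScript instead of the browser's PAC helper functions so it also runs outside a browser.

```javascript
// wpad.dat -- added example, not from the original thread.
// Assumed placeholders: proxy.yourdomain.com:3128 and yourdomain.com.
var PROXY = "PROXY proxy.yourdomain.com:3128";

// True when host is a literal IPv4 address in a private or loopback range.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = parseInt(m[1], 10), b = parseInt(m[2], 10);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// True when host is the domain itself or a subdomain of it.
// The leading dot keeps "evilyourdomain.com" from matching "yourdomain.com".
function inDomain(host, domain) {
  if (host === domain) return true;
  var suffix = "." + domain;
  return host.length > suffix.length &&
         host.lastIndexOf(suffix) === host.length - suffix.length;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // A bare name has no dot and no colon (a colon means an IPv6 literal).
  var bareName = host.indexOf(".") === -1 && host.indexOf(":") === -1;
  // Intranet traffic skips the filter: bare names, local domain, private IPs.
  if (bareName || inDomain(host, "yourdomain.com") || isPrivateIPv4(host)) {
    return "DIRECT";
  }
  // No "; DIRECT" fallback: if the proxy is down, browsing fails closed
  // instead of silently going around the filter.
  return PROXY;
}
```

For step 4, Apache's `AddType application/x-ns-proxy-autoconfig .dat` in the wpad virtual host sets the content type. A user can still switch the browser off auto-detect, so this distributes the setting but does not by itself enforce the filter.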
 
LVL 19

Accepted Solution

by:
Gabriel Orozco earned 2000 total points
ID: 16474457
shannon_adams:

What you need in order to prevent users from bypassing the proxy is the "transparent proxy" feature of squid.

First you need to redirect ALL outgoing http requests from tcp/80 to port 3128 (where squid listens) with:
iptables -t nat -A PREROUTING -p tcp -i $LAN  --dport 80 -j REDIRECT --to-port 3128
($LAN should be replaced by your LAN interface: eth0 or eth1 or whatever it is)

Then in squid be sure you add these rules:
    * httpd_accel_host virtual
    * httpd_accel_port 80
      (or whatever port you want to proxy)
    * httpd_accel_with_proxy on
    * httpd_accel_uses_host_header on


Well, I found a good howto:
http://www.linuxdevcenter.com/pub/a/linux/2001/10/25/transparent_proxy.html

and this is a quick howto:
http://www.tldp.org/HOWTO/TransparentProxy.html
0
 
LVL 19

Expert Comment

by:Gabriel Orozco
ID: 16474471
One more thing...

Upgrade your system!!! RedHat 8 is out of support, and being an rpm-based distro, it's more difficult to keep those boxes secure.

Regards
0
 
LVL 5

Expert Comment

by:ranadastidar
ID: 16485927
One simple XP-based solution I can tell you: just go to Run under XP and type mmc; it'll open a window. Then go to File and click on Add/Remove Snap-in, then add Group Policy. Then choose
User Configuration and then Windows Components, and then click on the internet disable connection tab as well as select the proxy option; in this way the user won't be able to change the proxy setting.
0
