Pyromanci

asked on

A Linux Based Proxy Server

Hello,

I'm looking for a proxy server that runs on Linux and uses user authentication. I have only ever set up proxy servers in a Windows environment. I've looked around on Google, and 90% of my Google searches were pulling in how to set your IPTables and routes on Linux to do your proxy.

Other than that, the other information was about Apache and Squid. Squid looked nice, but I couldn't see if it supported user authentication or not. Then Apache proxy looked to be more for the Apache webserver than a real proxy server.

See, I'm wanting to move our proxy traffic off our internal network and put the server on one of our off-site servers. This way we free up more bandwidth in our VPN. The usernames and passwords define what sites (if any) they are allowed to browse to.

Any advice is really helpful. Not sure why this got classified as "Virus & Spyware" when I told it just plain Security >> Internet Security

MikeKane

Apache is HTTP, Squid is the proxy. The beauty of Squid is that it can be configured to support a lot of different requirements.

Squid can be set up to use LDAP (Microsoft AD) for authentication.... A quick search yielded many hits with HOW TO links.
i.e. http://www.cyberciti.biz/tips/howto-configure-squid-ldap-authentication.html

But before you run off and look at squid...  Think about the ramifications of moving your proxy offsite.    I think this move would actually increase traffic across your wan link.  

Consider the following:
1) While internal, all authentication is on the inside network.   External, all that traffic must now flow outside the WAN...  plus you open your LDAP server to the public?   Never a good idea.  

2) Proxy servers can also function (to an extent) as a caching engine so that the same web page is pulled down once by the proxy, then multiple clients use the proxy cache to load the page instead of going outbound to load the same graphics multiple times.  

3) All web requests will now need to leave the network to get to the proxy anyway and the proxy must return the pages to the client across the WAN.   What's the difference between the proxy delivering pages vs. the real server delivering pages?  

4) This adds a level of complication to the service I don't think is needed.


Pyromanci (ASKER)

Well, I was not planning on doing any authentication to Microsoft AD. See, we have 32 remote locations; those locations only have 2 computers at them (except 1 which is a branch office and has 30 computers, none of which are proxy restricted; the others are retail stores). We only lock down internet because the computers are in retail stores for our Point of Sales software, and keeping it locked down prevents the employees from goofing off on Facebook, MySpace, email, etc. and not doing their job.

By default all staff members are only allowed access to 20 sites outside the internal network. These are sites that they all have to visit often for training and such. Randomly I have to add a new allowed site into the proxy or take one out because of new training procedures or something. Because of this, programming in a dead-end proxy address and filling the allowed URLs into the proxy bypass in the browser's settings is in no way a doable solution, since that would mean modifying 62 computers to make the change.

The Managers and Facilities need open access when they are at the stores and they need it often. This creates tons of traffic on our VPN, which slows down the overall performance of our network. This is why I want to move the proxy server to a WAN destination, not a LAN destination.

Hope that clears this up.
So the overall goal is to reduce the amount of traffic coming into your HQ network....  

If I read correctly... Each branch (32 of them) has internet service with a VPN tunnel back to the HQ.    The PCs at the branch need to be restricted so that they have access to only an approved set of websites.  However, managers need full access with no restrictions.  You would like this to be centrally managed as well.  

It sounds as if you will need some sort of authentication to tell the difference between a manager and normal staff so the right level of access can be provided.  

With all that understood...  have you considered a Group Policy solution?   If all the machines are running the same version of IE, then you should be able to create a GPO to only allow "approved" websites.     GPO can be centrally managed at the DC and pushed out to all machines on logon.    

http://www.windowsecurity.com/articles/Restricting-Specific-Web-Sites-Internet-Explorer-Using-Group-Policy.html

Here's a question...  Are the sites' VPN tunnels running split tunnel configs where network traffic is VPN'd but public traffic is not?
Group Policy will not work either because the remote computers are not on the domain (we tried doing it this way in the past, but it caused major problems when they couldn't log in because the internet or the VPN went down, so they couldn't use the POS software), and they all use the same login. That is why I'm looking for a simple proxy server software for Linux that can do a basic whitelist and then user authentication for anything outside the whitelist.

Yes, the VPN connection is done via our ActionTec GT724R ADSL routers at the remote locations, which are set up with split tunnels. The private IP range is sent into the HQ via
ASKER CERTIFIED SOLUTION
MikeKane

This solution is only available to members.
Actually we already have 6 servers that are colo which I was planning on putting the proxy server on, and they all run CentOS.

So Squid would do a whitelist with simple authentication then for anything beyond the whitelist?
With Squid, there is a huge community with plenty of examples....  

A quick search of the squid Wiki got me these:
http://wiki.squid-cache.org/Features/Authentication
http://www.linux-faqs.com/Forum/viewtopic.php?t=28

If you use blocking by IP range:
https://www.experts-exchange.com/questions/24465513/SQUID-How-to-restrict-access-to-certain-websites-for-certain-users.html

General help:
http://fixunix.com/squid/

Just google it and you'll find lots of hits....
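
A minimal squid.conf for the setup discussed in this thread (a whitelist open to every store PC, a login required for anything else), added here as an example and not part of any poster's reply. The file paths, the helper location and the source address ranges are assumptions to adapt.

```conf
# /etc/squid/squid.conf (added sketch; paths and addresses are assumptions)

# Basic auth against a local htpasswd-style file, so no LDAP/AD server
# has to be reachable from the off-site host.
# Helper name and location vary by Squid version and distro:
# older packages ship "ncsa_auth", Squid 3.2+ ships "basic_ncsa_auth".
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Store proxy
auth_param basic credentialsttl 2 hours

# Only the stores' public addresses may use the proxy at all.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation placeholders.
acl stores src 203.0.113.0/24 198.51.100.0/24

# One domain per line, e.g. ".training.example.com" (constructed sample).
# Edit this file and run "squid -k reconfigure" to change the list
# for every store at once.
acl whitelist dstdomain "/etc/squid/whitelist.txt"

# Any user with valid credentials in /etc/squid/passwd
# (created with: htpasswd -c /etc/squid/passwd <username>).
acl authenticated proxy_auth REQUIRED

acl SSL_ports port 443
acl CONNECT method CONNECT

# Rules are evaluated top to bottom; the first match wins.
# Whitelisted sites are allowed before any auth rule, so staff are
# never prompted; everything else triggers a login challenge.
http_access deny !stores
http_access deny CONNECT !SSL_ports
http_access allow whitelist
http_access allow authenticated
http_access deny all

http_port 3128
```

Basic authentication only base64-encodes the credentials, so between a store and an off-site proxy they cross the internet unencrypted; the `stores` source restriction limits who can reach the proxy but does not protect the password in transit.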