I am working with QLproxy (on a Linux box), which uses squid/3.3.8. I originally set it up with AD/LDAP authentication, which works fine. However, I need to be able to run most clients through the proxy transparently. From experience and docs, a transparent setup breaks authentication, because of browser behavior.
What I would like to set up is to have all transparent traffic run through a strict policy, but give some users the option to configure their browser to use port 3128, so they can be authenticated to use a more relaxed policy. In our scenario, all user will be accessing the squid box via the same subnet, which is the reason for taking this approach.
If this is possible, I will need specific instructions for ACLs, etc....
Closest you can get to it is serving PAC via WPAD (ask google for examples)