Need help setting up squid/3.3.8 as transparent proxy AND authentication option

tamray_tech asked
Last Modified: 2014-06-04
I am working with QLproxy (on a Linux box), which uses squid/3.3.8. I originally set it up with AD/LDAP authentication, which works fine. However, I need to be able to run most clients through the proxy transparently. From experience and docs, a transparent setup breaks authentication, because of browser behavior.

What I would like to set up is to have all transparent traffic run through a strict policy, but give some users the option to configure their browser to use port 3128, so they can be authenticated to use a more relaxed policy. In our scenario, all users will be accessing the squid box via the same subnet, which is the reason for taking this approach.

If this is possible, I will need specific instructions for ACLs, etc....

Top Expert 2015

Commented:
It is a protocol limitation and you cannot have proxy authentication on a transparent proxy.

The closest you can get to it is serving a PAC via WPAD (ask Google for examples).

Author

Commented:
I just want to be sure I communicated my proposed scenario correctly. I fully understand that, straight up, transparent proxies do not work with authentication. However, my desired solution would be to run all users through transparently, unless they had manually configured their browser to use port 3128. Is this still an unworkable solution for squid?
Top Expert 2015

Commented:
You can even set up WCCP on a Cisco router and direct all web requests to the proxy cache.
Or take one of the hundreds of iptables recipes on how to do that (there are some on the squid site).
It is completely independent of what squid does with authentication.
Is your internet line so overloaded that you need a web cache on your side? Maybe you need a captive portal?
Top Expert 2015

Commented:
There might be legal issues with intercepting SSL this way, especially dropping financial liabilities on your company.

Author

Commented:
It's a K-12 environment. All users would be informed and have to agree to a disclaimer if they want access to SSL sites.
Top Expert 2015

Commented:
Especially when they are not in legal power to do so.... Just take care...

Author

Commented:
Solution provided works for transparent and authenticated traffic. This setup allows a more relaxed policy assigned to authenticated users.
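
The split the asker describes (intercepted traffic on a strict policy, browser-configured clients on port 3128 authenticated into a relaxed one) can be expressed in squid.conf as below. This is an added example, not the thread's accepted solution or QLproxy's own configuration; the port names, port 3129, the subnet and the list file paths are assumptions, and the AD/LDAP `auth_param` lines that already work are assumed to stay unchanged.

```conf
# Added example; names, subnet and file paths are assumptions.
# The existing AD/LDAP auth_param lines are kept as they are.

# Browser-configured clients connect here; proxy authentication works.
http_port 3128 name=explicit
# Redirected (iptables/WCCP) traffic lands here; it can never be challenged.
http_port 3129 intercept name=intercepted

acl via_explicit  myportname explicit
acl via_intercept myportname intercepted
acl localnet      src 192.168.0.0/24                        # constructed subnet
acl authed        proxy_auth REQUIRED
acl strict_ok     dstdomain "/etc/squid/strict_allow.txt"   # hypothetical list
acl relaxed_bad   dstdomain "/etc/squid/relaxed_deny.txt"   # hypothetical list

# Intercepted traffic: strict policy only. via_intercept is tested first on
# each line, so proxy_auth is never evaluated for these requests.
http_access allow via_intercept localnet strict_ok
http_access deny  via_intercept

# Explicit traffic: demand a login (407), then apply the relaxed policy.
http_access deny  via_explicit !authed
http_access deny  via_explicit relaxed_bad
http_access allow via_explicit localnet
http_access deny  all
```

Run `squid -k parse` before reloading to catch syntax errors. The interception port should only receive redirected packets, so block direct client connections to it at the firewall.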
