tamray_tech asked:
Need help setting up squid/3.3.8 as transparent proxy AND authentication option

I am working with QLproxy (on a Linux box), which uses squid/3.3.8. I originally set it up with AD/LDAP authentication, which works fine. However, I need to be able to run most clients through the proxy transparently. From experience and docs, a transparent setup breaks authentication, because of browser behavior.

What I would like to set up is to have all transparent traffic run through a strict policy, but give some users the option to configure their browser to use port 3128, so they can be authenticated to use a more relaxed policy. In our scenario, all users will be accessing the squid box via the same subnet, which is the reason for taking this approach.

If this is possible, I will need specific instructions for ACLs, etc....
gheist:
It is a protocol limitation and you cannot have proxy authentication on a transparent proxy.

The closest you can get to it is serving a PAC file via WPAD (ask Google for examples).
tamray_tech (asker):
I just want to be sure I communicated my proposed scenario correctly. I fully understand that straight up, transparent proxies do not work with authentication. However, my desired solution would be to run all users through transparently, unless they had manually configured their browser to use port 3128. Is this still an unworkable solution for squid?

gheist:
You can even set up WCCP on a Cisco router and direct all web requests to the proxy cache.
Or take one of the hundreds of iptables recipes on how to do that (there are some on the squid site).
It is completely independent of what squid does with authentication.
Is your internet line overloaded, so that you need a web cache on your side? Maybe you need a captive portal?
ASKER CERTIFIED SOLUTION
Avatar of tamray_tech
tamray_tech
gheist:
There might be legal issues in intercepting SSL this way, especially dropping financial liabilities on your company.

tamray_tech (asker):
It's a K12 environment. All users would be informed and would have to agree to a disclaimer if they want access to SSL sites.

gheist:
Especially when they do not have the legal power to do so... Just take care...

tamray_tech (asker):
The solution provided works for transparent and authenticated traffic. This setup allows a more relaxed policy to be assigned to authenticated users.
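As an added example (not the thread's own solution and not QLproxy's shipped configuration), here is a squid.conf fragment for the two-port layout the asker describes: intercepted traffic lands on a separate port with a strict, unauthenticated policy, while browsers explicitly configured for port 3128 must authenticate and then get the relaxed policy. The LDAP helper path and parameters, the blocklist file paths and the LAN range are placeholders to adapt to the site; the iptables rule shown in the comment is the usual REDIRECT recipe for sending port 80 to the intercept port.

```conf
# Two listeners, each given a name so ACLs can tell them apart.
# 3128: explicitly configured browsers (authenticated, relaxed policy)
# 3129: intercepted traffic, e.g. via
#   iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3129
http_port 3128 name=explicit
http_port 3129 intercept name=transparent

# Basic auth against AD/LDAP. Helper path, bind DN, base DN and server are
# placeholders for this site; the bind password is read from a root-only file.
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b "dc=example,dc=org" -D "cn=squid,dc=example,dc=org" -W /etc/squid3/ldap_pass -f "sAMAccountName=%s" -h ldap.example.org
auth_param basic children 5
auth_param basic realm Proxy
auth_param basic credentialsttl 1 hour

acl explicit_port    myportname explicit
acl transparent_port myportname transparent
acl authenticated    proxy_auth REQUIRED
acl localnet         src 10.0.0.0/8          # assumed LAN range

# Policy lists: the strict list is the larger one, applied to everyone who is
# not authenticated; the relaxed list applies only to authenticated users.
acl strict_block  dstdomain "/etc/squid3/strict_block.txt"
acl relaxed_block dstdomain "/etc/squid3/relaxed_block.txt"

# Intercepted traffic is decided first. Squid 3.3 refuses to challenge for
# credentials on an intercept port, so no proxy_auth ACL may be reached here.
http_access deny  transparent_port strict_block
http_access allow transparent_port localnet

# Explicit port: the deny on !authenticated is what sends the 407 challenge,
# after which the relaxed policy applies to the authenticated user.
http_access deny  explicit_port !authenticated
http_access deny  explicit_port relaxed_block
http_access allow explicit_port localnet authenticated

http_access deny all
```

Because only port 80 is redirected, HTTPS from unconfigured clients bypasses the proxy entirely unless a separate ssl_bump setup is added, which is the interception gheist warns about above.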