asked on
Need help setting up squid/3.3.8 as transparent proxy AND authentication option
I am working with QLproxy (on a Linux box), which uses squid/3.3.8. I originally set it up with AD/LDAP authentication, which works fine. However, I need to be able to run most clients through the proxy transparently. From experience and docs, a transparent setup breaks authentication, because of browser behavior.
What I would like to set up is to have all transparent traffic run through a strict policy, but give some users the option to configure their browser to use port 3128, so they can be authenticated to use a more relaxed policy. In our scenario, all user will be accessing the squid box via the same subnet, which is the reason for taking this approach.
If this is possible, I will need specific instructions for ACLs, etc....
What I would like to set up is to have all transparent traffic run through a strict policy, but give some users the option to configure their browser to use port 3128, so they can be authenticated to use a more relaxed policy. In our scenario, all user will be accessing the squid box via the same subnet, which is the reason for taking this approach.
If this is possible, I will need specific instructions for ACLs, etc....
LinuxWeb Browsers
Last Comment
tamray_tech
ASKER
I just want to be sure I communicated my proposed scenario correctly. I fully understand that straight up, transparency proxies do not work with authentication. However, my desired solution would be to run all users through transparently, unless they had manually configured their browser to use port 3128. Is this still an unworkable solution for squid?
You can even set up WCCP on cisco router and direct all web requests to proxy cache.
Or take one of hundreds of iptables recipes on how to do that (there are some on squid site)
It is completely independent of what squid does with authentication.
Is your internet line overloaded that you need web cache on your side? Maybe you need captive portal?
Or take one of hundreds of iptables recipes on how to do that (there are some on squid site)
It is completely independent of what squid does with authentication.
Is your internet line overloaded that you need web cache on your side? Maybe you need captive portal?
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
There might be legal issues on intercepting SSL this way, especially dropping financial liabilities on your company.
ASKER
Its a k12 environment. All users would be informed and have to agree to a disclaimer if they want access to ssl sites
Especially when they are not in legal power to do so.... Just take care...
ASKER
Solution provided works for transparent and authenticated traffic. This setup allows a more relaxed policy assigned to authenticated users.
Closest you can get to it is serving PAC via WPAD (ask google for examples)