tamray_tech
 asked on

Need help setting up squid/3.3.8 as transparent proxy AND authentication option

I am working with QLproxy (on a Linux box), which uses squid/3.3.8. I originally set it up with AD/LDAP authentication, which works fine. However, I need to be able to run most clients through the proxy transparently. From experience and docs, a transparent setup breaks authentication, because of browser behavior.

What I would like to set up is to have all transparent traffic run through a strict policy, but give some users the option to configure their browser to use port 3128, so they can be authenticated to use a more relaxed policy. In our scenario, all users will be accessing the squid box via the same subnet, which is the reason for taking this approach.

If this is possible, I will need specific instructions for ACLs, etc....

8/22/2022 - Mon
gheist

It is a protocol limitation and you cannot have proxy authentication on a transparent proxy.

The closest you can get to it is serving a PAC via WPAD (ask Google for examples).
tamray_tech

ASKER
I just want to be sure I communicated my proposed scenario correctly. I fully understand that, straight up, transparent proxies do not work with authentication. However, my desired solution would be to run all users through transparently, unless they had manually configured their browser to use port 3128. Is this still an unworkable solution for squid?
gheist

You can even set up WCCP on a Cisco router and direct all web requests to the proxy cache.
Or take one of the hundreds of iptables recipes on how to do that (there are some on the Squid site).
It is completely independent of what squid does with authentication.
Is your internet line so overloaded that you need a web cache on your side? Maybe you need a captive portal?
ASKER CERTIFIED SOLUTION
tamray_tech

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
gheist

There might be legal issues on intercepting SSL this way, especially dropping financial liabilities on your company.
tamray_tech

ASKER
It's a K-12 environment. All users would be informed and have to agree to a disclaimer if they want access to SSL sites.
gheist

Especially when they are not in legal power to do so.... Just take care...
tamray_tech

ASKER
Solution provided works for transparent and authenticated traffic. This setup allows a more relaxed policy assigned to authenticated users.
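
The two-port split the asker describes, as an added squid.conf example that is not part of the thread and is not the members-only accepted solution: an interception port with a strict policy and no authentication, and port 3128 with AD/LDAP authentication and a relaxed policy. The subnet, LDAP host, base DN, bind account, helper path, port 3129 and the two list files are placeholders and assumptions.

```conf
# Added example. All hosts, paths, DNs and the subnet are placeholders.

# Port that browsers are manually pointed at: proxy authentication works here.
http_port 3128 name=explicit
# Port the firewall redirects port-80 traffic to. Clients do not know a proxy
# is in the path, so a 407 challenge must never be sent on this port.
http_port 3129 intercept name=transparent

# AD/LDAP basic-auth helper (helper path and arguments vary by distribution).
auth_param basic program /usr/lib64/squid/basic_ldap_auth -R -b "dc=example,dc=org" -D "squid@example.org" -W /etc/squid/ldap.pass -f "sAMAccountName=%s" -h dc1.example.org
auth_param basic children 5
auth_param basic realm Web proxy
auth_param basic credentialsttl 2 hours

acl localnet        src 192.0.2.0/24
acl on_explicit     myportname explicit
acl on_transparent  myportname transparent
acl authed          proxy_auth REQUIRED
# Hypothetical list files, one domain per line.
acl strict_allowed  dstdomain "/etc/squid/strict_allowed.txt"
acl relaxed_blocked dstdomain "/etc/squid/relaxed_blocked.txt"

# Keep the stock Safe_ports / CONNECT deny rules above this point.
http_access deny !localnet

# Explicit port: on_explicit is tested first, so the proxy_auth ACL is only
# evaluated for requests that arrived on 3128. Ending the deny line with the
# auth ACL makes Squid answer with a 407 challenge instead of a plain denial.
http_access deny  on_explicit !authed
http_access deny  on_explicit relaxed_blocked
http_access allow on_explicit

# Intercepted traffic: strict allow-list only, no authentication ACL involved.
http_access allow on_transparent strict_allowed
http_access deny all
```

The firewall redirect should send client port-80 traffic to 3129 only, and `squid -k parse` checks the file before a reload.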