Re: [squid-users] 2 problems with squid

From: Alex Short <alex@dont-contact.us>
Date: Sun, 17 Nov 2002 17:02:56 -0500

Matt,

Are you in control of the client machines? What I did was roll out an IE6
SP1 migration to the entire company using IEAK (util to create a customized
browser install). During the silent install it upgraded everyone to 6, and
added proxy configuration to proxy.server.com/proxy.pac and locked out the
ability to change the proxy settings. Granted, Netscape can bypass all
that, but we just did this to test that there wouldn't be major issues with
forcing users through the proxy; after that, we cut off, as you suggest, port
80 access unless from the proxy box itself.

Should our proxy machines blow up and we need to let people through the
firewall sans proxy, just point proxy.server to another webserver (I assume
you control your DNS servers) and set the proxy configuration script to send
back direct. Using the proxy.pac file gives you the flexibility to put
certain segments to point to one proxy server, and fail to another, and also
tell the browser for some internal hosts not to go through squid.

Alex
----- Original Message -----
From: "Matthew Kaminski" <matthew.kaminski@howick.school.nz>
To: <squid-users@squid-cache.org>
Sent: Sunday, November 17, 2002 4:54 PM
Subject: [squid-users] 2 problems with squid

> Hey everybody, I'll make this as short as possible.
>
> Background: I run Squid 2.4 Stable6 on a RedHat 7.3 (P200 with 196 mb ram
> and 4 GB cache size) box in public college with about 2600 students. As
> well I run novell 5.1 network and I got squid to authenticate to NDS. It
> all works great except 2 moderate issues.
>
> Problem 1: Users are able to change the proxy settings of the browser,
> which is very bad, as that way they can basically bypass the proxy. I was
> thinking that I could disable access on port 80 from all hosts on my lan,
> except squid machine. That will cause that the ONLY way to access the net
> was through the squid machine. Can someone comment on that ??? Is that the
> right way to do it ??? I'm worried there may be some unwanted side
> effects... is that the case ???
>
> Problem 2: I currently have 2 users here, for which the authentication
> doesn't work. I have their username and passwords (for testing purposes).
> When I run squid_ldap_auth manually, it returns OK for both of them, yet
> squid fails to authenticate them and give them access to the net. This is
> absurd and I need to eliminate it, otherwise I need to keep a temporary
> web-access account which is unacceptable.
>
> That's all. Thanks in advance...
>
> P.S. Squid is the best... I worked with novell border manager and ms-proxy
> and several others.... I can't believe that such a good software as squid
> is free.
>
> Matthew Kaminski
> Network Administrator
>
> Howick College
> Sandspit Road
> PO Box 38142
> Howick
> Auckland
>
> Phone: 0-9-534 4492 x850
> Fax: 0-9-534 6574
> Cell: 021 159 6191
> Email: matthew.kaminski@howick.school.nz
Received on Thu Nov 21 2002 - 09:18:14 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:11:20 MST
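
The proxy.pac behaviour Alex describes (internal hosts direct, one segment preferring a different proxy, failover between the two, and a "send back direct" emergency copy) could look like the following. This is an added example, not part of the original messages; the proxy names, port 3128, the `example.internal` suffix and the 10.2.0.0/16 segment are hypothetical placeholders.

```javascript
// Added example of a proxy.pac; all names, ports and subnets are hypothetical.
var PRIMARY = "PROXY squid1.example.internal:3128";
var SECONDARY = "PROXY squid2.example.internal:3128";
// Emergency copy served from the fallback web server sets this to true.
var FAIL_OPEN = false;

// Dotted-quad IPv4 -> unsigned 32-bit number, NaN if malformed.
function ipToInt(ip) {
  var p = String(ip).split(".");
  if (p.length !== 4) return NaN;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(p[i]) || +p[i] > 255) return NaN;
    n = n * 256 + (+p[i]);
  }
  return n;
}

// True when ip lies inside net/bits; malformed input never matches.
function inSubnet(ip, net, bits) {
  var a = ipToInt(ip), b = ipToInt(net);
  if (isNaN(a) || isNaN(b)) return false;
  var size = Math.pow(2, 32 - bits);
  return Math.floor(a / size) === Math.floor(b / size);
}

// Pure decision function, kept separate so it can be tested outside a browser.
function chooseProxy(host, clientIp) {
  if (FAIL_OPEN) return "DIRECT";
  host = String(host).toLowerCase();
  // Internal hosts skip squid: bare names and the internal DNS suffix.
  if (host.indexOf(".") === -1 || /\.example\.internal$/.test(host)) return "DIRECT";
  // No trailing DIRECT: if both proxies are down the request fails rather
  // than bypassing the proxy (port 80 is blocked at the firewall anyway).
  if (inSubnet(clientIp, "10.2.0.0", 16)) return SECONDARY + "; " + PRIMARY;
  return PRIMARY + "; " + SECONDARY;
}

// Entry point the browser calls; myIpAddress() is supplied by the PAC runtime.
function FindProxyForURL(url, host) {
  return chooseProxy(host, myIpAddress());
}
```
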