Re: [squid-users] Putting squid-machine on IPcop's router DMZ interface

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 16 Apr 2009 01:14:01 +1200

Donatas Gedvilas wrote:
> Hello,
>
> I am looking for help, and I am not very good in English, so sorry in advance :).
> I am a system/network administrator in one company.
> I like open source and I have the task "to control users' HTTP
> traffic"; my deadline is 3 months.
> I refused the "Fortigate" and "Astaro" complete commercial products.
>
> I have 110 users at all, but in one office there are about 50 so I
> started there.
>
> As I know a little Debian, I chose it and Squid as the
> proxy-cache. I installed it on a separate machine
> listening on port 3128, with SNMP enabled and MRTG for monitoring,
> and W3Perl for making nice statistics.
> For now I have configured 10 users' browsers (we use Firefox as the main one,
> and IE for specific HTTP) to go through my proxy.
> Everything is working fine because Squid deals with the real users' IP
> addresses, and the W3Perl output generated from access.log
> looks fine because I made a translation from Name Surname to the user's IP address.
> And it is easy to change the users' browser settings to go directly if
> something is wrong with the "squid-machine".
> But this configuration is good only for testing purposes.
>
> Users (intermediate level) can easily change the browser settings not to go
> through the proxy.
> Yes, I know there are some methods to disable changing such
> settings, but doing this for 40-50 users is not a good idea :)
>
> So I need a transparent proxy configuration, in my opinion?

Better to prefer WPAD / PAC files if you can. Then browsers just get set
to 'auto detect'.

Also, for better control a port-80 block on the firewall is good to
force use of the proxy.

Only choose intercept to act as a last-choice backup for the stuff where
both of the above fail. Capability limits and breakages under intercept
are great.

>
> I have been using an "IPcop" router/firewall machine for testing purposes for one
> year and it works fine in my case.
> (It also has a built-in proxy, but I don't like it for several reasons:
> very weak logs, poor caching capabilities, and everything on one
> machine.)
>
> So I am planning to put the Squid proxy machine in the DMZ
> (IPcop's orange interface; as I read from
> http://www.deckle.co.za/squid-users-guide, that is the best place for a
> cache.)
>
> My trusted hosts would be on the green network (trusted), and IPcop
> hands off any HTTP (80), FTP (21) and HTTPS (443) requests to the DMZ (my
> orange) interface,
> to the squid-proxy-machine listening on port 3128, and Squid would then be
> able to communicate with the ISP's cache servers on the red side with
> the UDP ICP protocol,
> for example. Am I right?

If you wish. Topology does not matter for what you have described as
your requirements.

>
> The main question is: in that configuration, would my squid-machine be
> able to authenticate every user's traffic coming from green and give nice
> outputs with Names and Surnames,
> or would all users' IPs from green be covered by one orange (DMZ) IP,
> so the squid-machine wouldn't be able to produce nice outputs based on IPs?

#1 limit of interception is no HTTP authentication. There are tricks and
ways around that, but it's actually easier to get your head around
WPAD/PAC than to get side-band auth right.

>
> Also, I have a www server and am planning to put an FTP server on the DMZ.
>
> Please advise me how to do this the best way, or give another
> configuration example, because I can't test this in
> practice now
> (my squid-machine is placed in one office and the IPcop firewall
> in another: different cities, different branches).
>
> I will be waiting for any help. Thanks.
>

Check through:
   http://wiki.squid-cache.org/ConfigExamples
and see if any of the examples suit you or lead to a good idea.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
   Current Beta Squid 3.1.0.7
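As an added example, not from the original post and not Squid's or IPcop's own code, here is a PAC file for the topology discussed in this thread: browsers on GREEN are pointed at the Squid box on ORANGE for everything except local and DMZ hosts. The addresses (proxy 10.0.2.10:3128, GREEN 10.0.1.0/24, ORANGE 10.0.2.0/24) and the internal domain example.internal are assumptions chosen for the example. The file is also runnable with `node` for testing: it defines minimal stand-ins for the PAC helper functions only when the browser's built-ins are absent.

```javascript
// pac.js / wpad.dat: proxy auto-configuration for a GREEN -> ORANGE Squid
// layout. Added example with invented addresses; adjust to your own network.
//
// Stand-ins for the PAC helper functions, used only when this file is run
// outside a browser (e.g. "node pac.js"). In a browser's PAC engine these
// names already exist, so the blocks below are skipped.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) { return host.indexOf(".") === -1; };
}
if (typeof dnsDomainIs === "undefined") {
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
}
if (typeof isInNet === "undefined") {
  // Handles dotted-quad literals only; the browser's version also resolves names.
  globalThis.isInNet = function (ip, net, mask) {
    function toInt(s) {
      var p = s.split(".");
      if (p.length !== 4) return null;
      var n = 0;
      for (var i = 0; i < 4; i++) {
        var o = parseInt(p[i], 10);
        if (isNaN(o) || o < 0 || o > 255) return null;
        n = n * 256 + o;
      }
      return n;
    }
    var a = toInt(ip), b = toInt(net), m = toInt(mask);
    if (a === null || b === null || m === null) return false;
    return (a & m) === (b & m);
  };
}

// Assumed layout (not from the page).
var PROXY_HOST = "10.0.2.10";          // Squid on the ORANGE/DMZ interface
var PROXY_PORT = "3128";
var LOCAL_DOMAIN = ".example.internal"; // internal DNS suffix
var GREEN_NET = "10.0.1.0",  GREEN_MASK  = "255.255.255.0";
var ORANGE_NET = "10.0.2.0", ORANGE_MASK = "255.255.255.0";

function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

function FindProxyForURL(url, host) {
  var h = host.toLowerCase();
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();

  // Only web traffic goes through Squid; anything else is the browser's problem.
  if (scheme !== "http" && scheme !== "https" && scheme !== "ftp") return "DIRECT";

  // Short names, the internal domain and loopback never need the proxy.
  if (h === "localhost" || isPlainHostName(h) || dnsDomainIs(h, LOCAL_DOMAIN))
    return "DIRECT";

  // Call isInNet only on IP literals: with a hostname the browser would do a
  // DNS lookup on every request, which is slow and exposes the name.
  // GREEN and ORANGE (the DMZ www/FTP servers) are reached directly.
  if (isIpLiteral(h) &&
      (isInNet(h, "127.0.0.0", "255.0.0.0") ||
       isInNet(h, GREEN_NET, GREEN_MASK) ||
       isInNet(h, ORANGE_NET, ORANGE_MASK)))
    return "DIRECT";

  // Everything else goes via Squid only. Deliberately no "; DIRECT" fallback:
  // it would let browsers silently bypass the proxy whenever it is slow or
  // down, which is what the port-80 block on the firewall is meant to prevent.
  return "PROXY " + PROXY_HOST + ":" + PROXY_PORT;
}
```

For WPAD, serve this file as http://wpad.<your-domain>/wpad.dat with the MIME type application/x-ns-proxy-autoconfig (or hand out its URL with DHCP option 252), and set the browsers to "auto-detect". Because the PAC still returns a proxy string when Squid is unreachable, a proxy outage shows up as an error in the browser rather than as users quietly going direct, so pair it with the firewall rule that drops GREEN -> RED port 80/443 traffic from anything other than the Squid host.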
Received on Wed Apr 15 2009 - 13:14:11 MDT

This archive was generated by hypermail 2.2.0 : Wed Apr 15 2009 - 12:00:02 MDT