On 26/06/2012 4:19 p.m., Markus Thüs wrote:
> Dear all,
> 
> I need to implement a Proxy Solution that works as follows:
> 
> 1. Proxy should be implementable without any changes on the net, it should just
> replace the router

Aka you are now required to perform an MITM attack on your clients. Otherwise known as a traffic interception proxy.

> 2. Proxy should log any traffic in a logfile with username, IP and connected
> site, should work for http, ftp, https.

* HTTP supports MITM attacks / interception.
* FTP protocol inbound is not supported by Squid at all.
* HTTPS is designed to prevent MITM attacks / interception.

However, see the notes at the end of this email.

> 3. Users should authenticate at the proxy before they’ll be granted any access
> to the internet. How? Users are required to open the web browser, type in any
> page, be redirected to a landing page where they’re required to type in their
> username and password, that’s going to be checked from LDAP; if correct they’ll
> be granted internet access (that might work with MAC address ⇔ IP address ⇔
> username coupling). After that combination changes the user is required to
> relogin.
> 
> Has anyone any idea how to actually implement that in a system?

Search for information on "Captive Portal".
Here is some info on the splash page with Squid http://wiki.squid-cache.org/ConfigExamples/Portal/Splash

If you want to do it with MAC addresses I suggest getting the squid-3.2 beta series code. It has quite a few enhancements around EUI-48 (aka "MAC") address handling.


BUT, it is a better idea to avoid that (1) requirement and set up auto-config. Clients capable of auto-detecting the proxy using it explicitly will have HTTP, FTP and HTTPS and other services that can tunnel over HTTP proxy available through it. As a bonus this will enable your clients to use real HTTP authentication.

http://wiki.squid-cache.org/ConfigExamples/Portal/ZeroConfUpgrade details how to easily bootstrap your network from a no-proxy or transparent-proxy environment into an auto-configured proxy environment.

Amos
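One way to realise the MAC ⇔ IP ⇔ username coupling Markus describes on a Squid portal is an external ACL helper that only answers OK while the triple bound at login is still intact. The script below is an added illustration, not code from this thread or from the Squid project; the `external_acl_type` line in its docstring, the `%SRC`/`%SRCEUI48` format codes and the path are assumptions about a squid-3.2 setup.

```python
"""Session-binding external ACL helper for a Squid captive portal.
Assumed squid.conf wiring (not from the thread; squid-3.2 format codes):
  external_acl_type portal ttl=0 negative_ttl=0 %SRC %SRCEUI48 /path/to/portal_acl.py
  acl logged_in external portal
Squid hands the helper one "<ip> <mac>" line per lookup and expects "OK ..." or "ERR" back.
"""
import sys
import time

SESSION_TTL = 7200  # seconds of inactivity after which a re-login is required

class SessionTable:
    """Binds username <-> IP <-> MAC; any change in the triple forces re-login."""
    def __init__(self, ttl=SESSION_TTL, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self.by_ip = {}  # ip -> (mac, username, last_seen); in-memory for illustration

    def login(self, ip, mac, username):
        """Called by the landing page once LDAP has accepted the credentials."""
        self.by_ip[ip] = (mac.lower(), username, self.clock())

    def check(self, ip, mac):
        """Return the username if ip/mac still match an active session, else None."""
        entry = self.by_ip.get(ip)
        if entry is None:
            return None
        bound_mac, username, last_seen = entry
        now = self.clock()
        if bound_mac != mac.lower() or now - last_seen > self.ttl:
            # Coupling changed (IP now seen with another MAC, or Squid sent "-"
            # because the EUI-48 is unavailable) or the session idled out:
            # drop it so the client is sent back to the landing page.
            del self.by_ip[ip]
            return None
        self.by_ip[ip] = (bound_mac, username, now)
        return username

def handle_line(table, line):
    parts = line.split()
    if len(parts) < 2:
        return "ERR"
    user = table.check(parts[0], parts[1])
    return "OK user=%s" % user if user else "ERR"

if __name__ == "__main__":
    TABLE = SessionTable()
    for request in sys.stdin:  # Squid keeps the helper running, one line per lookup
        print(handle_line(TABLE, request), flush=True)
```

The table lives only inside this process; a real deployment would have the landing page and the helper share a store (Squid's own ext_session_acl keeps its sessions in a database file). Squid can only see the client's EUI-48 for hosts on its own network segment, so clients behind a router will always be handed "-" and never match.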
