On 23/02/2013 9:47 p.m., Magnus wrote:
> I am setting up a Linux machine that will run behind a corporate web
> proxy with authentication (NTLM and basic) but since I will for
> development purposes run a lot of different software, VMs etc it is a
> pain to manage proxy configuration in them all (some programs also
> have buggy or non-existent proxy support and the password in the
> corporate firewall must be changed regularly making the pain worse).
> The corporate proxy does not seem to do a very good job in
> accelerating web traffic either :-(
> To address these problems I would like to set up a "transparent proxy"

"transparent proxy" means many different things. What you are talking
about here is "transparent interception proxy" or just "interception proxy".

> on my own box for my private use that intercepts all http traffic,
> accelerates it and directs it to the corporate proxy (including
> performing the authentication with my own user name password) - this
> way I should only have to set and update it in one place and also
> solve the other issues at the same time!
> My question is if it is possible to set up Squid in this way?

Sort of. Yes to all of the above _except_ sending NTLM authentication to
the upstream proxy.
Squid can only generate Basic or Negotiate authentication credentials
for upstream Proxy-Auth headers. If the corporate proxy were upgraded to
Negotiate/Kerberos authentication the Squid sending your credentials
would be an option. NTLM is just too complicated with several
round-trips of request/reply, nobody can be bothered implementing it
(particularly since NTLM is an obsolete and insecure protocol these days).
NTLM and Digest authentication requires the software on your end to
generate the credentials and Squid can be configured to relay them to
the upstream.
... NP: the proxy generating credentials for you is called "transparent
authentication proxy". The relaying of credentials is part of "HTTP
transparent proxy".

> I already know that it is good at speeding up web traffic and that it
> can be set up as transparent proxy but I am not sure if it could be
> done on a single machine as described or if it can redirect traffic to
> another proxy that sits between it and internet?
> If it is possible how hard would it be? Are there some guides I could
> use? I know a bit about networking but am not a guru by any means...

I think you want to look at DHCP or software auto-configuration
(otherwise known as "transparent configuration") to push out a PAC file
using WPAD settings. A lot of software will pick up the proxy details
from the PAC file and use the proxy without any manual configuration needed.
The http://wiki.squid-cache.org service seems to be down as of right now.
When it comes up take a read through
http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers for the best
way to configure Squid. Even if you go with interception proxy for most
of the traffic you should have a forward-proxy port configured anyway
for the objects which are served directly out of Squid.
Amos
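
A squid.conf sketch of the setup discussed in this thread, added here as an illustration and not taken from the original message. The upstream host name, ports, VM network range and credentials are placeholder assumptions.

```conf
# Added example; host names, ports, network range and credentials are
# placeholders (assumptions), not values from the thread.

# Forward-proxy port for software that can be pointed at a proxy,
# manually or through a PAC file.
http_port 3128

# Interception port. The local firewall must redirect port-80 traffic here
# and must exempt Squid's own outbound traffic to avoid a forwarding loop.
http_port 3129 intercept

# Every request leaves with corporate credentials attached, so restrict
# use to this host and the VM network (assumed range).
acl thishost src 127.0.0.1/32 ::1
acl devnet src 192.168.122.0/24
http_access allow thishost
http_access allow devnet
http_access deny all

# Option A: Squid generates Basic credentials for the upstream proxy.
# The password sits in this file in cleartext and Basic is only base64
# on the wire, so keep squid.conf readable by root and the Squid user only.
cache_peer proxy.corp.example parent 8080 0 no-query default login=USERNAME:PASSWORD

# Option B (use instead of A): relay credentials generated by the client
# software, which is what NTLM requires. This only helps on the
# forward-proxy port; intercepted clients do not send proxy credentials.
# cache_peer proxy.corp.example parent 8080 0 no-query default login=PASSTHRU connection-auth=on

# Never contact origin servers directly; always go through the parent.
never_direct allow all
```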