The transparent mode of squid is great and works well - UNLESS you need to
know the identity of the user on the client. At that point there are several
options, and some of them APPEAR to work, but don't; for instance,
everything will start up and work OK except you don't get any blocking or
else you can't see any pages at all.

The method that came closest was to use idents. The ident service is
specified in RFC 1413 and provides a protocol for one computer to query
another as to the identity of a user who is trying to use a service on the
first computer. From the text of the RFC:

   This is a connection based application on TCP.  A server listens for
   TCP connections on TCP port 113 (decimal).  Once a connection is
   established, the server reads a line of data which specifies the
   connection of interest.  If it exists, the system dependent user
   identifier of the connection of interest is sent as the reply.
...

For this to work, you have to run a little server program on each client.
This is not a big problem, and you can even cause it to happen at every
login using system policies on an NT or Samba PDC network. Then you configure
squid with an acl of type "ident REQUIRED" and use http_access allow or deny
with that acl:

acl idents ident REQUIRED
http_access allow idents

However, if you do this in transparent mode, squid uses the remote web
server ip address as the origin address, instead of using the address of the
server squid is on. As a result, the ident reply tries to go to the remote
server. Whether it gets there or not, the squid server never sees it. I
still think that this is a bug. Some individuals on the squid project
politely disagreed with me, quoting the RESTRICTIONS section of the RFC. At
any rate, this leaves out transparent mode if you want to use ident and vary
or log restrictions by user (as opposed to ip address). Other authentication
schemes fail for other reasons.

One approach which does often work is to use the "autoconfigure" capability
of some web browsers. By "some" I mean Internet Explorer, mainly;
autoconfigure in Netscape 6 is broken (AFAIK) although 4.7 is usable but
different from IE in how it is set up. This also requires you to run a web
server on the squid box. Anyway, you put a file called wpad.dat in the root
of your web server, and in your DNS setup create a CNAME entry to point to
that server. The contents of wpad.dat are a javascript program called
FindProxyForURL, and it can be complicated or simple. A simple example is:

function FindProxyForURL(url, host)
{
    // Requests for the proxy/web server itself bypass the proxy.
    if (shExpMatch(host, "<your server name>*"))
        return "DIRECT";

    // Hosts that do not resolve in DNS are sent direct.
    if (!isResolvable(host))
        return "DIRECT";

    // If they have only specified a hostname, go directly.
    if (isPlainHostName(host))
        return "DIRECT";

    // Only plain http: URLs go through squid; anything else goes direct.
    if (url.substring(0, 5) == "http:")
        return "PROXY <your server name>:3128";
    else
        return "DIRECT";
}

If you set things up this way, then you can go into IE's
Tools...Options...Connection...Lan prop page and check the box that says
"Automatically detect settings". This is often the default setup anyway. And
that will be enough for the browser to be "transparently" connected to your proxy
server. (You can set a system policy to set this, too.) It isn't enough to
*force* that to happen - to do that, you have to use the NAT rule method
mentioned here before.

Note that the autoconfigure method can be used with other methods of
proxy-authentication, too. However, some of those methods will prompt for an
additional username/password.

Finally, a disclaimer - ident is not a secure way of restricting access via
your proxy. If people can log into your clients as anyone they want or if
they are savvy enough to replace your identd server with one of their own
which always replies with the username "root", then you've been outflanked.
For an elementary school environment, it has worked fine; in fact, I have
even set this up in a home where there was a lot of activity on hacker
and warez sites occurring and the hacker practitioner still hasn't figured out
what's up (I hope he doesn't monitor this group!)

And sorry for the length, I hope someone finds this interesting or can
constructively disagree with it...
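As an added example (not from the post above, and not squid's own code), here is the RFC 1413 exchange the post describes, in JavaScript with both sides in one file: the answer identd on the client PC would give, and the parsing of that answer a proxy would do before deciding whether it has a username. The connection table, port numbers and usernames are constructed; nothing listens on port 113, so it runs offline under node.

```javascript
// Added example, not from the original post or from squid: a minimal
// RFC 1413 ident exchange with both sides in one file, so it runs offline.
// In RFC terms the "server" is the host answering on port 113 (the client PC
// running identd) and the "client" is the host asking (the squid box).

// Constructed table of connections as identd on the client PC would see them:
// "<local port on the PC>,<remote port on the proxy>" -> local username.
const CONSTRUCTED_CONNECTIONS = {
  "1025,3128": "student17",
  "1026,3128": "teacher",
};

// identd side: answer one request line "<port-on-server>, <port-on-client>".
function identReply(requestLine, connections) {
  const m = /^\s*(\d+)\s*,\s*(\d+)\s*$/.exec(requestLine);
  // Unparseable request: echo zero ports with the RFC's INVALID-PORT error
  // (the choice of "0, 0" is this example's, the RFC only fixes the error name).
  if (!m) return "0, 0 : ERROR : INVALID-PORT";
  const serverPort = Number(m[1]);
  const clientPort = Number(m[2]);
  const prefix = `${serverPort}, ${clientPort}`;
  const valid = (p) => p >= 1 && p <= 65535;
  if (!valid(serverPort) || !valid(clientPort)) return `${prefix} : ERROR : INVALID-PORT`;
  const user = connections[`${serverPort},${clientPort}`];
  if (user === undefined) return `${prefix} : ERROR : NO-USER`;
  // Success reply: ports : USERID : <opsys> : <user-id>
  return `${prefix} : USERID : UNIX : ${user}`;
}

// Proxy side: parse one reply line into a structured result, or null when
// the line does not follow the RFC grammar at all.
const REPLY_RE = /^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*([^:]*?)\s*(?::\s*(.*))?$/;

function parseIdentReply(line) {
  const m = REPLY_RE.exec(line.replace(/\r?\n$/, ""));
  if (!m) return null;
  const base = { serverPort: Number(m[1]), clientPort: Number(m[2]), status: m[3] };
  if (m[3] === "ERROR") return { ...base, error: m[4] };
  // The user-id may contain anything except CR/LF, so the remainder is taken verbatim.
  return { ...base, opsys: m[4], user: m[5] === undefined ? "" : m[5] };
}

// One simulated exchange: the proxy asks about the PC's port <serverPort>
// talking to the proxy's port <clientPort>; identd answers; the proxy parses.
function queryIdent(serverPort, clientPort, connections) {
  const request = `${serverPort}, ${clientPort}\r\n`;             // what the proxy sends
  const reply = identReply(request.trim(), connections) + "\r\n";  // what identd returns
  return parseIdentReply(reply);
}

// What an "ident REQUIRED" style check boils down to: a username only when the
// reply is a well-formed USERID; any error or garbage counts as "no identity".
function identUser(result) {
  return result && result.status === "USERID" && result.user !== "" ? result.user : null;
}

// Demo run over one known and one unknown connection.
for (const [sp, cp] of [[1025, 3128], [9999, 3128]]) {
  const r = queryIdent(sp, cp, CONSTRUCTED_CONNECTIONS);
  console.log(`${sp}, ${cp} ->`, r, "user:", identUser(r));
}
```

Note that identUser only establishes that the client host answered with a well-formed USERID line; the username in it is whatever that host chose to send, which is exactly the limitation the post's closing paragraph describes, so the check is a logging and policy convenience rather than authentication.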
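As a second added example (again not from the post, and not a browser's or squid's code), the wpad.dat function above evaluated outside a browser, so you can see which requests would actually reach squid. The helpers shExpMatch, isResolvable and isPlainHostName are normally supplied by the browser's PAC engine; the versions here are stand-ins, and the proxy host name proxy.example.internal and the list of resolvable hosts are constructed placeholders.

```javascript
// Added example, not from the original post: the post's wpad.dat routing
// function evaluated under plain node. The PAC helper functions below are
// stand-ins for what a browser's PAC engine provides; PROXY_HOST and the
// resolvable-host list are constructed placeholders.
const PROXY_HOST = "proxy.example.internal";
const PROXY_PORT = 3128;

// Stand-in for the PAC engine's DNS lookup: a fixed set instead of a resolver.
const CONSTRUCTED_RESOLVABLE = new Set([
  "www.example.com",
  "proxy.example.internal",
  "intranet",
]);

// Shell-style glob match as PAC's shExpMatch does it: '*' and '?' are
// wildcards, everything else is literal.
function shExpMatch(str, shexp) {
  const escaped = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

function isResolvable(host) {
  return CONSTRUCTED_RESOLVABLE.has(host.toLowerCase());
}

// PAC's isPlainHostName: true when the host contains no dots (e.g. "intranet").
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// The post's FindProxyForURL with the "<your server name>" placeholder filled in.
function FindProxyForURL(url, host) {
  if (shExpMatch(host, PROXY_HOST + "*")) return "DIRECT";
  if (!isResolvable(host)) return "DIRECT";
  // If they have only specified a hostname, go directly.
  if (isPlainHostName(host)) return "DIRECT";
  if (url.substring(0, 5) == "http:") return `PROXY ${PROXY_HOST}:${PROXY_PORT}`;
  return "DIRECT";
}

// Drive the PAC function the way a browser would: pull the host out of the
// URL, then ask FindProxyForURL. Uses the WHATWG URL class built into node.
function routeFor(url) {
  const host = new URL(url).hostname;
  return { url, host, route: FindProxyForURL(url, host) };
}

// Demo: which of these requests would actually pass through squid?
for (const u of [
  "http://www.example.com/",
  "https://www.example.com/",
  "http://intranet/",
  `http://${PROXY_HOST}/wpad.dat`,
  "http://nonexistent.invalid/",
]) {
  const r = routeFor(u);
  console.log(r.route.padEnd(36), r.url);
}
```

The https: case is the one worth checking before relying on this for filtering: with the function as written, only http: URLs are handed to squid, so https traffic goes DIRECT and never passes squidGuard. The NAT approach in the quoted reply redirects port 80 only, so both methods leave the same gap, and since the squid box is also the gateway in this thread, DIRECT traffic still crosses it but is not filtered.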

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of -=[warthog]=-
Sent: Thursday, March 21, 2002 10:56 PM
To: St John Tech Support
Cc: Squidguard
Subject: Re: Forcing Users to use Proxy


On Tue, 2002-03-19 at 14:33, St John Tech Support wrote:
> Hi, here is what I have, I have a internal network 192.168.1.* I have
> about 16 students that need to by college policy use the Squid / SquidGuard
> Server to access the internet, My proxy server also acting as a NAT box
> between the internet and local network any suggestions would be great

You don't mention the OS being used on the squidGuard box but I do this
all the time.

What I do is have the squid & squidGuard combination running on an
OpenBSD gateway.  Clients *must* traverse this gateway to get outside of
their own subnet.  Then I use a NAT rule to force all outbound port 80
traffic on protocol TCP to be redirected to the squid port.  Squid must
also be configured to act as a transparent proxy.  Clients never know
they are being proxied until they get blocked trying to go to a site
that squidGuard doesn't like.  There are no changes to make on the
client, and this should work regardless of the client operating systems
being used.

Since the squid box in your environment is already the gateway, you're
already halfway there.  Now you just need to set up squid as a
transparent proxy, and add a NAT rule to your configuration (depends on
what OS you are using) and let 'er rip.
