LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 02-12-2008, 02:48 PM   #1
strick1226
Member
 
Registered: Feb 2005
Distribution: CentOS, Fedora, OS X, SLES, Ubuntu
Posts: 273

Rep: Reputation: 51
Squid Proxy Questions - Transparent Without NAT?


Hello, Everyone,

I'm interested in setting up a decent box (pentium D 3.4 GHz, 4GB RAM) to provide web caching for about 50 users at a site.

My distro of choice is CentOS 5.1, as I've been using it for my samba servers and VMware hosts.

The configuration of our network may cause some issues in doing this, however:

Separately-managed router (external public IP)
|
|
our LAN
(192.168.1.0/24)

Since we can't modify our router settings to intercept outgoing HTTP requests and forward them to a separate proxy server, I was wondering if this would work...


I've already set up a local CentOS 5.1 box providing DHCP services (in addition to hosting a few VM's) on the 192.168.1.0 network.

Could I set up a separate machine, move the DHCP services to it, and use squid on it in order to process the http requests?

i.e. have the DHCP server hand out the squid box as the default gateway for all clients, and have this same DHCP box pass all traffic to the true gateway--except for filtering http traffic?


Separately-managed router (external public IP)
|
|
"true" gateway (192.168.1.1)
|
|
dhcp+squid box (192.168.1.5)
| (default gateway of workstations, uses "true" gateway for itself)
| (passes all traffic--except for http requests, which go to squid)
|
|
workstations (192.168.1.50-254)




If this is possible, how would I go about doing it?

I've managed to create a non-transparent proxy, and configured a single box's IE and Firefox to use it as the proxy server. It worked pretty quickly, and management also likes the idea of being able to blacklist certain non-work-related sites for all users.

I guess I'm not completely sure if both NICs on the DHCP+squid box can be on the same network and/or how it would work.

Placing the clients in a separate network breaks their communication with the AV server--otherwise I would not be trying this nonstandard configuration.

Has anyone else tried doing this sort of thing? If not, does anyone have any pointers for me?

I've looked through these examples pretty thoroughly, over and over again, but haven't been able to make this idea work yet...

http://www.cyberciti.biz/tips/howto-...iguration.html
http://www.cyberciti.biz/tips/linux-...uid-howto.html
http://www.faqs.org/docs/Linux-mini/...rentProxy.html
http://ubuntuforums.org/showthread.php?t=375319
http://www.linuxhomenetworking.com/w...ess_with_Squid

I think the link above at the ubuntuforums is closest to what I'm trying to do, but my brain hurts. At this point I can't even manage to tell the difference between bridging and routing--and I should know better, lol.

Any advice, or personal experience in this area that could be shared would be greatly appreciated!!!

Thanks in advance.
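The one-armed gateway sketched in this post, as an added example that is not part of the original thread: a script for the DHCP+Squid box (CentOS 5 with iptables) that redirects the LAN's port-80 traffic into a local Squid and routes everything else on to the true gateway. The addresses are the ones in the post (192.168.1.0/24, true gateway .1, proxy box .5); the interface name eth0, Squid's port 3128 and the dry-run/apply switch are assumptions. Two caveats the diagram does not show are handled: the box must not send ICMP redirects, or clients that honour them learn to use .1 directly and bypass Squid, and replies from .1 reach clients without passing through this box, so only the Squid-terminated HTTP flows are symmetric.

```shell
#!/bin/sh
# Added example, not from the thread: a one-armed gateway that redirects
# the LAN's port-80 traffic into a local Squid and forwards everything
# else to the real router. Addresses are the thread's (192.168.1.0/24,
# true gateway .1, DHCP+Squid box .5). The NIC name and Squid's port are
# assumptions. Without --apply the script only prints the commands.
set -eu
LAN_NET="192.168.1.0/24"
TRUE_GW="192.168.1.1"
PROXY_IP="192.168.1.5"
LAN_IF="${LAN_IF:-eth0}"            # assumed interface name
SQUID_PORT="${SQUID_PORT:-3128}"    # assumed Squid listening port
DRY_RUN="${DRY_RUN:-1}"             # 1 = print commands, 0 = execute

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The box itself uses the true gateway; clients get this box as their
# gateway from DHCP ("option routers 192.168.1.5;" in dhcpd.conf).
default_route() {
    run ip route replace default via "$TRUE_GW" dev "$LAN_IF"
}

# Forward packets, but never send ICMP redirects. A router that forwards
# out the same NIC a packet arrived on normally tells the sender to use
# the next hop (.1) directly; clients that honour that would bypass this
# box, and Squid with it, for all later connections to that destination.
kernel_settings() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.send_redirects=0
    run sysctl -w "net.ipv4.conf.$LAN_IF.send_redirects=0"
}

# Port 80 from the LAN is redirected to Squid on this box. Requests aimed
# at the box itself (for example a PAC file served from it) are left
# alone. Squid's own outbound fetches are locally generated, never pass
# through PREROUTING, and therefore cannot loop back into the proxy.
nat_rules() {
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" ! -d "$PROXY_IP" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
}

# Everything else is routed unchanged towards .1. Replies from .1 reach
# the clients directly (same subnet), so this box sees only one direction
# of those flows and cannot apply stateful rules to them.
forward_rules() {
    run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
}

# Squid side: the listening port must be marked for intercepted traffic.
# Squid 2.6 (CentOS 5) spells it "transparent"; Squid 3.1+ uses "intercept".
# The acl/http_access pair belongs before the final "http_access deny all".
squid_conf_lines() {
    printf 'http_port %s transparent\n' "$SQUID_PORT"
    printf 'acl lan src %s\nhttp_access allow lan\n' "$LAN_NET"
}

if [ "${1:-}" = "--apply" ]; then DRY_RUN=0; fi
default_route; kernel_settings; nat_rules; forward_rules
echo "--- add to squid.conf ---"; squid_conf_lines
```

Run it without arguments first to review the commands, then as root with `--apply`. Because only port 80 is redirected, HTTPS and every other protocol still flow through unchanged, which is why this design cannot cache or blacklist SSL sites.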
 
Old 02-12-2008, 03:30 PM   #2
ARC1450
Member
 
Registered: Jun 2005
Location: Odenton, MD
Distribution: Gentoo
Posts: 290

Rep: Reputation: 30
For starters, look at Option 252 on DHCP; it's for WPAD and can be used to configure your clients for a proxy web address. All that has to be done is that they "automatically detect network settings", IIRC.

Another option is to have your network guy block outgoing port 80 from all the clients, then only allow it from your proxy server. Sledgehammer to kill a flea approach, but it works.

Keep in mind, in an MS AD environment, you can force GPO to make IE look for WPAD config scripts.

The problem with making a transparent proxy is that it's technically hijacking traffic, and can break some things. The better thing to do is make a non-transparent proxy, put it off on your network somewhere, and just point the clients to that. It's much easier and won't cause so many headaches, either. Not to mention, you won't have to worry about any SSL traveling over the box, and people could get fairly unhappy, for example, if they find out their banking info is being cached on a server somewhere.

I realize that doesn't really answer your questions the way you'd probably like, but it's a suggestion that'll keep most happy.
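The WPAD route suggested in this reply, as an added example that is not part of the original thread: a script that produces the three pieces needed on the DHCP+proxy box, the ISC dhcpd stanza declaring option 252, the PAC file the browsers fetch, and an Apache 2.2 snippet serving it with the right MIME type. The LAN 192.168.1.0/24 and the proxy box 192.168.1.5 come from the thread; Squid's port 3128, the DHCP range, and serving the PAC file from the proxy box's own Apache are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the WPAD approach (DHCP option 252
# plus a PAC file) instead of intercepting traffic. 192.168.1.0/24 and the
# proxy box 192.168.1.5 follow the thread; the Squid port 3128, the DHCP
# range and serving the file from the proxy box's Apache are assumptions.
# Files are written to the directory given as the first argument (default:
# a temporary directory) so they can be reviewed before going into /etc.
set -eu
PROXY_HOST="192.168.1.5"
PROXY_PORT="3128"
PAC_URL="http://$PROXY_HOST/wpad.dat"

# dhcpd does not know option 252 by name, so it is declared as text.
# The trailing "\n" is the widely used workaround for Windows clients
# that otherwise read garbage after the string.
write_dhcpd_snippet() {
    cat > "$1/dhcpd-wpad.conf" <<EOF
option wpad-url code 252 = text;
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.50 192.168.1.254;
    option routers 192.168.1.1;
    option wpad-url "$PAC_URL\\n";
}
EOF
}

# The PAC file is JavaScript that the browser runs for every request.
write_pac_file() {
    cat > "$1/wpad.dat" <<EOF
function FindProxyForURL(url, host) {
    // Intranet names and LAN addresses go direct: the proxy adds nothing
    // there and should not see or cache internal traffic.
    if (isPlainHostName(host) || shExpMatch(host, "192.168.1.*"))
        return "DIRECT";
    // Everything else, HTTPS CONNECT included, goes to Squid. No
    // "; DIRECT" fallback: if Squid is down, browsing stops instead of
    // silently bypassing the blacklist.
    return "PROXY $PROXY_HOST:$PROXY_PORT";
}
EOF
}

# Apache 2.2 snippet for /etc/httpd/conf.d/: correct MIME type, LAN only.
write_httpd_snippet() {
    cat > "$1/wpad-httpd.conf" <<'EOF'
AddType application/x-ns-proxy-autoconfig .dat
<Files "wpad.dat">
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
</Files>
EOF
}

write_all() {
    write_dhcpd_snippet "$1"
    write_pac_file "$1"
    write_httpd_snippet "$1"
}

OUT_DIR="${1:-$(mktemp -d)}"
write_all "$OUT_DIR"
echo "wrote dhcpd-wpad.conf, wpad.dat and wpad-httpd.conf to $OUT_DIR"
```

On CentOS 5 the pieces go to /etc/dhcpd.conf, /var/www/html/wpad.dat and /etc/httpd/conf.d/wpad.conf respectively; Internet Explorer picks the URL up with "Automatically detect settings" (which the GPO mentioned above can enforce). Firefox's auto-detect only looks for a DNS name `wpad` in the search domain and ignores option 252, so add an A record `wpad` pointing at the proxy box for those clients. Note that Squid still only sees what the browsers send it: HTTPS passes through as CONNECT tunnels and is not cached, but a blacklist can still be applied to the CONNECT host names.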
 
Old 02-13-2008, 08:30 AM   #3
strick1226
Member
 
Registered: Feb 2005
Distribution: CentOS, Fedora, OS X, SLES, Ubuntu
Posts: 273

Original Poster
Rep: Reputation: 51
Hi, ARC1450,

Wow--thanks for the info! The WPAD option sounds like the best way to go, so I'll give that a shot.

I thought squid didn't cache SSL by default... guess I better research it a bit more.

Again, thanks for the information--it's given me hope...
 
Old 02-13-2008, 08:40 AM   #4
ARC1450
Member
 
Registered: Jun 2005
Location: Odenton, MD
Distribution: Gentoo
Posts: 290

Rep: Reputation: 30
Well, let me put it this way; you and I know Squid can be configured to not cache SSL, but your users have no clue. Invariably, one of them has an idiot geek friend that will say your company caches everything due to using a proxy, and you can see where that goes. :-(

And not a problem. I realize that it didn't say much about transparent proxies, but in all actuality, like I said, that can break things because you're technically hijacking traffic.
 