Server :: Squid With Transparent OR Authentication Options?
Mar 3, 2010
I have a squid server set up with two ports:
http_port 3128 transparent
http_port 3129
Port 3128 is set up for transparent proxying (ie, if you send a request to the internet, iptables forwards it to 3128) Port 3129 is just a regular port. If you connect to 3129 directly, you get prompted for a password:
Code:
auth_param basic program /usr/lib/squid3/ncsa_auth /etc/squid/squid.passwd
auth_param basic children 2
auth_param basic realm Squid proxy-caching server
acl password proxy_auth admin
http_access allow password
And this is actually working also. If someone signs then they are able to access unrestricted browsing (with squidguard). However, if they don't, they are transparent-proxied and have restricted browsing. The problem is I keep getting /var/squid/cache.log hits:
Code:
2010/03/03 17:11:04| ACHChecklist::authenticated: authentication not applicable on transparently intercepted requests. Basically evertime there's a transparent request, it throws a warning.
to configure squid as a non-transparent proxy? I understand https cannot be filtered using squid as a transparent proxy. So i need to find out how to configure squid for https filtering.
I have installed and tried both squid version as transparent proxy but they just don't work.
I have eth0 which is where my internet comes in and eth1 which is my local network 192.168.1.0/255.255.255.0.
My default firewall policy is to drop input output and forward, i have already set my firewall to accept and workout the squid and it is working.
Here is the relevant rules i have on my firewall:
Code:
Here is the sample conf i am using for squid:
Code:
Always_direct allow all When using version 2.7.x i was able to make it transparent when i used the below rules:
Code:
I readed the Docs on the squid page but the above rules can't be reproduced to 3.1 and i don't wish to use such rules to make it transparent or hidden so i want some help to figure out why it inst transparent.
I am using Fedora 9, I have compile the squid with source code, i also deleted the old RPM of squid. i then edited the squid.conf in /usr/local/squid/etc and set http_port 3128 transparent and allowed in my acl to my local network but the transparent proxy is not working. if i remove transparent proxy then squid works fine. when i try to make it transparent the squid access.log file does not show any request coming to it (no activity). i have also forwarded all the incoming traffic to squid port 3128. Can anybody tell me why my transparent proxy is not functional.
I want to make a transparent squid proxy server in centos. The squid proxy version is 2.6 stable. I made a normal squid server but want to make it transparent so that users do not need to enter the proxy settings in web browser. Even i searched about this on google but not getting it properly.I have two lan cards on centos system. ETH1 used for LAN and ETH2 used for WAN. And in this squid.conf i written "http_port 172.16.31.1:3128 transparent" and i also added a rule in iptables which is "iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128" but still i have to enter proxy settings at client's web browser to use internet
I would like to install and configure Transparent squid proxy on a gateway server ,but i dont have a local OR intranet DNS server.I am facing issues do that ,regard .My IP series is 192.168.1.1/24
can anyone give me the solution how to configure dansguardian on squid transparent proxy.i m using linux - slackware squid - squid-2.6-stable18 dansguardian - 2.10.1.1
what i need, I got two servers for about 4000 users and 300 servers and well the guy never setup dns caching right, so im redoing it. Now my goals
1) DNS cache 2) Transparent Squid Cache only 3) Load Balance - at switchlevel
Upgraded Hardrives to SSD 2x32gb each server 4gb of ram 2x Dell poweredge 850's - p4 2.8 (single cores) So any advise , pointers , expeirnces and best ways to do this being both server will do both dns caching and squid! Also is bind9 the best for this?? i seen stuff about DNSmasq what performs better( i dont need DHCP)
I'm using a Debian box as a gateway. I'm planning on bridging my DLink 604T modem/router so that traffic on the LAN goes to my gateway (which only has one NIC). The Debian box is running a PPPoe application which I'm hoping to log into the ISP through the DLink. I plan to configure the box as a squid transparent proxy. Most Howtos I've seen use NAT with 2 NICs, eth0 for the LAN and eth1 for the Internet. Any step-through to set up NAT for this?
this setup makes squid authenticate both the employees and admin network. how can i make squid just authenticate only the employees network? admin network should connect to squid without authentication.
If users are a memebr of a certain AD group, they are granted access to the web. I have this working but there is a glitch. I have to restart squid everytime I add or remove a user from the active directory group for the change to kick in. I could set up cron to restart squid every x amount of minutes but that is no good. see settings
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 30 auth_param ntlm max_challenge_reuses 0 auth_param ntlm max_challenge_lifetime 2 minutes
[code]...
Any work arounds for this. I need to able to add an AD user to an AD group so they can have instant access to the web without me having to restart squid
I have a squid server currently running with basic authentication. This is a must because we constantly have different people using different machines but the rules must be set per user, not per machine.
We also have a lot of users coming and going. So every time a new user comes to the office I have to manually create a user for him so he can authenticate.
Anyway.. We do not have any windows servers so no Active Directory. But I need some solution to pass the windows login to Squid.
First question: It seems I am using NTLM currently for samba as the person can map their home directories on their windows box withuot authenticating. Why can I not use it for squid?
Second question: Can I make my Centos server into an AD server?
I'm fairly new to Linux and very new to Squid and am having authentication issues! I am using Oracle Enterprise Linux (which is basically Red Hat without the branding) and wanting to use Squid Proxy Server for web access with authentication to Active Directory. I've found a number of articles about this online and all of them say to use auth program squid_ldap_conf which should be in /usr/lib/squid/. I don't have a squid directory in /usr/lib for starters and my squid binaries are in /etc/squid but there is no squid_ldap_conf in there either. I have installed the latest version of Squid (3.0) to see if that helped but I still cannot find the authorisation program.
I would like to be able to get squid or dansguardian to authenticate a user account against active directory so that a users browsing activities can be logged.
I can find lots a very useful info on how to set up ntlm_auth etc, but all of these methods produce a pop up window when the user launches the browser.
I'm posting this thread because I would like to be able to authenicate, but without a pop up window. Is there a way of automatically carrying out this authentication so that the user is unaware of it.
We've previously attempted authenticating against an NT4 PDC, but the users worked out that they could use any user account on the network, not just the user that was logged in which kinda defeated the whole idea of logging the users activity.
My current setup is:
Windows 2003 AD Windows XP Clients, soon to be converted to windows 7. Fedora 11 running squid and dansguardian.
i have configured transparent squid with dansguardian for content filtering i used this squid server ip on client gateway(not on browser) for content filtering, is it possible that i could use this squid server in different VLAN.
I am trying to set up squid to make switching proxies easier. I have a laptop which I use at work and at home. At work, I need to connect to the internet via a authenticated proxy. At home, I connect directly to via mobile broadband. So I end up switching proxy settings twice daily, which is just irritating! To solve this I want to set up a system whereby I never have to worry about a proxy - my browser sees a direct internet connection which squid (on my computer) intercepts and forwards either to the mobile broadband connection or to the work proxy (along with the required authentication) depending on which is available. I've read various articles on how to do clever things with iptables and squid, but I don't understand enough of the networking jargon or concepts to know when I need to change to make it work in my situation, or if it is even possible.
I have set up squid3 and dhcp server on my Ubuntu 10.04 box with IP address of 192.168.0.160. Single network card.Squid runs on port 3148. Everything works fine for the users provided that I set up the proxy details manually on each client pc.I want to set up the Squid to run as a transparent proxy and after reading around I have done the following.In the Squid3 conf file I have entered http_port 3148 transparent.Dropping to Root ( sudo -i )However the transparent proxy does not work and if I enter iptables -L I can see that the rule above has not been retained. The default rules in iptables only show up.
How to make squid proxy transparent?I have configured a Squid proxy server with some ACLs but we have to check from client side whether those ACLs work or not ,I have to open their firefox and manually enter my machine's i.e. proxy server's ip, only after entering this ip , Those ACLs work properly.But now I want to make it work without manually entering the proxy on clients machine.I guess transparent proxy is the solution, but how to configure it/Please guide me and I am one of the machine in LAN.
i m using centos 5.6 x86 give us guideline if possible, we have squid transparent proxy, the ip is set 10.0.1.85, this is as gateway we enter in window client pc to browse. now we want to block some website so we try below two method does not work, can you check if anything wrong in this, we enter this all starting of file squid.conf.
I'm mon webmaster/developer and I'm new in Linux. Our office suddenly needs to setup a proxy server. Ubuntu Squid proxy server immediately came as an option for us. The question is: does transparent squid proxy configuration using Ubuntu will have no problem with computers running on Windows OS?
I am looking to redesign my network which I'll get into bellow but basically i am looking to setup an transparent/bridged firewall with squid and dansguardian. However, I want to require LDAP authentication to access internet. You'll understand why from diagram below.
My question is, since bridged firewalls operate at layer 2 and have no/require no IP address, can you access higher layered apps with them? Example would be to have the proxy authenticate to LDAP system to check for valid user and valid net permissions, server has to somehow send a reply back, so without an IP, this can't happen right.
Below are two designs I am looking into implementing. Everything Internally will be Authenticated against LDAP with a small possibility of some public servers using LDAP too, but in my way of thinking anything using LDAP would should be behind the router on private link. FYI, the PROXY and the Linux Router would be two physically separate systems. So I guess my second question would be, can systems outside private network access limited internal services securely and be restricted at the same time?
I've problem with configuring transparent proxy on Fedora v13 was checking with several examples, last one from here on router (cisco 1812) everything seems ok, think there is a problem with Linux
Squid machine and router 'see each other'
Code:
While try to open web page, on GRE there is:
Code:
But when want to see what hapenning in tunnel between router and squid - there nothing...squid configuration is ok - was checking before try to make it transparent.
