Squid Interception Proxying Troubles

Erik Bixby erik.bixby at gmail.com
Wed Nov 1 18:50:01 MST 2006


On 11/1/06, JT Moree <moreejt at pcxperience.com> wrote:
> I went back and read through the earlier posts.  Let me make sure I
> understand the situation completely.
>
> You have a network.  There is a firewall.  There is a separate proxy
> server running squid and squidguard.
>
> If a user sets up the proxy settings in his browser to use the proxy
> server then all traffic is properly handled by all systems and the user
> really does get proxied.  If the user goes to a blacklisted site (in
> squidguard blacklists) he is blocked etc. etc.
>
> If that is all correct then the next step is that you want to STOP users
> from getting through the firewall directly so as to force the traffic
> through squid.
>

All of that is correct.  The point behind WCCP is that it intercepts
traffic on port 80 and redirects it to a proxy.  The objective is to
redirect traffic outbound from the last router before the firewall to
the Squid box, excepting traffic from the proxy itself, of course.  If
everything works properly, the router doesn't allow any traffic out,
on port 80, so the firewall is outside the scope of the conversation.


> OR you have the firewall checking with squid to allow or deny the user
> based on squid's response--but this is less common I think.
>

This is not what we currently plan on doing.  We hope to use WCCP, so
that should the proxy fail, traffic will still go out.  Plus, we can do
load balancing with multiple proxies and other nifty tricks.

> Once you have stopped all direct traffic going directly through the
> firewall make sure the proxy can still get through the firewall.
>
> After you have stopped all direct traffic then work on transparently
> redirecting traffic to the squid box.
>

WCCP accomplishes these goals; traffic from other machines doesn't get
out, it gets redirected to the Squid box.  And, traffic from the Squid
box still gets out, as would be expected.

> Note: I found this on the net
> http://www.squid-cache.org/mail-archive/squid-users/200403/1003.html
>

That message deals with proxy authentication along with transparent
proxying.  We have no desire, currently, to use any authentication.
We're basically looking for SquidGuard to replace Websense, in
filtering HTTP only.

> I don't know if this will help or not but it helps me to go over a
> problem from start to finish to see if I have missed anything.
>

I think folks are getting a better handle on our situation.  And
again, I really appreciate you all taking time out of your day and
looking at our problem.
-Erik
