Squid Interception Proxying Troubles

Patrick Fleming, EA plug at rwcinc.net
Wed Nov 1 19:32:36 MST 2006



Erik,

Forgive me if I'm a little confused here. It looks like based upon all
these posts that you are running into a circular issue. Is your Squid
box before or after the router? And is the router trying to push port 80
back through the Squid box?

I'm assuming that you are setting it up parallel to your Websense box
for testing.

Erik Bixby wrote:

>>
>> I went back and read thru the earlier posts.  Let me make sure I
>> understand the situation completely.
>>
>> You have a network.  There is a firewall.  There is a separate proxy
>> server running squid and squidguard.
>>
>> If a user sets up the proxy settings in his browser to use the proxy
>> server then all traffic is properly handled by all systems and the user
>> really does get proxied.  If the user goes to a blacklisted site (in
>> squidguard blacklists) he is blocked etc. etc.
>>
>> If that is all correct then the next step is that you want to STOP users
>> from getting through the firewall directly so as to force the traffic
>> through squid.
>>
> 
> All of that is correct.  The point behind WCCP is that it intercepts
> traffic on port 80 and redirects it to a proxy.  The objective is to
> redirect traffic outbound from the last router before the firewall to
> the Squid box, excepting traffic from the proxy itself, of course.  If
> everything works properly, the router doesn't allow any traffic out,
> on port 80, so the firewall is outside the scope of the conversation.
> 
> 

> 
> This is not what we currently plan on doing.  We hope to use WCCP, so
> that should the proxy fail traffic will still go out.  Plus, we can do
> load balancing with multiple proxies and other nifty tricks.
> 
>> Once you have stopped all direct traffic going directly through the
>> firewall make sure the proxy can still get through the firewall.
>>
>> After you have stopped all direct traffic then work on transparently
>> redirecting traffic to the squid box.
>>
> 
> WCCP accomplishes these goals; traffic from other machines doesn't get
> out, it gets redirected to the Squid box.  And, traffic from the Squid
> box still gets out, as would be expected.
> 
>> Note: I found this on the net
>> http://www.squid-cache.org/mail-archive/squid-users/200403/1003.html
>>
> 
> That message deals with proxy authentication along with transparent
> proxying.  We have no desire, currently, to use any authentication.
> We're basically looking for SquidGuard to replace Websense, in
> filtering HTTP only.
> 
>> I don't know if this will help or not but it helps me to go over a
>> problem from start to finish to see if I have missed anything.
>>
> 
> I think folks are getting a better handle on our situation.  And
> again, I really appreciate you all taking time out of your day and
> looking at our problem.
> -Erik
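
The loop question raised above ("is the router trying to push port 80 back through the Squid box?") comes down to whether the proxy's own outbound fetches are excluded from WCCP redirection. The router-side sketch below is an added example, not configuration posted by anyone in this thread; the address 192.0.2.10, ACL number 120 and the interface name are constructed placeholders, and it assumes a Cisco IOS router with the Squid box reachable through the same inside interface as the clients.

```cisco
! Added example. Placeholders (assumptions, not from the thread):
!   192.0.2.10        = the Squid/SquidGuard box
!   FastEthernet0/0   = LAN-facing interface where client traffic arrives
!
! Redirect-list ACL: a "deny" here means "do not redirect", so the packet
! is routed normally instead of being handed to the cache.
access-list 120 remark Squid's own fetches bypass WCCP, otherwise they loop
access-list 120 deny   tcp host 192.0.2.10 any eq www
access-list 120 remark All other client HTTP is redirected to the cache
access-list 120 permit tcp any any eq www
!
ip wccp version 2
ip wccp web-cache redirect-list 120
!
interface FastEthernet0/0
 description Inside interface, client traffic enters here
 ip wccp web-cache redirect in
!
! Checks after applying:
!   show ip wccp web-cache detail   (is a cache registered and usable?)
!   show access-lists 120           (do the deny/permit hit counters move?)
!
! With no cache registered the router forwards port 80 normally, which is
! the fail-open behaviour described in the quoted message. During that
! window HTTP leaves without passing through SquidGuard, so a proxy outage
! should be monitored as a filtering outage.
```

If the deny counter for the Squid host stays at zero while clients see timeouts, the proxy's requests are most likely being redirected back to itself.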

