RE: [squid-users] Squid and Firewall rules

From: Mark Cooke <[email protected]>
Date: Mon, 01 Mar 2004 13:04:48 +0000

On Mon, 2004-03-01 at 12:01, Elsen Marc wrote in reply to:
>
>
> > -- iptables -t nat -A PREROUTING -i eth1 -p tcp
> > --dport 80 -j REDIRECT --to-port 3128 --
> >
> > But with this rule in, I get that all users, even if
> > they don't set their Browsers to use a Proxy, can surf
> > the WEB withouth being authenticated by Squid, but
> > passing through the Proxy anyway (in fact I can see
> > them on my Access.log file)
> >
> > what I wish to do is to set the Squid or Firewall
> > settings to impose a Squid Authentication even if my
> > users don't set their Browsers to use a Proxy, so
> >
> > USER1 Browser-configured --> Authentication = Allowed
> >
> > USER2 NoBrowser-configured --> Authentication or ERROR
> > You are not allowed to ...
> >
> You can't at least in in the squid context :
>
> http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.15

But the workaround is to setup the redirect to a web server you control
that explains how to setup the browser to use your proxy, instead of
trying to transparently direct it to squid.

Ie, --to-destination as well as --to-port (so you don't have to run a
web server on your firewall).

iptables -t nat --dport 80 -j REDIRECT --to-destination
my.proxyinstruction.server --to-port 80

When you setup the web server, just map all URLs to the proxy setup
instructions (because iptables can't change the requested URL). If you
have an machine running as an existing web server, just use a different
port number and a virtual host, or similar.

Cheers,

Mark

-- 
Mark Cooke <mpc@star.sr.bham.ac.uk>
Received on Mon Mar 01 2004 - 06:30:57 MST

This archive was generated by hypermail pre-2.1.9 : Thu Apr 01 2004 - 12:00:01 MST