04-05-2013 02:24 AM
I have implemented a Squid 3.1 proxy server and I am doing DNAT on the controller for all HTTP traffic to go via Squid.
In Squid 3.3 they have implemented ssl-bump so that HTTPS traffic could be intercepted transparently as well. The security was made stricter on the Squid box so that the NAT can only be done on the host where Squid is running.
To get this working I now need to implement policy based routing to route all HTTP and HTTPS traffic to the Squid box but without doing the NAT.
If you look at the setup example at the following site, http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#s6, they have an iptables example of how it must be done. My physical deployment would change these rules slightly, but the basic idea is there.
In my current setup I have written my own auth module to seamlessly authenticate the user based on the authentication used when the user connected to the SSID. Users are thus routed to the proxy and authenticated without the user needing to configure proxy settings or being prompted for authentication. In the backend, browsing is authenticated, LDAP group permissions are checked, and access is allowed based on that.
For me to authenticate SSL, I need to intercept the traffic. For me to transparently intercept, I need Squid 3.3. To get Squid 3.3 working, I need to do PBR on the controller.
04-05-2013 04:53 AM
Does the Squid box support GRE tunnels? If so, you could create a GRE tunnel from the controller to the Squid box and then in your policy set a rule that says something like:
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
04-05-2013 06:36 AM
I do not think Squid supports GRE.
Basically the answer from the Squid users group was
"Routers need to *route* the port 80 traffic to the Squid box *without* using NAT."
I have seen discussion around using ESI for policy based routing. I have never used this feature and all I know about it is where to find it in the WebUI. Is this something I should look into?
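As an added illustration of what the Squid list's "route, don't NAT" answer looks like on Linux (this is example code, not from the thread, the Aruba controller, or the Squid project): the router marks client port 80/443 traffic and policy-routes it to the Squid host with addresses untouched, and only the Squid host itself does the local REDIRECT into its intercept ports. Interface names, subnets, the Squid address and the intercept ports are assumed placeholders; the script prints the commands by default and applies them only with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: Linux policy-based routing to a Squid 3.3 intercept host
# without NAT on the router, plus the REDIRECT rules on the Squid host.
# All addresses, interfaces and ports below are assumed placeholders.
DRY_RUN=${DRY_RUN:-1}
LAN_IF=eth1            # assumed: client-facing interface on the router
LAN_NET=10.10.0.0/16   # assumed: client subnet
SQUID_IP=10.20.0.5     # assumed: Squid host, reachable from the router
SQUID_IF=eth0          # assumed: interface on the Squid host facing the router
SQUID_HTTP=3128        # assumed: Squid 'http_port 3128 intercept'
SQUID_HTTPS=3129       # assumed: Squid 'https_port 3129 intercept ssl-bump ...'
MARK=1                 # fwmark used to select the policy table
TABLE=100              # routing table holding the route via the Squid host

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Router side: mark web traffic arriving from clients (but never traffic
# already addressed to the Squid host, which would loop), then send marked
# packets to the Squid host. Source and destination addresses stay as-is.
router_pbr() {
  for p in 80 443; do
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
      ! -d "$SQUID_IP" -p tcp --dport "$p" -j MARK --set-mark "$MARK"
  done
  run ip rule add fwmark "$MARK" lookup "$TABLE"
  run ip route add default via "$SQUID_IP" table "$TABLE"
}

# Squid host side: packets arrive addressed to the real web servers; the
# REDIRECT into the intercept ports happens only here, restricted to the
# client subnet so that the host's own outbound traffic is not caught.
# Replies are de-NATed by conntrack and return to clients over the normal
# route, which the router's -i "$LAN_IF" match leaves unmarked.
squid_box() {
  run iptables -t nat -A PREROUTING -i "$SQUID_IF" -s "$LAN_NET" \
    -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_HTTP"
  run iptables -t nat -A PREROUTING -i "$SQUID_IF" -s "$LAN_NET" \
    -p tcp --dport 443 -j REDIRECT --to-ports "$SQUID_HTTPS"
}

case "${1:-}" in
  router) router_pbr ;;
  squid)  squid_box ;;
esac
```

Run `sh pbr.sh router` on the router and `sh pbr.sh squid` on the Squid host; with DRY_RUN=1 each just prints the rules it would add.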