Hi
I have implemented a Squid 3.1 proxy server and I am doing DNAT on the controller for all HTTP traffic to go via Squid.
In Squid 3.3 they have implemented ssl-bump so that HTTPS traffic could be intercepted transparently as well. The security was made stricter on the Squid box so that the NAT can only be done on the host where Squid is running.
To get this working I now need to implement policy based routing to route all HTTP and HTTPS traffic to the Squid box but without doing the NAT.
If you look at the setup example at the following site, http://www.faqs.org/docs/Linux-mini/TransparentProxy.html#s6, they have an iptables example of how it must be done. My physical deployment would change these rules slightly, but the basic idea is there.
In my current setup I have written my own auth module to seamlessly authenticate the user based on the authentication used when the user connected to the SSID. Users are thus routed to the proxy and authenticated without the user needing to configure proxy settings or being prompted for authentication. In the backend, browsing is authenticated, LDAP group permissions are checked, and access is allowed based on that.
For me to authenticate SSL, I need to intercept the traffic. For me to transparently intercept, I need Squid 3.3. To get Squid 3.3 working, I need to do PBR on the controller.
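The Linux reference setup from the linked page, written out as an added example (not part of the original post): policy-based routing on the router, REDIRECT only on the Squid host, and the Squid 3.3 intercept/ssl-bump ports. The addresses, interface names and CA certificate path are assumed, and DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# Route client HTTP/HTTPS to a remote Squid box without NAT on the router,
# and NAT only on the Squid host. All addresses/interfaces below are assumed.
SQUID_IP="${SQUID_IP:-192.168.1.2}"     # assumed: the Squid host
LAN_IF="${LAN_IF:-eth0}"               # assumed: router interface facing the clients
SQUID_IF="${SQUID_IF:-eth1}"           # assumed: router interface towards the Squid host
SQUID_LAN_IF="${SQUID_LAN_IF:-eth0}"   # assumed: interface on the Squid host facing the router
MARK=3                                 # fwmark selecting the Squid routing table
TABLE=2                                # routing table whose default route points at Squid
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the commands, 0 = execute them

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Router: traffic from the Squid host is accepted first so its own outbound
# fetches are not marked and looped back; client web traffic is marked and
# sent to a table whose only route is via the Squid host.
router_rules() {
  run iptables -t mangle -A PREROUTING -s "$SQUID_IP" -p tcp -m multiport --dports 80,443 -j ACCEPT
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp -m multiport --dports 80,443 -j MARK --set-mark "$MARK"
  run ip rule add fwmark "$MARK" table "$TABLE"
  run ip route add default via "$SQUID_IP" dev "$SQUID_IF" table "$TABLE"
}

# Squid host: the only NAT in the design. Connections arriving from the router
# are redirected to Squid's intercept ports; Squid's own connections are excluded.
squid_host_rules() {
  run iptables -t nat -A PREROUTING -i "$SQUID_LAN_IF" ! -s "$SQUID_IP" -p tcp --dport 80 -j REDIRECT --to-port 3128
  run iptables -t nat -A PREROUTING -i "$SQUID_LAN_IF" ! -s "$SQUID_IP" -p tcp --dport 443 -j REDIRECT --to-port 3129
}

# Squid 3.3 listener fragment: plain intercept on 3128, ssl-bump intercept on 3129.
# The CA certificate path is assumed; clients must trust that CA for bumping to work.
squid_conf_fragment() {
  cat <<'EOF'
http_port 3128 intercept
https_port 3129 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/etc/squid/ssl_cert/myCA.pem
ssl_bump server-first all
EOF
}

case "${1:-}" in
  router) router_rules ;;
  squid)  squid_host_rules; squid_conf_fragment ;;
esac
```

Run it as `sh pbr-squid.sh router` on the router and `sh pbr-squid.sh squid` on the Squid host; set DRY_RUN=0 to apply the rules instead of printing them.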