half of a transparent proxy question I guess.....


Pat Riehecky
This is a bit of an odd duck, but....

The university I work for has a bunch of library pages that can only be
accessed from on campus as they are hosted off site and authenticated by
IP address.  However, they want currently enrolled students to be able
to use those pages from off campus as about 30% of our students live off
campus these days.

I said Bah this is easy, squid to the rescue!  And rescue it did (by the
way thanks so much for it!).  But a new problem has surfaced.  The users
don't ever turn their proxy settings off.  Some are uninformed, some
think the Internet will break without this on, and some think it is
faster to proxy to us.  They are all wrong of course, but alas... So my
squid box is at times eating up most of our bandwidth from people who
are not using it at all the way it should be used.  I said "Screw it"
and boosted the cache size.  Performance improved dramatically.

Now a new beast has come out and dragged the last one with it.  We have
some students studying in Spain who want to use the pages.  I gave them
the standard "Configure it for the proxy" email, but they are using
access at the local Internet cafe which will not (for good reason) give
them the rights on the local system to reconfigure the proxy settings.
Then my boss's boss says "Hey U of I has their library pages set up with
a transparent proxy somehow. Can we do it like that?"  I have yet to
see proof that this works as advertised...

Basically what they want from me is when people click the link to access
the resource in question it will flip the system into a transparent
proxy mode for IP addresses not in range A, prompt for a username/password
and sit man in the middle. For systems in range A they want it to do
what it does now - nothing.  U of I has said they are using EasyProxy to
do this.  It seems silly to me to pay for a baby proxy system when I
could use Squid.  

So, to the question at hand:  Are there some docs somewhere I could
read to figure out how to man in the middle some traffic, but not
others.  And make the traffic I pick on login?

My ideas thus far involve basically, use iptables PREROUTING to push
traffic at "IP not A" through squid, but this doesn't make me
authoritative for their DNS and these people are off site so I can't
exactly make myself their default gateway.  Even if I could (somehow?),
it would require transparent proxy auth which is impossible if my
understanding of how stuff works is valid (which it might not be).  My
understanding of the problem makes it impossible to perform, but you are
greater proxy experts than I...

Wow, you got all the way down here... dang....

I will accept vaguely half formed, partially coherent theories just to
keep my own mental gears turning.  Anything at all you could contribute
would be tremendously helpful (this includes, the proposed task is
impossible proofs as well, but sadly I would need a strong argument to
hand up the chain as they look at me funny when I say this doesn't sound
possible).

Pat


Re: half of a transparent proxy question I guess.....

Chris Robertson-2
Pat Riehecky wrote:
> This is a bit of an odd duck, but....
>
> The university I work for has a bunch of library pages that can only be
> accessed from on campus as they are hosted off site and authenticated by
> IP address.  

This sounds like a perfect scenario for an acceleration setup.  You can
dispense with having users set proxy in their browser and only require
authentication for off-site access.

In short, the Squid box acts like the origin server (using a domain
within your control: http://offsite.library.iwu.edu/ or some such).  
ACLs are set up such that access from within your campus network is
allowed through the acceleration setup without authentication, access
from outside is allowed WITH authentication, and all other access is
denied (forcing those who are using your proxy for all internet traffic
to repent, and helping prevent abuse of the system).  Allowed requests
are relayed by your Squid server to the remote library site, and the
content is ultimately served by your Squid server (as it is now).

>
> Wow, you got all the way down here... dang....
>
> I will accept vaguely half formed, partially coherent theories just to
> keep my own mental gears turning.  Anything at all you could contribute
> would be tremendously helpful (this includes, the proposed task is
> impossible proofs as well, but sadly I would need a strong argument to
> hand up the chain as they look at me funny when I say this doesn't sound
> possible).
>  

Half-formed, partially coherent, I can handle.  Fleshing this setup out
is left as an exercise for the reader.  The FAQ sections on accelerators
(http://wiki.squid-cache.org/SquidFaq/ReverseProxy) and ACLs
(http://wiki.squid-cache.org/SquidFaq/SquidAcl) should help a lot...

Questions regarding further clarification of this framework are welcome.

> Pat
>  

Chris
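The accelerator Chris sketches, written out as an added squid.conf fragment that is not from the thread or the Squid project; the hostnames, the campus range, the password file and the helper path are assumed placeholders:

```conf
# Added example, not Chris's or the Squid project's own configuration.
# Assumed values: offsite.library.example.edu is the name students use,
# library-vendor.example.com is the IP-authenticated off-site library host,
# 192.0.2.0/24 stands in for campus range "A", /etc/squid/passwd is an
# htpasswd file, and the ncsa_auth path matches your Squid build.

# Squid answers as if it were the origin for offsite.library.example.edu
http_port 80 accel defaultsite=offsite.library.example.edu

# Relay accepted requests to the real library host, presenting that host's
# own name so its IP-based check sees the campus Squid address
cache_peer library-vendor.example.com parent 80 0 no-query originserver name=library forcedomain=library-vendor.example.com

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic realm Library access for enrolled students
auth_param basic credentialsttl 2 hours

acl library_site dstdomain offsite.library.example.edu
acl campus src 192.0.2.0/24
acl enrolled proxy_auth REQUIRED

# On campus: pass straight through, no challenge (what it does now)
http_access allow library_site campus
# Off campus: require a login; on an accel port Squid challenges with 401
http_access allow library_site enrolled
# Everyone else, including people pointing a browser at this box as a
# general proxy, is refused rather than relayed
http_access deny all

# Requests may only ever go to the library peer, never to arbitrary origins
cache_peer_access library allow library_site
cache_peer_access library deny all
never_direct allow all
```

Basic credentials cross the wire unencrypted on port 80, so for real use put the accel port behind `https_port ... accel cert=...` instead. Pages the vendor returns still carry links to its own hostname, which this fragment does not rewrite.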

Re: half of a transparent proxy question I guess.....

Emilio Casbas
Chris Robertson wrote:
> Pat Riehecky wrote:
>> This is a bit of an odd duck, but....
>>
>> The university I work for has a bunch of library pages that can only be
>> accessed from on campus as they are hosted off site and authenticated by
>> IP address.  

I think that ezproxy will be the perfect solution to your problem.

>
> This sounds like a perfect scenario for an acceleration setup.  You can
> dispense with having users set proxy in their browser and only require
> authentication for off-site access.

But let me know if someone has achieved this with squid accel.


Thanks
Emilio C.

Re: half of a transparent proxy question I guess.....

Adrian Chadd
On Wed, May 16, 2007, Emilio Casbas wrote:

> >This sounds like a perfect scenario for an acceleration setup.  You can
> >dispense with having users set proxy in their browser and only require
> >authentication for off-site access.
>
> But let me know if someone has achieved this with squid accel.

The trouble is rewriting the content as it passes through Squid to rewrite
www.foo.com -> www.foo.com.squid-gateway.com. Probably doable in squid-3
with some custom coding.



Adrian