[squid-users] Putting squid-machine on IPcops router DMZ interface

From: Donatas Gedvilas <d.gedvilas.srk_at_gmail.com>
Date: Wed, 15 Apr 2009 13:34:43 +0300

Hello,

I am looking for help and I am not very good at English, so sorry in advance :).
I am a system-network administrator in one company.
I like open source and I have the task "to control users' http
traffic"; my deadline is 3 months.
I refused "Fortigate" and "Astaro" complete commercial products.

I have 110 users in all, but in one office there are about 50, so I
started there.

As I know a little Debian, I chose it and Squid as a
proxy-cache. I installed it on a separate machine
listening on port 3128, with SNMP enabled and MRTG for monitoring, and
W3Perl for making nice statistics.
For now I configured 10 users' browsers (we use Firefox as the main one,
and IE for specific http) to go through my proxy.
Everything is working fine because Squid handles the real users' IP
addresses, and the W3Perl output generated from access.log
looks fine because I made a translation Name Surname - user's IP address.
And it is easy to change a user's browser settings to go directly if
something is wrong with the "squid-machine".
But this configuration is good only for testing purposes.

Users (intermediate level) can easily change browser settings not to go
through the proxy.
Yes, I know there are some methods to disable changing such
settings, but doing this with 40-50 users is not a good idea :)

So I need a transparent proxy configuration - in my opinion?

I have been using the "IPcop" router/firewalling machine for testing purposes for one
year and it works fine in my case.
(It also has a built-in proxy but I don't like it for several reasons:
very weak logs, poor caching capabilities and everything on one
machine.)

So I am planning to put the Squid-proxy-machine in the DMZ
(IPcop's orange interface, which, as I read from
http://www.deckle.co.za/squid-users-guide, is the best place for a
cache).

My trusted hosts would be on the green network (trusted) and IPcop
hands off any http 80, ftp 21 and https 443 requests to the DMZ (my
orange) interface
on the squid-proxy-machine listening on port 3128, and Squid then would be
able to communicate with the ISP's cache servers on the red side with the
UDP-ICP protocol,
for example - am I right?

The main question is, in that configuration, would my squid-machine be
able to authenticate every user's traffic coming from green and give nice
outputs with Names Surnames,
or would all users' IPs from green be covered by one orange (DMZ) IP,
so the squid-machine wouldn't be able to see nice outputs based on IPs?

Also I have a www server and am planning to put an ftp server on the DMZ.

Please advise me how to do this best in that way or give another
configuration example, because I can't test this way now in
practice
(because my squid-machine is placed in one office and the IPcop firewall
in another (different cities, different branches)).

I would be waiting for any help, thanks.
Received on Wed Apr 15 2009 - 10:34:52 MDT

This archive was generated by hypermail 2.2.0 : Wed Apr 15 2009 - 12:00:02 MDT