Re: [squid-users] TPROXY and DansGuardian

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 24 Mar 2010 18:37:26 +1300

Jason Healy wrote:
> We've used a few different Squid setups over the years, from a
> vanilla setup to a transparent interception proxy, to a fully
> transparent tproxy.
>
> We're now using DansGuardian to keep tabs on our users (we don't
> block; we just monitor). This is good, but unfortunately it doesn't
> appear to be compatible with tproxy (DG only understands interception
> or regular proxying).
>
> Does anyone know of a way to use DG as an interception proxy, but
> configure Squid to use the "real" client IP address in its outgoing
> requests? I have no idea if this is possible since it would be quite
> a mess of different proxy schemes (DG would be interception-based
> using routing, Squid would use X-Forwarded-For to get the real IP,
> and then tproxy to make the request using the client address).

It was not safe to do that when I first added TPROXY. XFF as been
improved since so the risk is now much lower but still present. I'll
consider it for a future release.

>
> Alternately, does anyone know of a good web monitoring product that
> works in a "sniffer" mode so I don't need to insert it inline? I
> basically would like to use tproxy, but also need to log users who
> are going to naughty sites...
>

 From what I understand of your requirements you don't actually need DG
or anything but Squid alone. Squid can log in any format you choose to
configure. If there is anything it does not yet log we'd be interested
in hearing about that.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
   Current Beta Squid 3.1.0.18
Received on Wed Mar 24 2010 - 05:37:36 MDT

This archive was generated by hypermail 2.2.0 : Wed Mar 24 2010 - 12:00:06 MDT