Re: [squid-users] SQUID transparent, HTTP/1.0, HTTP/1.1

From: Pandu Poluan <pandu_at_poluan.info>
Date: Tue, 1 Feb 2011 19:27:03 +0700

On Tue, Feb 1, 2011 at 18:15, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 01/02/11 19:58, Pandu Poluan wrote:
>>
>> On Tue, Feb 1, 2011 at 13:36, Amos Jeffries<squid3_at_treenet.co.nz>  wrote:
>>>
>>> On 01/02/11 16:29, Pandu Poluan wrote:
>>>>
>>>> Hello,
>>>>
>>>> I want to configure SQUID as a transparent proxy, but on a separate
>>>> box from the Linux gateway (both boxes using Ubuntu Server 10.04)
>>>>
>>>> I found this howto:
>>>> http://www.faqs.org/docs/Linux-mini/TransparentProxy.html
>>>>
>>>> Now, my questions are:
>>>>
>>>> 1. Is the howto (esp. sections 6.2 and 6.3) still applicable with the
>>>> latest SQUID version?
>>>
>>> The whole of section 6.1 is a major security vulnerability "don't do it!"
>>> situation. Read CVE-2009-0801 for an explanation of what malware can do to
>>> trivially spread itself across your whole client base.
>>>
>>> The currently available Squid do permit it with loud failure warnings in
>>> cache.log. We are planning on fully disabling the security hole in the near
>>> future.
>>>
>>>
>>> Section 6.2 and 6.3 are the recommended way if you have to do NAT
>>> interception.
>>>
>>> The real transparent proxy (TPROXY) in the more recent Squid does not work
>>> reliably on Ubuntu 10.04.
>>>
>>>
>>
>> I don't really understand TPROXY. Do I really need TPROXY for
>> Squid to do transparent/intercepting proxy?
>
> No, it's not required. Just useful and nicer than NAT since it operates in
> both IPv4 and IPv6 and avoids websites with badly designed IP-based security
> systems (aka hotmail.com and some popular download sites).
>
>>
>> If I do, what Linux distro do you recommend?
>
> For TPROXY the best distro seems to be CentOS 5.5+ or Debian Squeeze or
> Ubuntu 10.10, all with a 3.1.10 self-built Squid.
>

Ahhh, I see...

More questions, then. But first, a description of my situation.

I need to have 2 Squid boxes separate from the Linux firewall. The
reason is that the users of the Squid boxes are different:

Squid A is used by Management -- traffic must go through Internet-A
Squid B is used by Rest Of Staff -- traffic must go through Internet-B

There's a single Linux firewall connected to Internet-A and
Internet-B; it performs SNAT and routing, currently using "ip rule"
entries to route based on source address.

Now, my questions:

1. Where must I apply the TPROXY patches? The firewall, or Squid boxes?

2. What configurations should be applied on the firewall and the Squid boxes?

If you can point me to a HOWTO suitable for my situation, I'd
appreciate it. I've been searching and it seems that most HOWTOs on
TPROXY assume an intercepting Squid on the same box as the firewall.

Again, thanks for your kind assistance. Apologies if I trouble you in any way.

> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.10
>  Beta testers wanted for 3.2.0.4
>

--
Pandu E Poluan
~ IT Optimizer ~
Visit my Blog: http://pepoluan.posterous.com
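Added example, not part of this thread or of Squid's own code: a minimal version of the check an intercepting proxy must make to stay clear of the CVE-2009-0801 problem Amos refers to. The assumption behind it is that when a remote gateway DNATs port 80 to the proxy box (the howto's section 6.1 setup), the proxy only sees its own address as the destination and so cannot verify the client's Host header; with policy routing to the proxy box (sections 6.2/6.3) the original destination survives and can be compared against what Host resolves to. The DNS table and proxy address below are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

# Constructed resolver table (RFC 5737 documentation addresses, not real hosts).
DNS = {
    "www.example.com": {"192.0.2.10", "192.0.2.11"},
    "bank.example.net": {"198.51.100.20"},
}
# The intercepting proxy's own address (assumed value for the example).
PROXY_OWN_IPS = {"10.0.0.2"}


@dataclass
class Verdict:
    allowed: bool
    reason: str


def host_addresses(host_header: str) -> Set[str]:
    """Addresses the Host header names: an IP literal, or the resolved set.
    Handles hostnames and IPv4 literals with an optional :port suffix."""
    name = host_header.strip().lower().split(":")[0]
    try:
        return {str(ipaddress.ip_address(name))}
    except ValueError:
        return DNS.get(name, set())


def verify_host(original_dst: str, host_header: Optional[str]) -> Verdict:
    """Allow the request only if Host points at the IP the client really hit."""
    if original_dst in PROXY_OWN_IPS:
        # Remote DNAT replaced the real destination with our own address, so
        # there is nothing to compare Host against: fail closed, never trust it.
        return Verdict(False, "original destination lost to remote DNAT")
    if not host_header:
        return Verdict(False, "no Host header")
    addrs = host_addresses(host_header)
    if not addrs:
        return Verdict(False, f"Host {host_header!r} does not resolve")
    if original_dst not in addrs:
        return Verdict(False, f"Host {host_header!r} does not resolve to {original_dst}")
    return Verdict(True, "Host matches original destination")


def check_request(original_dst: str, raw: bytes) -> Verdict:
    """Pull the Host header out of a raw HTTP request and verify it."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    host = None
    for line in head.split("\r\n")[1:]:  # skip the request line
        key, _, value = line.partition(":")
        if key.strip().lower() == "host":
            host = value.strip()
            break
    return verify_host(original_dst, host)
```

In a real deployment `original_dst` comes from the kernel's SO_ORIGINAL_DST (NAT) or the socket's local address (TPROXY), and the resolver is the proxy's own DNS cache rather than a fixed table.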
Received on Tue Feb 01 2011 - 12:27:13 MST
