Re: [squid-users] Re: Using squid on a single machine to create a transparent http proxy behind a corporate proxy?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 24 Feb 2013 17:42:14 +1300

On 23/02/2013 9:47 p.m., Magnus wrote:
> I am setting up a Linux machine that will run behind a corporate web
> proxy with authentication (NTLM and basic) but since I will for
> development purposes run a lot of different software, VMs etc it is a
> pain to manage proxy configuration in them all (some programs also
> have buggy or non existing proxy support and the password in the
> corporate firewall must be changed regularly making the pain worse).
> The corporate proxy does not seem to do a very good job in
> accelerating web traffic either :-(
>
> To address these problems I would like to set up a "transparent proxy"

"transparent proxy" means many different things. What you are talking
about here is "transparent interception proxy" or just "interception proxy".

> on my own box for my private use that intercepts all http traffic,
> accelerates it and directs it to the corporate proxy (including
> performing the authentication with my own user name password) - this
> way I should only have to set and update it in one place and also
> solve the other issues at the same time!
>
> My question is if it is possible to set up Squid in this way?

Sort of. Yes to all of the above _except_ sending NTLM authentication to
the upstream proxy.

Squid can only generate Basic or Negotiate authentication credentials
for upstream Proxy-Auth headers. If the corporate proxy were upgraded to
Negotiate/Kerberos authentication the Squid sending your credentials
would be an option. NTLM is just too complicated with several
round-trips of request/reply, nobody can be bothered implementing it
(particularly since NTLM is an obsolete and insecure protocol these days).

NTLM and Digest authentication require the software on your end to
generate the credentials, and Squid can be configured to relay them to
the upstream.

... NP: the proxy generating credentials for you is called "transparent
authentication proxy". The relaying of credentials is part of "HTTP
transparent proxy".

> I
> already know that it is good at speeding up web traffic and that it
> can be set up as transparent proxy but I am not sure if it could be
> done on a single machine as described or if it can redirect traffic to
> another proxy that sits between it and internet?
>
> If it is possible, how hard would it be? Are there some guides I could
> use? I know a bit about networking but am not a guru by any means...

I think you want to look at DHCP or software auto-configuration
(otherwise known as "transparent configuration") to push out a PAC file
using WPAD settings. A lot of software will pick up the proxy details
from the PAC file and use the proxy without any manual configuration needed.

The http://wiki.squid-cache.org service seems to be down as of right now.
When it comes up take a read through
http://wiki.squid-cache.org/SquidFaq/ConfiguringBrowsers for the best
way to configure Squid. Even if you go with interception proxy for most
of the traffic you should have a forward-proxy port configured anyway
for the objects which are served directly out of Squid.

Amos
Received on Sun Feb 24 2013 - 04:42:20 MST
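A minimal squid.conf for the setup Amos describes (an interception port for the VMs, a forward-proxy port for PAC/WPAD-configured clients, and a parent cache_peer that sends Basic credentials to the corporate proxy), added here as an illustration and not taken from the thread or from the Squid project's own documentation. The upstream host proxy.corp.example and its port 8080, the user name, the virbr0 VM interface, the 192.168.122.0/24 VM network and the "proxy" system user that Squid runs as are assumptions.

```conf
# --- squid.conf (added example; hostnames, ports, users are assumptions) ---

# Forward-proxy port. Point the PAC file / WPAD and any explicitly
# configured software here. This port is also what serves cached objects
# to clients that know they are talking to a proxy.
http_port 3128

# Interception port. Only traffic REDIRECTed by netfilter should arrive
# here; never point a configured client at it. Corresponding rules:
#   # VM traffic arriving on the virtual bridge
#   iptables -t nat -A PREROUTING -i virbr0 -p tcp --dport 80 \
#            -j REDIRECT --to-port 3129
#   # traffic from local processes, excluding Squid itself (loop guard)
#   iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner proxy \
#            -j REDIRECT --to-port 3129
http_port 3129 intercept

# Local disk cache, so repeated fetches are served without touching the
# corporate proxy at all.
cache_dir ufs /var/spool/squid 2048 16 256

# The corporate proxy as the single parent. "login=user:password" makes
# Squid generate Basic credentials itself, which is the only option that
# works for intercepted clients: they do not know a proxy exists and would
# not answer a 407. "login=PASS" would instead relay whatever the client
# sent (the NTLM/Digest relay case), which only helps configured clients.
cache_peer proxy.corp.example parent 8080 0 no-query default login=magnus:CHANGEME

# Never go direct; everything that is not a cache hit leaves via the parent.
never_direct allow all

# Who may use this box as a proxy: the machine itself and its VMs only.
# Without this the interception port plus the stored password turn the
# box into an open relay through the corporate proxy under your identity.
acl localnet src 192.168.122.0/24
http_access allow localhost
http_access allow localnet
http_access deny all
```

Because the corporate password now sits in clear text in squid.conf, keep the file readable only by root and the Squid user (chmod 640, owned by root with the Squid group), and rotate it there when the corporate password changes; squid -k reconfigure picks up the new value without a restart. Keep the intercept rule bound to the VM interface and the owner match on the OUTPUT rule, otherwise Squid's own connections to the parent get redirected back into Squid.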
