 From:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 To:  Ernesto Rojas Rodriguez <ernesto at cubarte dot cult dot cu>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Http request redirect to Squid
 Date:  Wed, 19 Apr 2006 22:16:54 +0100
Hi,

Glad to hear that.  Perhaps someone should document it and add it to the
FAQ or documentation.  I'm sure other people would be interested in it.


>Anyway thanks for your help.
>
>PS
>In your solution if squid.box fails all LAN traffic will stop. With the
>solution I implemented I am only going to lose http traffic in case
>squid.box fails.

I don't think I ever suggested putting the server running squid inline
which is how it could take out all traffic.  I'd never do that.  I
suggested using an auto-proxy-config script / wpad.

I still maintain that it is best to tell the clients that they are using
a proxy.  I have to do it that way because I need authentication - in a
DHCP environment we need to log _who_ is accessing what site, etc.

ATB,


                                Neil.


>below rule, modified to your needs, in your config file and upload it
>to monowall. Set squid to be transparent proxy and you're good to go.
>
>Downside is that squid is on another interface, but if squid goes down
>you only lose http traffic.
>
>External port is lan port that you want to redirect, obviously port 80.
>
>Target is squid box ip address, local port is the port on squid,
>default is 3128 for proxy, make sure squid is configured as transparent
>proxy.
>
>Ryan Wagoner
>
>-----Original Message-----
>From: Neil A. Hillard [mailto:m0n0 at dana dot org dot uk]
>Sent: Tuesday, April 18, 2006 2:25 PM
>To: m0n0wall at lists dot m0n0 dot ch
>Subject: Re: [m0n0wall] Http request redirect to Squid
>
>Hi,
>
>In message <1145383504 dot 10693 dot 57 dot camel at localhost dot localdomain>, Marko
>Vukovic <marko at aquamanta dot co dot za> writes
>>On Mon, 2006-04-17 at 16:04 -0400, Ernesto Rojas Rodriguez wrote:
>clients
>>> Squid, to take advantage of this service. I have the Squid running on a Pc
>>> on the LAN.
>
>>Hi Ernesto
>
>>This has been dealt with several times on this list. My suggestion was
>>to:
>>a) Allow HTTP traffic outbound thru the m0n0wall only for the Squid box.
>>b) Enable port forwarding on your Squid box.
>>c) Configure Squid for transparent caching.
>>d) In your m0n0wall's dhcp configuration, create a custom
>><gateway>x.x.x.x</gateway> entry pointing to your Squid box so that it
>>becomes the default gateway for your LAN clients.
>
>>Ciao!
>
>The best way is to only allow your squid machine out on port 80 and then
>configure your clients to use squid, either by hard coding it, from an
>auto-proxy-config URL or automatically using WPAD (if the browser
>supports it).
>
>Doing it this way also allows you to add authentication if required.
>
>It also allows you to pass HTTPS traffic through the proxy and do
>rudimentary access control based on the destination.
>
>using squid, configured using WPAD and don't have any problems.
>
>HTH,
>

-- 
Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk
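
Added example, not part of the original message: a minimal proxy auto-config (PAC) script of the kind suggested in the thread, which can also be served as wpad.dat for WPAD. It assumes the squid.box name and port 3128 mentioned in the thread and a hypothetical LAN of 192.168.1.0/24.

```javascript
// Constructed PAC file (served as proxy.pac or wpad.dat). Assumptions:
// squid.box:3128 as named in the thread, LAN 192.168.1.0/24 (hypothetical).
var PROXY = "PROXY squid.box:3128";
var LAN_NET = "192.168.1.0";
var LAN_MASK = "255.255.255.0";

// Parse a dotted-quad IPv4 literal to an unsigned 32-bit number, or null.
function ipToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when host is an IPv4 literal inside net/mask. Unlike the browser's
// isInNet(), this never triggers a DNS lookup for hostnames.
function inNet(host, net, mask) {
  var h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Local names and LAN addresses never leave the LAN, so skip the proxy.
  if (host === "localhost" || host.indexOf(".") === -1) return "DIRECT";
  if (inNet(host, "127.0.0.0", "255.0.0.0")) return "DIRECT";
  if (inNet(host, LAN_NET, LAN_MASK)) return "DIRECT";
  // Web traffic goes to Squid with no "; DIRECT" fallback: the firewall only
  // lets the Squid machine out on port 80, and a fallback would skip the
  // proxy's authentication and logging.
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  if (scheme === "http" || scheme === "https") return PROXY;
  return "DIRECT";
}
```

Because the script returns no DIRECT fallback for web traffic, clients lose only HTTP/HTTPS browsing when the proxy is down, and other LAN traffic is unaffected.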