 From:  "Neil A. Hillard" <m0n0 at dana dot org dot uk>
 To:  Ernesto Rojas Rodriguez <ernesto at cubarte dot cult dot cu>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Http request redirect to Squid
 Date:  Wed, 19 Apr 2006 22:16:54 +0100
Hi,

>I made this and it works OK!!!!!!  Ryan Wagoner sent me this solution.

Glad to hear that.  Perhaps someone should document it and add it to the
FAQ or documentation.  I'm sure other people would be interested in it.


>Anyway thanks for your help.
>
>PS
>In your solution, if squid.box fails, all LAN traffic will stop. In the
>solution I implemented I am only going to lose http traffic in case
>squid.box fails.

I don't think I ever suggested putting the server running squid inline
which is how it could take out all traffic.  I'd never do that.  I
suggested using an auto-proxy-config script / wpad.

I still maintain that it is best to tell the clients that they are using
a proxy.  I have to do it that way because I need authentication - in a
DHCP environment we need to log _who_ is accessing what site, etc.

ATB,


                                Neil.

> Put squid on OPT1, etc interface so it's separate from lan. Place the
>below rule, modified to your needs, in your config file and upload it
>to monowall. Set squid to be transparent proxy and you're good to go.
>
>Downside is that squid is on another interface, but if squid goes down
>you only lose http traffic.
>
>      <nat>
>            <rule>
>                  <protocol>tcp</protocol>
>                  <external-port>80</external-port>
>                  <target>10.10.2.5</target>
>                  <local-port>3128</local-port>
>                  <interface>lan</interface>
>                  <descr>HTTP PROXY</descr>
>            </rule>
>      </nat>
>
>External port is lan port that you want to redirect, obviously port 80.
>
>Target is squid box ip address, local port is the port on squid,
>default is 3128 for proxy, make sure squid is configured as transparent
>proxy.
>
>Ryan Wagoner
>
>-----Original Message-----
>From: Neil A. Hillard [mailto:m0n0 at dana dot org dot uk]
>Sent: Tuesday, April 18, 2006 2:25 PM
>To: m0n0wall at lists dot m0n0 dot ch
>Subject: Re: [m0n0wall] Http request redirect to Squid
>
>Hi,
>
>In message <1145383504 dot 10693 dot 57 dot camel at localhost dot localdomain>, Marko
>Vukovic <marko at aquamanta dot co dot za> writes
>>On Mon, 2006-04-17 at 16:04 -0400, Ernesto Rojas Rodriguez wrote:
>>
>>> I would like to redirect all http requests made to the monowall by
>>> clients of the LAN to a machine running Squid, to take advantage of
>>> this service. I have the Squid running on a PC on the LAN.
>>
>>Hi Ernesto
>>
>>This has been dealt with several times on this list. My suggestion was
>>to:
>>a) Allow HTTP traffic outbound through the m0n0wall only for the Squid
>>box.
>>b) Enable port forwarding on your Squid box.
>>c) Configure Squid for transparent caching.
>>d) In your m0n0wall's dhcp configuration, create a custom
>><gateway>x.x.x.x</gateway> entry pointing to your Squid box so that it
>>becomes the default gateway for your LAN clients.
>>
>>Ciao!
>
>The best way is to only allow your squid machine out on port 80 and
>then configure your clients to use squid, either by hard coding it, from
>an auto-proxy-config URL or automatically using WPAD (if the browser
>supports it).
>
>Doing it this way also allows you to add authentication if required.
>
>It also allows you to pass HTTPS traffic through the proxy and do
>rudimentary access control based on the destination.
>
>Using an intercepting proxy is particularly nasty.  I have 3500 clients
>using squid, configured using WPAD and don't have any problems.
>
>HTH,
>
>                                Neil.
>

-- 
Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk
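An added example of the auto-proxy-config script Neil refers to, written for this page and not taken from the thread or from m0n0wall: a PAC file that sends HTTP and HTTPS to the squid box from Ryan's NAT rule and lets LAN-internal destinations go direct. Browsers load it from a manually configured auto-proxy URL or discover it via WPAD; the LAN address range and the internal DNS suffix below are assumed values.

```javascript
// PAC (proxy auto-config) script for the setup in the thread: only the
// squid box may leave on port 80, so browsers are told explicitly to use it.
// Browsers fetch this file from a configured auto-proxy URL or via WPAD
// and call FindProxyForURL() for every request.
// Example values; only the squid address/port come from the thread:
var SQUID_PROXY = "PROXY 10.10.2.5:3128";        // target/local-port from Ryan's rule
var LAN_LITERAL = /^10\.10\.\d{1,3}\.\d{1,3}$/;  // assumed LAN range 10.10.0.0/16
var LOCAL_SUFFIX = ".example.lan";               // assumed internal DNS suffix

// True for destinations that should bypass the proxy: loopback, unqualified
// names, hosts in the internal DNS zone, and literal LAN addresses.
function isLocalDestination(host) {
  host = host.toLowerCase();
  if (host === "localhost") return true;
  if (host.indexOf(".") === -1) return true;                 // e.g. "intranet"
  if (host.length > LOCAL_SUFFIX.length &&
      host.slice(-LOCAL_SUFFIX.length) === LOCAL_SUFFIX) return true;
  return LAN_LITERAL.test(host);                             // e.g. 10.10.2.5
}

// Standard PAC entry point. Returns a proxy list the browser tries in
// order; "DIRECT" means connect without a proxy.
function FindProxyForURL(url, host) {
  var scheme = url.split(":")[0].toLowerCase();
  if (isLocalDestination(host)) return "DIRECT";
  // With an explicit proxy the browser sends CONNECT for https, so squid
  // can log and authenticate those sessions too, as Neil points out.
  if (scheme === "http" || scheme === "https") return SQUID_PROXY;
  // Other schemes go direct; the firewall rules decide whether that works.
  return "DIRECT";
}
```

If squid is down, clients get no fallback here; appending `; DIRECT` to the proxy entry would make the browser try a direct connection, but with port 80 open only for the squid box that attempt is blocked, so the outage stays confined to HTTP/HTTPS while the rest of the LAN traffic is unaffected.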