 From:  Paul Taylor <PaulTaylor at winn dash dixie dot com>
 To:  "'C. Andrew Zook'" <andrewzook at pdqlocks dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: Fwd: [m0n0wall] dansguardian squid transparent proxy rdr
 Date:  Thu, 28 Dec 2006 12:25:17 -0500

	Your auto browser config - How do you currently handle it? (Is it
via Monowall with a hidden config command that I'm not aware of?)

I'm currently using a separate DHCP server to hand that out (not the DHCP
server in Monowall), using lines like these in my dhcpd.conf:

# Define WPAD option
option wpad-url code 252 = text;
option wpad-url "http://proxyserver:8080/array.dll?Get.Routing.Script\n";

(The array.dll etc. in the URL is for Microsoft's ISA Server)

It would be pretty easy to add this to the base Monowall package so you
could use the DHCP server in Monowall to hand out the URL to the proxy.pac
file.  Of course, this is probably only important in large networks that
probably wouldn't use Monowall anyhow...


-----Original Message-----
From: C. Andrew Zook [mailto:andrewzook at pdqlocks dot com] 
Sent: Thursday, December 28, 2006 12:12 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: Fwd: [m0n0wall] dansguardian squid transparent proxy rdr

Agreed - This is how I do it. I use Tinyproxy and DG. I block all web 
access with M0n0 except for the proxy server. Then I use automatic 
browser configuration (google wpad and proxy.pac).

I also output the log files in squid format and use a program called 
"srg" which is run every 15 minutes as a cron job so that I can check up 
on what the users are surfing.

I love it! My users hate it ;-)


> You need to use the proxy by configuring your clients to use it, and not
> using an intercepting proxy.  When the browsers are configured for the
> proxy they will send a CONNECT request.  You will then be able to block
> based on the destination server (domain name or IP address), but you
> won't see the URL path at all.
> This means you still have a log of what server the user connected to but
> not exactly what they did whilst they were there.  Which is the best
> you'll get without breaking the certificate chain and having the user
> prompted on each request (which is technically possible but really
> screws around with the authenticity of a secure connection).
> HTH,
>                                 Neil.
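
Added example, not part of the original thread or any poster's code: a Python sketch of what an explicitly configured proxy can read from a plain HTTP request versus a CONNECT request, and the host-only block decision that leaves for HTTPS. The blocklist entry, the sample request lines and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed blocklist for this example (not from the thread).
BLOCKED_HOSTS = {"blocked.example"}


def visible_to_proxy(request_line):
    """Return the fields a forward proxy can read from one request line."""
    fields = request_line.strip().split(" ")
    if len(fields) != 3 or not fields[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % request_line)
    method, target = fields[0].upper(), fields[1]
    if method == "CONNECT":
        # Authority form (host:port). Everything after the tunnel is set up
        # is TLS, so the URL path never reaches the proxy in clear text.
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError("CONNECT target must be host:port")
        return {"method": method, "host": host.strip("[]").lower(),
                "port": int(port), "path": None}
    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        raise ValueError("proxy requests carry an absolute http:// URL")
    path = (url.path or "/") + ("?" + url.query if url.query else "")
    return {"method": method, "host": url.hostname,
            "port": url.port or 80, "path": path}


def decide(request_line):
    """Host-based filter decision; the only kind available for CONNECT."""
    seen = visible_to_proxy(request_line)
    host = seen["host"]
    blocked = any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)
    return ("DENY" if blocked else "ALLOW"), seen


if __name__ == "__main__":
    # Constructed sample request lines.
    for line in ("GET http://www.example.com/mail/inbox?id=7 HTTP/1.1",
                 "CONNECT www.example.com:443 HTTP/1.1",
                 "CONNECT shop.blocked.example:443 HTTP/1.1"):
        verdict, seen = decide(line)
        print(verdict, seen["host"], seen["port"], seen["path"])
```
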