Squid + Dansguardian & transparent proxy



  • Hi,

    On my pf I've configured Squid and Dansguardian with Squid authentication and a port forward that redirects traffic from port 3128 to port 8080. If I set port 3128 in the clients' browser it works fine: the user can authenticate on Squid and Dansguardian's filter blocks blacklisted traffic, BUT if I set "no proxy" in the clients' browser everyone can access the internet freely without an authentication request or filters.
    It works like a transparent proxy, and that's not a very good solution for security…

    Any idea?

    Thank you very much



  • Authentication does not work with transparent proxy.

    Try automatic proxy configuration scripts (PAC/WPAD)



  • @marcelloc:

    Authentication does not work with transparent proxy.
    Try automatic proxy configuration scripts (PAC/WPAD)

    I've tried it this way but it doesn't work:

    1. I've created a wdat.dat => http://doc.pfsense.org/index.php/WPAD_Autoconfigure_for_Squid
    2. I've put it in /usr/local/www
    3. and started a browser on a client

    Do I need a webserver service on pf?
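
    Added example (not from the original thread and not the pfSense wiki's file): a wpad.dat / PAC script of the kind step 1 refers to. It assumes the pfSense LAN address is 192.168.1.1, that Squid is reached on port 3128 as in the browser setting above, and that the local DNS domain is lan.example; all three are placeholders to adjust. The helpers are written in plain JavaScript instead of the PAC built-ins (isInNet, dnsDomainIs, isPlainHostName) so the same file can be unit-tested in Node before it is served.

```javascript
// wpad.dat: PAC script for clients behind a pfSense box running Squid.
// Example code added here, not from the original thread.
// Assumed (placeholders): pfSense LAN IP 192.168.1.1, Squid on 3128,
// local DNS domain "lan.example". Serve this file over plain HTTP.
//
// No "DIRECT" fallback for external hosts on purpose: if the proxy is
// down the browser must fail rather than silently bypass authentication
// and DansGuardian filtering.

var PROXY = "PROXY 192.168.1.1:3128";
var LOCAL_DOMAIN = ".lan.example";

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit number,
// or return null when host is not a valid IPv4 literal.
function ipv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when host is an IPv4 literal inside net/prefix (CIDR notation).
// Unlike the browser built-in isInNet(), this never resolves DNS.
function inNet(host, net, prefix) {
  var h = ipv4ToInt(host), n = ipv4ToInt(net);
  if (h === null || n === null) return false;
  var mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((h & mask) >>> 0) === ((n & mask) >>> 0);
}

// True for the local domain itself and any host under it.
function isLocalDomain(host) {
  if (host === LOCAL_DOMAIN.slice(1)) return true;
  return host.length > LOCAL_DOMAIN.length &&
    host.slice(-LOCAL_DOMAIN.length) === LOCAL_DOMAIN;
}

// Entry point the browser calls for every URL.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Plain hostnames (no dot), localhost and the local domain: intranet.
  if (host.indexOf(".") === -1 || host === "localhost") return "DIRECT";
  if (isLocalDomain(host)) return "DIRECT";
  // Loopback and RFC 1918 literals stay off the proxy as well.
  if (inNet(host, "127.0.0.0", 8) || inNet(host, "10.0.0.0", 8) ||
      inNet(host, "172.16.0.0", 12) || inNet(host, "192.168.0.0", 16)) {
    return "DIRECT";
  }
  // Everything else, http and https alike, goes through Squid, which
  // challenges for credentials and hands the request to DansGuardian.
  return PROXY;
}
```

    Browsers find the file through WPAD: either DHCP option 252 carrying its URL, or a DNS name wpad.<domain> that resolves to the firewall, after which they fetch http://wpad.<domain>/wpad.dat (plain HTTP, ideally with content type application/x-ns-proxy-autoconfig). A PAC only steers clients that honour it; a client set to "no proxy" still goes out directly unless LAN firewall rules block ports 80 and 443 to every destination except the proxy port.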



    Test without SSL on the web GUI.



  • @marcelloc:

    Test without SSL on the web GUI.

    No, I've tried but it doesn't work. The client can access the internet without authentication.



  • @demo:

    No, I've tried but it doesn't work. The client can access the internet without authentication.

    Check your firewall rules again. Clients will access the internet without the proxy only when the firewall permits it.



  • This is a good old transparent proxy + transparent auth problem with Squid. I have been there a lot. You're not supposed to have auth in TP. It's because of 'man in the middle'. It's a browser restriction. And on top of that you don't get filtering on HTTPS in TP either. You'd better go with a DNS filter. You just need to set up DNS from your DHCP server. No need to set up each browser. And there's a freeware DNS filter supporting auth and AD integration: NxFilter. It uses urlblacklist as well. It supports malware/botnet detection and clustering, policy based on user or group, quota time, a built-in GUI and dashboard, reports etc. Try NxFilter. No need to spend a dime.



  • @jaytika:

    This is a good old transparent proxy + transparent auth problem with Squid. I have been there a lot. You're not supposed to have auth in TP. It's because of 'man in the middle'. It's a browser restriction. And on top of that you don't get filtering on HTTPS in TP either. You'd better go with a DNS filter. You just need to set up DNS from your DHCP server. No need to set up each browser. And there's a freeware DNS filter supporting auth and AD integration: NxFilter. It uses urlblacklist as well. It supports malware/botnet detection and clustering, policy based on user or group, quota time, a built-in GUI and dashboard, reports etc. Try NxFilter. No need to spend a dime.

    Good, but I can't install it on pf, which works as DNS server, firewall, proxy, etc.



  • @marcelloc:

    @demo:

    No, I've tried but it doesn't work. The client can access the internet without authentication.

    Check your firewall rules again. Clients will access the internet without the proxy only when the firewall permits it.

    On pf I've created a rule that redirects traffic from LAN address:80 to LAN address:3128, but it doesn't work. The browser, configured with automatic proxy detection, can access the internet without any authentication or filters.
    So I've created a rule that blocks traffic to LAN address:80 and a NAT port forward that redirects traffic from 3128 to 8080. The browser now must be configured to use port 3128, and is filtered by Dansguardian too. If it's not set, the browser can't access the internet.
    I think it's not a good way to do what I want for my LAN, but at the moment I can't find another one…