Both transparent and forward proxy



  • I would like to set up Squid with both transparent and authenticated proxy. The second one will be used only for exceptions of standard company rules.
    When I try to enable the authentication I got this:

    The following input errors were detected:
        Authentication cannot be enabled while transparent proxy mode is enabled

    Is there any way to avoid this error?



  • Unless you have other needs for a second proxy, I'm curious as to why you couldn't selectively filter with SquidGuard using ACL groups?



  • Maybe I'm missing something in squid/squidguard potentiality.
    In my network I have these needs:

    • Log HTTP/HTTPS activity

    • Filter some url for everyone in the network except of an user group "marketing"

    • Access without a proxy configuration (for mobile devices or for ot well developed software that needs a direct http/https connection)

    So I thought to make a transparent http/https proxy, but with this solution I miss the authentication and I can not forward the restricted request for "marketing" users.

    This is the reason why I'm thinking for a both transparent and forward proxy (everyone will use a transparent proxy, and only for "marketing" group I will set up their computer with the proxy configuration). But seems that squid could not act as transparent and forward proxy together.

    I don't know if there is another solution… I also thought to use only a transparent proxy and authenticate by ip address, but this way I should use the domain controllers logon logs to refresh the "allowed" ip address list in squidguard and I don't know if it is so simple, maybe It can be more simple if I will use a mysql db to update the "allowed" ip list.



  • There is, aside authentication, something else your approach is missing, unless you decide to configure your proxy with intercepting mode, meaning man-in-the-middle  :-[
    Transparent proxy will not handle HTTPS, meaning you will not log anything  ;)
    I understand that reason behind your design choice is to avoid configuring proxy for each client (browser) but right technical answer for this is WPAD instead of complex design (which doesn't work BTW) mixing both transparent and explicit proxies.



  • In my network I have these needs:

    • Log HTTP/HTTPS activity

    Squid does this.  Best to not use transparent mode.

    • Filter some url for everyone in the network except of an user group "marketing"

    SquidGuard does this.

    • Access without a proxy configuration (for mobile devices or for ot well developed software that needs a direct http/https connection)

    Add a firewall rule(s) that allows those IP addresses to directly access ports 80 and 443 which you had previously blocked for everyone else to force use of the proxy.



  • @KOM:

    Add a firewall rule(s) that allows those IP addresses to directly access ports 80 and 443 which you had previously blocked for everyone else to force use of the proxy.

    This only partially works. It doesn't for HTTPS because if your browser is not aware that HTTPS goes through proxy, it will not be able to accept proxy answer, as far as I understand. The only way to achieve it is WPAD (designed for this purpose) or similar mechanism based on GPO for "Windows only" landscape.



  • Thank you for your answer.

    For me it is not a problem the men-in-the-middle because I can distribuite squid's certificate by GPO as suggested, I already tried it and it works.

    My problem is that I want the proxy authentication to recognize my "special" users (and in this cases I can require to configure the user's client with a proxy.pac or explicit proxy config) but for all other I want a transparent proxy because rules are the same for everyone and because many devices/software are not designed to work behind a proxy.
    This is because I'm asking if there is any way to mix a transparent and an authenticated proxy in the same squid installation.

    The only other solution I see to use only a transparent proxy is to catch the ip addresses of my "special" users by domain controller logon logs (because I can not assign a static ip and they should be able to change their computer without loosing proxy privileges), do a live update in the squid ip addresses database and then grant request from this pool of ips to restricted urls. Anyone tried this solution in a windows environment?

    • Filter some url for everyone in the network except of an user group "marketing"

    SquidGuard does this.

    Yes, but this way I need an authenticated proxy… so seems that I an authenticated proxy (for special users)...

    • Access without a proxy configuration (for mobile devices or for ot well developed software that needs a direct http/https connection)

    Add a firewall rule(s) that allows those IP addresses to directly access ports 80 and 443 which you had previously blocked for everyone else to force use of the proxy.

    Access without proxy config should be used only for "normal/restricted" user, so in these cases I want to filter some urls. This is because seems that I also need a transparent proxy. I can not use a firewall rule because I can not have a static list of ip addresses and because I can not filter by URL.



  • I don't understand how this could work using one single IP running both explicit and transparent proxy with same Squid config  :o

    What I don't understand neither is how one could implement profiling (on a per user or per group basis) without prompting ALL users for authentication in order to determine their profile and therefore access rights  ???

    This said, if you are convinced that the only solution is what you describe, then you could configure another proxy somewhere on you (internal) network, configure this proxy as explicit proxy for clients allowed to use it (they should be prompted for authentication) then configure pfSense to redirect to transparent proxy all IPs but the one matching you internal proxy.
    Why not…  ::)



  • My needs are simple (aren't them?  :P) url filter and no authentication for everyone, who want to authenticate itself can bypass the url filter (if he is in the granted group).

    Maybe it is impossibile to implement both authenticated and transparent proxy with squid, but theoretically should be possibile: the requested of transparent proxy must be reroutered by the gateway (request comes from the gateway and not from client). Furthermore I can use multiple (virtual) ip's or better different ports: 3128 for authenticated, 3129 for transparent….  Am I right?

    What I understand squid act as transparent OR forward proxy and I can not change its behaviour by source ip/subnet address or listening tcp port.



  • I'm afraid you're missing something in the big picture if you look only at the gateway side without taking in account that your client handles one part of the configuration.
    Everything is not done gateway (or proxy) side.

    @tobiascapin:

    What I understand squid act as transparent OR forward (note: I would rather say explicit) proxy and I can not change its behaviour by source ip/subnet address or listening tcp port.

    Indeed and reason is mainly (as far as I understand) because proxy will have different behaviour when replying to browser (client) if configured as explicit or transparent.
    e.g. Squid is not supposed to send back HTTP 407 to browser when configured in transparent mode isn't it?
    So I believe that you will need 2 different proxies in order to achieve 2 different behaviours.
    Then if you want to run both on same server, I'm pretty sure you can achieve it (although I even never tried  :-[)

    (*) I'm suggesting to use explicit rather than forward because even when running transparent proxy, Squid will act as a proxy, handling request client side and performing request toward server.



  • @chris4916:

    I'm afraid you're missing something in the big picture if you look only at the gateway side without taking in account that your client handles one part of the configuration.
    Everything is not done gateway (or proxy) side.

    I'm really sorry, but I did not understand this sentence.  Can you better explain it for my very poor english? :-[
    As far as I know for transparent proxy I don't need any client configuration.

    I understand that there are big difference on HTTP transactions between explicit and transparent proxy… but this is a squid limitation because it can not switch from explicit to transparent behaviour according to some params getted in the very first HTTP exchange... I could say tcp port, ip source, subnet source and so on.
    If the request port is 3128 it can answer with 407 code, if the request is coming from 3129 port it skips the 407 reply and forward request to host.

    For example Apache HTTPD can be configured to require http authentication for requests coming from port 8080 and (the same daemon) does not require authentication from 8081. The same for the virtual host, source's ip address and so on.

    Don't you agree that it is technically possibile with a proxy?



  • I'm afraid my English is poor too  :-[

    What I meant is behaviour differs on each side whether proxy is transparent or not.

    BTW, it may work (I never tried) with one single Squid implementation and 2 listener defined, perhaps something like this:
    [code]http_port 3128
    http_port 3129 tproxy

    as far as I know, there is nothing stating this directive should be unique for one given address ???



  • Ok I got it. :D

    And do you know if there was any pioneer that tried to connect logon logs to squidguars?
    Do you know if it is possible to store a ip address list in a mysql table to use in squidguard's acls?

    Thank you for your help.



  • This seems an interesting answer. However he did not know if it is possible to set authentication to the explicit.proxy
    http://serverfault.com/questions/675743/squid-both-transparent-and-forward-mode



  • Squidguard based on ACL… well anything based on ACL (edit: IP)  except for servers is very strange to me in a world where almost everything is based on DHCP and where setting your own IP or even forging it is so easy.
    Anyway, you may want to look at X-Forwarded-For directive  ;)

    edit: sorry, I meant based on IP, not ACL



  • Ok, but my very first problem is to know if squidguard could read ip addresses lists from mysql db as it can do for users list.


Log in to reply