
Squid migration to transparent proxy

Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
So right now we have an old version of squid which is causing some problems (mostly it is an administrative headache). My coworker wants to get rid of it and use our SonicWalls (when fully in place) as our proxy. I have another idea: I plan to rebuild squid as a transparent proxy. One of the main reasons why I want to do this is so that we can take our proxy address out of our web browsers (and not have to put it into visitors' browsers on our LAN). Does anyone have any experience with squid or building a transparent proxy? I'd like to get this done before the end of the year (if it isn't too much of a burden, since I have a few other projects to do as well).

Comments

  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    I should also mention that I plan on running this on a CentOS box.
  • L0gicB0mb508 (Member, Posts: 538)
    Squid can sometimes be a bit tricky to configure. It's definitely not hard to do, but I would find a configuration guide for your specific version of squid and edit it as needed. There are a lot of parameters in the conf file, so that's why I recommend using an install guide. I built one running on a CentOS box and it was pretty stable. It should only take you a little bit of time to do it and test it, so it should be a short project for you.
    I bring nothing useful to the table...
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    L0gicB0mb508 wrote: »
    Squid can sometimes be a bit tricky to configure. It's definitely not hard to do, but I would find a configuration guide for your specific version of squid and edit it as needed. There are a lot of parameters in the conf file, so that's why I recommend using an install guide. I built one running on a CentOS box and it was pretty stable. It should only take you a little bit of time to do it and test it, so it should be a short project for you.

    Do you think it would be difficult to migrate it to a transparent proxy?
  • L0gicB0mb508 (Member, Posts: 538)
    Bl8ckr0uter wrote: »
    Do you think it would be difficult to migrate it to a transparent proxy?

    Not at all. You'll have to change the proxy settings on your client machines, but that should be it.
    I bring nothing useful to the table...
  • broc (Member, Posts: 167)
    Bl8ckr0uter wrote: »
    Do you think it would be difficult to migrate it to a transparent proxy?
    L0gicB0mb508 wrote: »
    Not at all. You'll have to change the proxy settings on your client machines, but that should be it.

    Well, you do need to change a few more things but not that much. You can update the proxy settings on your clients via GPO so that's not a problem (except if you have a mixed environment with machines not linked to AD).

    On the squid side, there isn't much to change at all and the main modification will be on your clients' default gateway, which you will need to configure to forward your web traffic to your Squid box. There are a few different ways to do it depending on what gateway/router you are using.

    Have a look at this link:

    SquidFaq/InterceptionProxy - Squid Web Proxy Wiki

    That should give you an idea on what you need to do.
    "Not everything that counts can be counted, and not everything that can be counted counts."
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    broc wrote: »
    Well, you do need to change a few more things but not that much. You can update the proxy settings on your clients via GPO so that's not a problem (except if you have a mixed environment with machines not linked to AD).

    On the squid side, there isn't much to change at all and the main modification will be on your clients' default gateway, which you will need to configure to forward your web traffic to your Squid box. There are a few different ways to do it depending on what gateway/router you are using.

    Have a look at this link:

    SquidFaq/InterceptionProxy - Squid Web Proxy Wiki

    That should give you an idea on what you need to do.

    Thanks dude! This is exactly what I was looking for.
  • broc (Member, Posts: 167)
    Bl8ckr0uter wrote: »
    Thanks dude! This is exactly what I was looking for.

    You're welcome, glad I could help :)
    "Not everything that counts can be counted, and not everything that can be counted counts."
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    broc wrote: »
    You're welcome, glad I could help :)

    Now all I need to do is redo the group policy, upgrade and rebuild the squid box, and then life will be good.
  • it_consultant (Member, Posts: 1,903)
    Why would you use the SonicWall as a proxy? It should function as an inline filter. That's how our web filters are set up...
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    it_consultant wrote: »
    Why would you use the SonicWall as a proxy? It should function as an inline filter. That's how our web filters are set up...

    Because that is what the other admin and my boss want. I am pretty much thinking that I want to use the SonicWall as a firewall and (I guess) gateway AV/SP protection. I want to build a Snort box as our IDS/IPS and rebuild the squid box as our web proxy. I have read bad things about SonicWalls in general, but especially in those two areas.
  • it_consultant (Member, Posts: 1,903)
    I think SonicWalls are the devil incarnate. I am just thinking that since the stupid FW is inline with the traffic, I can't imagine a seriously good reason to use a proxy. Proxies are annoying because anyone with half a brain can download Firefox and get around the filter no problem. In that case you have to filter port 80 to force people to go over the proxy; this option is also not desirable.

    Are you thinking of putting your squid device inline with the firewall? Sort of like a transparent bridge?
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    it_consultant wrote: »
    I think SonicWalls are the devil incarnate. I am just thinking that since the stupid FW is inline with the traffic, I can't imagine a seriously good reason to use a proxy. Proxies are annoying because anyone with half a brain can download Firefox and get around the filter no problem. In that case you have to filter port 80 to force people to go over the proxy; this option is also not desirable.

    You don't know our users. :lol:

    One of the reasons I asked about a transparent proxy is the one you just mentioned (although we do lock some things down by GP). It is really, really annoying when people take their laptops home and have to remember to undo the proxy when they want to browse and then redo it when they VPN in. That's why I want a transparent one. From the link that broc mentioned, it doesn't seem that bad. Do you have a different experience with them? (proxies and/or transparent proxies and/or squid)

    it_consultant wrote: »
    Are you thinking of putting your squid device inline with the firewall? Sort of like a transparent bridge?

    I honestly don't know because I don't know what would be best. If I put it inline, I am concerned about it failing (and not failing open). Is this the way you would/have done it?

    Oh, and as far as why (just in case you were wondering), our WAN pipe isn't the biggest and I don't think we are going to get an upgrade anytime soon, so we need to make the most of our bandwidth.
  • it_consultant (Member, Posts: 1,903)
    I would most certainly put it inline as a transparent filter. The off chance of a fail-closed scenario is far less of a pain than keeping up a proxy. Since you have the know-how to set up squid, that's a great option. I would also set up spamkiller and use your CentOS box as a smart host for your Exchange server.

    I do this for my customers, but I use things like WG and Barracuda since I have NO desire to mess around with squid. I realize the underpinnings of those devices are probably just squid, and I am paying for something I could otherwise get for free.
  • Bl8ckr0uter (Inactive Imported Users, Posts: 5,031)
    it_consultant wrote: »
    I would most certainly put it inline as a transparent filter. The off chance of a fail-closed scenario is far less of a pain than keeping up a proxy. Since you have the know-how to set up squid, that's a great option. I would also set up spamkiller and use your CentOS box as a smart host for your Exchange server.

    That's a good point. The previous admin had issues with squid and it was never maintained (I need to move up off a 1.0 version :eek:).
  • broc (Member, Posts: 167)
    Technically, Squid will not be inline even in transparent mode as the traffic will just get forwarded from your firewall. What you can do however is set up your firewall to check for connectivity with Squid and have it bypass the proxy in case of loss of connectivity.
    "Not everything that counts can be counted, and not everything that can be counted counts."
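The two pieces broc describes above, the gateway forwarding web traffic to a separate Squid box and the gateway bypassing Squid when it stops answering, as one added example. This script is not from the thread or from the Squid project. It assumes a LAN of 192.168.1.0/24 behind a Linux gateway whose LAN interface is eth1, a CentOS Squid box at 192.168.1.10 with its normal proxy port on 3128 and an intercept port on 3129, a state file under /var/run, and nc on the gateway for the probe; all of those are assumptions, not values from the thread. One point the thread does not spell out: Squid can only recover the original destination of an intercepted connection from the NAT table on its own host, so the gateway must policy-route (not DNAT) port-80 traffic to the Squid box, and the REDIRECT to the intercept port is done on the Squid box itself.

```shell
#!/bin/sh
# Added example, not from the thread or the Squid project. Assumed layout:
#   - LAN 192.168.1.0/24 behind a Linux gateway, LAN interface eth1
#   - separate CentOS Squid box at 192.168.1.10, proxy port 3128,
#     intercept port 3129
# The gateway policy-routes LAN port-80 traffic to the Squid box (no NAT),
# the Squid box REDIRECTs it to Squid's intercept port, and a cron job on the
# gateway removes the routing rule when Squid stops answering (fail open).

SQUID_IP="${SQUID_IP:-192.168.1.10}"          # assumed
SQUID_PROXY_PORT="${SQUID_PROXY_PORT:-3128}"  # assumed
SQUID_PORT="${SQUID_PORT:-3129}"              # assumed intercept port
LAN_NET="${LAN_NET:-192.168.1.0/24}"          # assumed
LAN_IF="${LAN_IF:-eth1}"                      # assumed gateway LAN interface
STATE_FILE="${STATE_FILE:-/var/run/squid-redirect.state}"  # assumed path
MARK=1
TABLE=100
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or only print it when DRY_RUN=1 so the rules can
# be reviewed before they touch a live gateway.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# squid.conf fragment for the Squid box. "intercept" tells Squid the
# connection was NAT-redirected, so it looks up the real destination in the
# kernel NAT table instead of expecting a proxy-style absolute URL. The plain
# port stays for clients that still carry an explicit proxy setting.
squid_intercept_conf() {
  cat <<EOF
http_port ${SQUID_PROXY_PORT}
http_port ${SQUID_PORT} intercept
acl localnet src ${LAN_NET}
http_access allow localnet
http_access deny all
EOF
}

# On the Squid box: redirect LAN port-80 traffic arriving on the box to the
# intercept port. Squid's own outbound fetches leave through OUTPUT, not
# PREROUTING, so this rule does not catch them.
squid_box_nat_rules() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A PREROUTING -s "$LAN_NET" -p tcp --dport 80 \
      -j REDIRECT --to-ports "$SQUID_PORT"
}

# On the gateway: mark LAN port-80 traffic, except what the Squid box itself
# sends (that would loop straight back to Squid), and policy-route the marked
# packets to the Squid box as next hop.
gateway_redirect_on() {
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" ! -s "$SQUID_IP" \
      -p tcp --dport 80 -j MARK --set-mark "$MARK"
  run ip rule add fwmark "$MARK" table "$TABLE"
  run ip route add default via "$SQUID_IP" table "$TABLE"
}

gateway_redirect_off() {
  run iptables -t mangle -D PREROUTING -i "$LAN_IF" ! -s "$SQUID_IP" \
      -p tcp --dport 80 -j MARK --set-mark "$MARK"
  run ip rule del fwmark "$MARK" table "$TABLE"
  run ip route del default via "$SQUID_IP" table "$TABLE"
}

# probe_squid: is Squid accepting connections? A TCP connect to the normal
# proxy port tells a dead box or daemon from a live one; replace it with a
# curl fetch through the proxy if you want an end-to-end check.
probe_squid() {
  nc -z -w 2 "$SQUID_IP" "$SQUID_PROXY_PORT" >/dev/null 2>&1
}

# health_check: run from cron on the gateway every minute. Keeps the redirect
# while Squid answers and removes it when Squid stops answering, so a dead
# proxy fails open (clients go straight out through the firewall) instead of
# black-holing every web request. Prints the action taken.
health_check() {
  current=off
  if [ -f "$STATE_FILE" ]; then current=$(cat "$STATE_FILE"); fi
  if probe_squid; then wanted=on; else wanted=off; fi
  if [ "$wanted" = "$current" ]; then
    echo unchanged
  elif [ "$wanted" = on ]; then
    gateway_redirect_on >/dev/null && echo on > "$STATE_FILE"
    echo enable
  else
    gateway_redirect_off >/dev/null && echo off > "$STATE_FILE"
    echo disable
  fi
}

case "${1:-}" in
  squid-conf)    squid_intercept_conf ;;   # print the squid.conf fragment
  squid-box)     squid_box_nat_rules ;;    # run on the Squid box
  gateway-check) health_check ;;           # run from cron on the gateway
esac
```

Run `DRY_RUN=1 sh squid-redirect.sh gateway-check` first to see the iptables and ip commands it would issue. The state file is what makes the check idempotent: the rules are only added or deleted on a change of Squid's reachability, so a cron job every minute does not pile up duplicate mangle rules. Note that this only intercepts port 80; HTTPS is not touched, and anything on a non-standard port goes straight out through the firewall, which is the gap it_consultant alludes to.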