10th May 2012, 02:27 PM #1
Transparent Proxy with LEA supplied squid server
I wish to add my own transparent proxy to remove the need to add proxy settings for any device that connects, specifically android devices with no proxy server options.
We have a squid proxy supplied by Birmingham LEA.
With squid being transparent aware, can I set up any old machine with another install of squid and let it do its thing?
Will HTTPS traffic just route to the squid (LEA) as it can't be cached, or will it fail?
10th May 2012, 02:39 PM #2
Also, will changing the default gateway to the transparent proxy give the desired effect or are there other ways of implementing?
10th May 2012, 03:06 PM #3
Quickest reply from the LEA ever! They gave a resounding yes to a transparent proxy and just said change the default gateway to the new proxy.
10th May 2012, 08:25 PM #4
You beat me to it, so to confirm.
Yes installing a new squid box (transparent) and pointing to your lea proxy upstream will work.
No, HTTPS just dies (man-in-the-middle attack, etc.).
Yeah, change your default gateway to your transparent gateway and you're good to go.
Works with all HTTP traffic on all devices, but be aware that stuff like the Android Market allows you to view apps but not download them. It uses non-standard ports to download. Hope it helps.
10th May 2012, 08:31 PM #5
I've asked this very question in the past and I was told 'no'. For the exact same reason(s) that schools are starting to use a range of Operating Systems and not just Windows.
It would be nice if a transparent proxy option was offered to schools, even for a small fee wink, wink
10th May 2012, 09:19 PM #6
Apparently link2ict are investigating it but have found a number of issues with their infrastructure mainly the Cisco switches not being able to handle a specific protocol (can't remember which one now)
A little naughty, but I just couldn't build my own squid box (more time and practice required), so I stuck Smoothwall Express on a VM to test it out, and it works like a charm. It's also put us on a path to get a proper Smoothie box and finally leave BGfL.
10th May 2012, 09:44 PM #7
I find that a little surprising. Cisco are one of the market leaders, so you'd expect them to handle most protocols out there (but I'll take your word for it).
Either way, the need for transparent proxies is becoming more of an issue and at the end of the day, 99.9% of teachers do not care what a proxy is and they just want things to work (quite rightly).
10th May 2012, 09:50 PM #8
Completely agree with you. They need to get it sorted and start offering a real transparent proxy solution instead of saying "do it yourself, it does work" and that's it. I'll dig out the document they sent me; I know it's round here somewhere...
10th May 2012, 09:55 PM #9
Found it but can't upload it from my phone so will in the morning. The protocol was WCCP on Cisco edge switches btw
10th May 2012, 09:59 PM #10
A quick google reveals it may be the WCCP protocol (Web Cache Communication Protocol)
Edit: Beat me to it reading up on it!
11th May 2012, 07:40 AM #11
If you place a firewall on the box, something like FireHOL, you can set it to forward the ports to either the internet squid or the county proxy, like for SSH. Proxies can change the packets when they come through, so it looks like they've been tampered with.
You can also put DansGuardian on as well, so the firewall passes the traffic to DansGuardian and then on to squid, so you can have a filtered transparent proxy.
The transparent proxy is a good idea from the point that you don't have to put settings into IE, but not for security. If someone gets onto the network they can have direct access to the internet. We are setting this up at the moment for hotspot VLANs on a box with two cards in it.
11th May 2012, 08:18 PM #12
I just did this a couple months ago for a segregated guess WiFi VLAN. I setup Squid 3.0 as a transparent proxy and iptables to pass the traffic between NICs. Port 80 gets forwarded to Squid, a couple ports go straight through, and the rest get blocked. Once through, Squid will then forward the traffic up to the ISD for content filtering. The whole thing runs in a VM and even has a captive portal splash page for users to accept our terms of service. It works nicely, but as already noted, HTTPS doesn't forward through Squid.
14th May 2012, 11:03 AM #13
(Replying to Duke5A)
How did you get the redirect to work on the first screen? We have tried to get this to work, but it will not.
14th May 2012, 04:04 PM #14
(Replying to ricki)
I used this guide to get iptables to route traffic between the NICs and forward port 80 to Squid.
Linux: Setup a transparent proxy with Squid in three easy steps
The only thing it doesn't cover is restoring the rules on reboot. IPtables will revert back to a stock configuration after every reboot unless you import the rules again. The answer to this is in post #13 of this thread.
[ubuntu] Ubuntu v8.10 Auto Start IPTables - Page 2 - Ubuntu Forums
I hope this helps...
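The set-up described in posts #4, #12 and #14 (port 80 from the LAN redirected into a local Squid, Squid chained to the LEA proxy upstream, a few ports passed straight through, everything else dropped, and the rules replayed after a reboot) as an added example that is not code from the thread or from the guides it links. The interface names (eth1 LAN-facing, eth0 WAN-facing), the Squid port 3128, the upstream proxy address 10.0.0.1:8080 and the pass-through port lists are assumptions to be changed to suit; the script prints an iptables-restore file and the matching squid.conf lines rather than applying anything until asked to.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the iptables-restore rule set and
# the squid.conf lines for a two-NIC transparent proxy box that chains to an
# upstream (LEA) proxy.
# Assumed values (hypothetical, override via environment):
LAN_IF="${LAN_IF:-eth1}"            # NIC facing the clients
WAN_IF="${WAN_IF:-eth0}"            # NIC facing the LEA network / internet
SQUID_PORT="${SQUID_PORT:-3128}"    # local Squid listening port
UPSTREAM_HOST="${UPSTREAM_HOST:-10.0.0.1}"   # LEA proxy (assumed address)
UPSTREAM_PORT="${UPSTREAM_PORT:-8080}"       # LEA proxy port (assumed)
# Ports allowed straight through without Squid. Plain Squid cannot intercept
# HTTPS (post #4: "HTTPS just dies"), so 443 goes direct; DNS and NTP as well.
PASS_TCP="${PASS_TCP:-443 53}"
PASS_UDP="${PASS_UDP:-53 123}"

# Emit the rules in iptables-restore format so they can be saved to a file and
# replayed at boot; iptables itself forgets everything at reboot (post #14).
gen_rules() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Port 80 arriving from the LAN is silently redirected into Squid on this box.
    printf '%s\n' "-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
    # Forwarded traffic leaves with this box's WAN address.
    printf '%s\n' "-A POSTROUTING -o $WAN_IF -j MASQUERADE"
    printf '%s\n' 'COMMIT'
    # FORWARD defaults to DROP: only the listed ports cross between the NICs.
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Replies to connections the LAN already opened are always allowed back.
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for p in $PASS_TCP; do
        printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport $p -j ACCEPT"
    done
    for p in $PASS_UDP; do
        printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -p udp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Squid side: accept intercepted connections and send every request to the LEA
# proxy instead of fetching directly. "transparent" is the Squid 3.0 keyword
# used in post #12; Squid 3.1 and later spell the same option "intercept".
gen_squid_conf() {
    printf '%s\n' "http_port $SQUID_PORT transparent"
    printf '%s\n' "cache_peer $UPSTREAM_HOST parent $UPSTREAM_PORT 0 no-query default"
    printf '%s\n' 'never_direct allow all'
}

# How many rules jump to a given target; a quick sanity check before applying.
count_target() {
    gen_rules | grep -c -- "-j $1"
}

case "${1:-}" in
    rules) gen_rules ;;
    squid) gen_squid_conf ;;
    apply)
        # Forwarding between the NICs must be on, then load the rules as root.
        sysctl -w net.ipv4.ip_forward=1
        gen_rules | iptables-restore && echo "rules applied"
        ;;
esac
```

Save the output of `sh proxy.sh rules` to a file such as /etc/iptables.rules and load it from a `pre-up iptables-restore < /etc/iptables.rules` line on the LAN interface in /etc/network/interfaces (the approach the linked Ubuntu Forums thread describes), so the box comes back with the same rules after a reboot. Note that anything not in the pass-through lists is dropped, which is why the Android Market downloads mentioned in post #4 fail unless their ports are added.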
14th May 2012, 06:54 PM #15
(Replying to ricki)
I've heard this argument before, but it's not a good argument in my opinion. To access the LAN itself you'll need to break into the building, or if you can access and break the WLAN, you probably have a poor wireless configuration/security setup.
Modern wireless encryption such as WPA2-PSK AES is pretty much unbreakable. There's always at least one wireless network which is wide open or poorly secured with WEP and these are the kind of networks (if I were that way inclined) I would target.
If you wanted to go further, you could easily switch on/off wireless access points or configure Mac address filtering. There's so much you can do these days and manually entering a proxy is considered tedious by many, especially teachers who have to enable it at school and disable it at home.