Squid: Transparent Proxying Mode

Status
Not open for further replies.

StarTAC

ISP
Jun 23, 2000
424
GH
hi.. am running squid on one of my servers, and i want to have all the p'ple connecting thru my satellite link to have access to the cache server.. however, i don't wanna go around configuring each other browsers.. how do i setup squid to run in transparent mode..?..

u might also wanna know that each of my users has their own public ip address... which is on the same subnet as the squid server....

thanks.. AKNIT
 
Couple of options -- first if all of your people go through a firewall to get to the outside world, you can set up the firewall to redirect all port 80 traffic to the squid server.
Second option, install a switch between your users and the outside world that is capable of transparent redirection. Foundry Networks has the ServerIron and Alteon (now Nortel) has a switch that can do this. Just drop the Squid Server off this switch and redirect all port 80 traffic seen by the switch to the Squid Server.

Take a look at Squid's FAQs, there is a section there talking about this.

Hope this helps,
Paul
 
The 2.2 and 2.4 kernels can do advanced routing and transparent proxying - the idea is to use ipmasqadm and ipchains to set up a transparent forwarding of all port accesses through your web proxy. Linux Routers by Tony Mancill has a good chapter on this and the man pages and routing howto should be of help.

Good Luck.
 
thanks for the info... however, my clients have direct access to the net.. not thru a proxy.. i have a cisco switch, and was hoping the squid server would pick up on the HTTP requests from there.. u think that's possible, coz the Alteon Web Switching solution is a bit pricy.. though better...

AKNIT
 
The only way you are going to be able to do it without an Alteon or Foundry switch is by placing your Squid box in-line with your users. A Cisco switch is simply a layer 2 switch - the others are Layer 2 and 4, so they can switch on content also.

You could simply put a Linux box between the users and the internet and as marsd said use ipchains/ipmasqadm -- or better yet, use iptables with the 2.4 kernel, it can do it all. Adding one additional hop should not affect your users' connection speeds -- plus with the cache in-line, your users will more than likely see a speed improvement on their surfing.

Hope this helps,
Paul
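
The in-line iptables approach suggested above, as an added example that is not part of the thread or any poster's own configuration: it prints (and optionally applies) the redirect rule plus a rule that keeps the proxy port closed on the router side. The interface names `eth0`/`eth1` and Squid port `3128` are assumptions.

```shell
#!/bin/sh
# Added example: rules for an in-line Linux box (2.4+ kernel, iptables) that
# diverts users' port-80 traffic to a local Squid. Assumed values, not from
# the thread: eth0 = user side, eth1 = router side, Squid on port 3128.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
SQUID_PORT="${SQUID_PORT:-3128}"

# Accept only plain interface names so nothing else can reach the rule text.
valid_if() {
    case "$1" in ''|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# Accept only a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] 2>/dev/null && [ "$1" -le 65535 ] 2>/dev/null
}

# Print the commands for review: intercept_rules LAN_IF SQUID_PORT WAN_IF
intercept_rules() {
    valid_if "$1" && valid_if "$3" || { echo "bad interface name" >&2; return 1; }
    valid_port "$2" || { echo "bad port: $2" >&2; return 1; }
    # Route packets between the two network cards.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Only TCP/80 arriving from the user side is handed to Squid; all other
    # traffic (HTTPS on 443 included) is forwarded to the router untouched.
    echo "iptables -t nat -A PREROUTING -i $1 -p tcp --dport 80 -j REDIRECT --to-ports $2"
    # Keep the proxy port unreachable from the router side, so the cache
    # cannot be used as an open proxy from outside.
    echo "iptables -A INPUT -i $3 -p tcp --dport $2 -j DROP"
}

# Dry run by default; run with APPLY=1 as root to execute the commands.
rules="$(intercept_rules "$LAN_IF" "$SQUID_PORT" "$WAN_IF")" || exit 1
if [ "${APPLY:-0}" = 1 ]; then
    printf '%s\n' "$rules" | sh -e
else
    printf '%s\n' "$rules"
fi
```

Squid itself must also be configured to accept intercepted requests; the transparent-proxy section of the Squid FAQ mentioned earlier in the thread covers that side.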
 
hey guys..thanks for all the info..in case i did go with the solution for having the cache server in-line... directly between the users and the internet, would it be possible to setup the network cards so that one can receive the user's packet on the public ip network, and then use another network card in the cache server to transit that packet over to the router..?.. this way, the second card would act as a bridge.. a very transparent bridge between the user, and the router, but without having to change anyone's ip addresses... upon reception of a packet, the squid server will analyse the header to see whether it's HTTP or HTTPS, and then look up its database for a matching HIT.. or object, if available, it will serve the page from cache, if not, it should then be able to send the packet on its way to the router, unaltered..... this is the scenario i am looking at.....

please advise how this would be possible... i currently have this configuration for my bandwidth manager... bridging both networks... but it runs FreeBSD...

i appreciate all feedback....

AKNIT
 