> So the plan is to run a Squid server (service?) on every
> computer that is going to access the internet?
That's the idea we're throwing around, yes.
> While that should certainly work, I wouldn't want to be
> the one responsible for the maintenance thereof.
> Every computer's squid.conf is going to need to be hand
> edited to supply different credentials,
Why do they have to supply different credentials? That's what disc
images are for. :-)
> and somehow locked down so those credentials can't
> be changed.
That's what root is for. :-)
> Every computer is going to need to perform interception
> of its own traffic.
So what's the problem there?
> Additionally, you have all the caveats of interception proxies.
Yup.
> Perhaps if we knew more about the setup and requirements,
> alternative solutions could be proffered.
My company is a third-party provider of services to automotive
dealerships. All of our order management systems are web based so
that we can access them from any dealership (or any computer) in the
world. We provide computers (Apple G4s to be specific) so that there
is no cost to the dealership to be on our program.
The problem comes in at dealerships that are coporately-owned that
will not allow our computer to access their network. And yes, I've
tried repeatedly to use their network, but no dice. So we must
provide our own internet connection in these dealers. The problem we
have is that some of our staff are spending more time surfing
myspace.com (or much, *much* shadier sites) than they are selling
product.
To resolve this problem, we setup a Squid server with an ACL of
whitelsited domains. Then the problem we had is that first thing in
the morning when Firefox asks for a user/pass for the proxy (since
their last auth expired), the user, who is dumb, attempts to enter
some other u/p to login, for example email u/p, system u/p or
something else that they pull out of the air, which obviously makes
them get denied access to the cache. Then they call us complaining
that the computer "broke."
So we started kicking around ideas and thinking about some way to meet
the following criteria:
+ Centralized domain whitelist that can be easily managed by our IT staff
+ Forcing all user traffic through said proxy w/out prompting the user for a u/p
+ Doing all this w/out creating an open proxy.
Obviously this would be much easier if all of these machines were on a
LAN, but they aren't.
Received on Tue Feb 21 2006 - 16:20:04 MST
This archive was generated by hypermail pre-2.1.9 : Wed Mar 01 2006 - 12:00:03 MST