This is a bit of a odd duck, but.... The university I work for has a bunch of library pages that can only be accessed from on campus as they are hosted off site and authenticated by IP address. However, they want currently enrolled students to be able to use those pages from off campus as about 30% of our students live off campus these days.
I said Bah this is easy, squid to the rescue! And rescue it did (by the way thanks so much for it!). But a new problem has surfaced. The users don't ever turn their proxy settings off. Some are uninformed, some think the Internet will break without this on, and some think it is faster to proxy to us. They are all wrong of course, but alas... So my squid box is at times eating up most of our bandwidth from people who are not using it at all the way it should be used. I said "Screw it" and boosted the cache size. Performance improved dramatically. Now a new beast has come out and dragged the last one with it. We have some students studying in Spain who want to use the pages. I gave them the standard "Configure it for the proxy" email, but they are using access at the local Internet cafe which will not (for good reason) give them the rights on the local system to reconfigure the proxy settings. Then my bosses boss says "Hey U of I has their library pages setup with a transparent proxy some how. Can we do it like that?" I have yet to see proof that this works as advertised... Basically what they want from me is when people click the link to access the resource in question it will flip the system into a transparent proxy mode for IP address not in range A, prompt for a username/password and sit man in the middle. For systems in range A they want it to do what it does now - nothing. U of I has said they are using EasyProxy to do this. It seems silly to me to pay for a baby proxy system when I could use Squid. So, to the question at hand: Are there some docs some where I could read to figure out how to man in the middle some traffic, but not others. And make the traffic I pick on login? My ideas thus far involve basically, use iptables PREROUTING to push traffic at "IP not A" through squid, but this doesn't make me authoritative for their DNS and these people are off site so I can't exactly make myself their default gateway. Even if I could (some how?), it would require transparent proxy auth which is impossible if my understating of how stuff works is valid (which it might not be). My understanding of the problem makes it impossible to perform, but you are greater proxy experts than I... Wow, you got all the way down here... dang.... I will accept vaguely half formed, partially coherent theories just to keep my own mental gears turning. Anything at all you could contribute would be tremendously helpful (this includes, the proposed task is impossible proofs as well, but sadly I would need a strong argument to hand up the chain as they look at me funny when I say this doesn't sound possible). Pat
