CarZin patent pending 10527 Posts
I'm not in the loop for server software... What's the best proxy server (preferably open source, but commercial is also fine) that can display an 'Acceptable Use Agreement' page for the initial use (per session) before web traffic can be proxied?
What I'd like to do, for a VLAN segment, is to set the gateway address for DHCP assignments as the proxy server, so when people browse, all their packets get passively sent to the proxy (since it is the gateway), and for those users to be notified of this, and have to agree to terms and conditions before continuing. I figure someone out there has some system experience at this end.
[Edited on August 18, 2008 at 1:29 PM. Reason : .] 8/18/2008 1:26:41 PM
mellocj All American 1872 Posts
Squid is the most popular open source proxy server, if you're familiar with Linux.
You can set the gateway to be a Linux box and use iptables to do the blind proxying, or you can use a Cisco router or layer 3 switch that supports WCCP to redirect the user's web traffic to the proxy server.
If you want something more turn-key, MikroTik RouterOS (modified Linux) can be put on a low-end PC and has a 'captive portal' feature that will force users to click agree on a webpage before they can surf. 8/18/2008 2:08:09 PM
CarZin patent pending 10527 Posts
Perfect. That's what I needed. I figured I could do it with Squid, but Squid gets a little deep for me at times. I'll check out the other one. 8/18/2008 2:10:55 PM
evan All American 27701 Posts
yeah put something like pfSense on a box and set up a captive portal + squid. if you use the wizards + the doc, it's hard to mess up 8/18/2008 2:23:15 PM
CarZin patent pending 10527 Posts
Well, if I don't plan on doing any NATing, with pfSense, can't I just run that on its own and leave Squid out of it? (I really hate Squid.) I only mentioned the proxy server before, because I felt that was the way to tackle it. But if the captive portal will do it, then I'm happy. 8/18/2008 4:20:31 PM
smoothcrim Universal Magnetic! 18966 Posts
you can just use pfSense for that and host the default homepage on there. you can also do 802.1X with it like Bluesocket 8/18/2008 7:20:52 PM
evan All American 27701 Posts
yup
do you want web traffic proxied? or do you just want to display an AUP? 8/18/2008 10:16:18 PM
CarZin patent pending 10527 Posts
The web traffic does not need to be 'proxied' per se. The device can simply act as a gateway/firewall. I want it to intercept the first web packet it sees from a flow, throw up an AUP notice, then continue forwarding traffic. Ideally I'd like it to pass more than just web, but that's icing on the cake during the initial run. 8/19/2008 10:07:12 AM
evan All American 27701 Posts
yeah just set up a pfSense box with two NICs, one on your network (we'll call this if0), the other on a different subnet (if1)
configure pf's default gateway to be your existing gateway on if0
set up captive portal on if1
it will catch DNS queries and redirect them to your captive portal page until your page clears their auth
only catch is that it won't catch traffic that doesn't do DNS lookups first (fortunately almost all apps use DNS however)
since they're on different subnets the only way traffic can get out to the web is through your pfSense box, and these nodes can't access resources on your local network (if0). 8/19/2008 11:05:25 AM
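Added example, not part of the thread and not pfSense's own code: a Python model of the per-session AUP gate asked for above (redirect the first web request from an unaccepted client, then forward everything once the terms are accepted). The portal URL, the guest subnet, the idle timeout and the choice to let DNS through before acceptance are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass, field

PORTAL_URL = "http://192.0.2.1:8000/aup"          # constructed portal address (assumption)
GUEST_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed guest-side subnet (assumption)
IDLE_TIMEOUT = 1800  # seconds of inactivity before the AUP is shown again (assumption)

@dataclass
class AupGate:
    accepted: dict = field(default_factory=dict)  # client IP -> time last seen

    def accept(self, src_ip, now):
        """Record that a guest-segment client clicked 'agree' on the AUP page."""
        if ipaddress.ip_address(src_ip) not in GUEST_NET:
            raise ValueError("only guest-segment clients go through the portal")
        self.accepted[src_ip] = now

    def decide(self, src_ip, proto, dst_port, now):
        """Return the gateway's action for one new flow from the guest segment."""
        last = self.accepted.get(src_ip)
        if last is not None and now - last <= IDLE_TIMEOUT:
            self.accepted[src_ip] = now       # activity keeps the session alive
            return "FORWARD"
        self.accepted.pop(src_ip, None)       # expired or never accepted
        if proto == "udp" and dst_port == 53:
            return "FORWARD"                  # assumption: names resolve before acceptance
        if proto == "tcp" and dst_port == 80:
            return "REDIRECT " + PORTAL_URL   # answered with an HTTP 302 to the AUP page
        return "DROP"                         # all other traffic waits for acceptance

if __name__ == "__main__":
    gate = AupGate()
    client = "192.0.2.50"                     # constructed client address
    print(gate.decide(client, "tcp", 80, now=0))    # redirected to the AUP page
    gate.accept(client, now=5)
    print(gate.decide(client, "tcp", 22, now=10))   # non-web traffic passes after acceptance
```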
CarZin patent pending 10527 Posts
Thank you very much for sending me to pfSense. I was able to get this installed on a server and completely functioning as desired in under 2 hours. This is some pretty cool stuff and extremely polished for open source. I might end up using more functionality built in. 8/19/2008 5:27:04 PM