Squid Proxy + Content filtering + Gateway

gateway, proxy, squid

I've been trying to understand the requirements for a proxy server with content filtering software in a given network. My main confusion is whether or not this sort of server needs to be a gateway having dual NICs for WAN and LAN. In other words, can I have a server on the same network as my clients and configure Squid with DansGuardian using one network card? If the answer is that it does not need to be a gateway, would there be a way to filter and block HTTPS traffic as well? Most of the how-tos found online use pfSense (obviously as a gateway) and install proxy and content filtering packages on top.

Best Answer

You don't need to run an HTTP proxy+cache+filter on the border device, but it makes the setup a bit simpler.

If you aren't running it on the border device then you have to do work to get your clients to send their requests to the proxy. This could be done through WPAD, group policies on a Windows network, or some kind of configuration management system.

If you intend on filtering HTTPS, then you are going to be required to configure clients, since you must push a CA certificate into the local certificate stores so that your filter can MITM the HTTPS traffic and do any content filtering. So configuring the clients to use the proxy might not be too bad.

As for the setup, on a non-gateway device, it is pretty straightforward. Just install the required software on the proxy server. On your firewall, block all output HTTP/HTTPS traffic except for traffic that comes from the proxy server. Then configure your clients to use the proxy server.
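
A proxy auto-config (PAC) file of the kind WPAD hands to clients, added here as an example and not part of the original answer. The proxy address 192.168.1.10:3128, the 192.168.1.0/24 LAN and the helper names `parseIPv4` and `isLocalLiteral` are assumptions.

```javascript
// proxy.pac / wpad.dat (added example; addresses below are assumptions).
var PROXY = "PROXY 192.168.1.10:3128";   // assumed Squid host:port
var LAN_PREFIX = [192, 168, 1];          // assumed LAN 192.168.1.0/24

// Parse a dotted-quad literal; returns null for names or malformed input.
function parseIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var o = [+m[1], +m[2], +m[3], +m[4]];
  for (var i = 0; i < 4; i++) if (o[i] > 255) return null;
  return o;
}

// True only for literal addresses on loopback or inside the assumed LAN.
function isLocalLiteral(host) {
  var o = parseIPv4(host);
  if (!o) return false;
  if (o[0] === 127) return true;
  return o[0] === LAN_PREFIX[0] && o[1] === LAN_PREFIX[1] &&
         o[2] === LAN_PREFIX[2];
}

// Entry point the browser calls for every request (HTTP and HTTPS).
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Single-label intranet names: no dot, and no colon (so IPv6 literals
  // are not mistaken for plain names and sent around the filter).
  var plainName = host.indexOf(".") === -1 && host.indexOf(":") === -1;
  if (plainName || isLocalLiteral(host)) {
    return "DIRECT";
  }
  // Everything else goes to the proxy. There is deliberately no
  // "; DIRECT" fallback: the firewall only lets the proxy out, so the
  // client should fail closed instead of retrying around the filter.
  return PROXY;
}
```

The decision uses only the `host` argument, so it behaves the same for HTTPS requests, where browsers may strip the path from `url` before calling the function.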
