[KLUG Members] Enhancement to Transparent proxy Squid

Adam Tauno Williams awilliam at whitemice.org
Mon Jan 9 06:34:42 EST 2006


> Linux is running on a server between a Cisco Firewall and a cluster of MS
> virtual name servers and other functions. I have configured "Transparent proxy
> with Squid" which addresses our configuration with one exception. An elegant
> solution in my application would be for Squid to receive all external requests
> from the Internet on one IP network adapter (IP address 1), and forward them on
> the second (IP address 2). 

Unless I'm missing something wouldn't this just be a routing issue?

Isn't this what Squid does when in accelerator mode?

> Internal requests to the Internet would initiate on
> the second and forward out on the first. This configuration would require all
> external traffic to go through the proxy. I have several ranges of ports that I
> wish to pass on a one-for-one basis. There are also a number of traffic types
> (FTP, HTTPS, SNTP, SMTP, Digest mode authentications, etc.). We could declare
> "acl Safe_ports" but those are well handled by the Cisco firewall. Can you
> provide additional configuration suggestions to implement this configuration? 

I don't see what SNTP or SMTP has to do with Squid?

> I realize that this is not the most secure implementation of Linux, 

? 

> but in my
> case, all of the protected data resides on secure MS servers. I am 
> implementing in this manner to prevent successive hacks through a series of MS
> machines. Going through a buffered proxy in Linux should make it significantly
> more difficult to exploit a MS security hole. 

I don't see why, especially if the requests are encrypted, in which case
they pass through as DIRECT.  I think to gain any real security you'd
have to do something like run the requests through Apache and use
mod_proxy to have Apache front-end the requests;  that I think would be
a more substantive 'rind' to place around your IIS servers than squid
would be - squid is really a performance, and possibly auditing, tool,
not a security tool.   You could also then offload all the SSL
encrypt/decrypt work from your IIS servers which are really lumberingly
slow anyway.
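An added example of the Apache mod_proxy front-end suggested in the reply above (not configuration from the original thread): httpd listens on the external adapter, terminates TLS there, and relays plain HTTP to the IIS server on the internal side. The module paths, the 203.0.113.10 / 192.168.1.20 addresses, the hostname and the certificate paths are assumptions and must be replaced with the real values for the site.

```apache
# Added example, not from the original post. Addresses, hostname and
# file paths are placeholders for the two-adapter layout described above.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule headers_module modules/mod_headers.so

# ProxyRequests Off is the important safety setting: it keeps httpd from
# acting as an open forward proxy, so the box only relays to the backends
# named in ProxyPass below.
ProxyRequests Off
ProxyPreserveHost On

# External adapter (the thread's "IP address 1"), assumed 203.0.113.10.
<VirtualHost 203.0.113.10:443>
    ServerName www.example.com

    # TLS is terminated here, so the IIS box never does the crypto work.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Relay only to the internal IIS server (the thread's "IP address 2"
    # side), assumed 192.168.1.20; rewrite redirects it sends back.
    ProxyPass        / http://192.168.1.20/
    ProxyPassReverse / http://192.168.1.20/
    ProxyTimeout 30

    # Tell the backend the original request arrived over HTTPS.
    RequestHeader set X-Forwarded-Proto "https"

    # Log the proxied requests separately for the auditing use mentioned above.
    CustomLog /var/log/httpd/iis-proxy_access.log combined
</VirtualHost>
```

Because only the `/` prefix is mapped to one backend, anything the IIS server exposes is still reachable through httpd; narrowing the `ProxyPass` paths to the applications that actually need to be public is the first thing to tune once this is in place.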


