<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Trebuchet MS";
panose-1:2 11 6 3 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">And if your ICAP server allows it run it on the same host as Squid to minimize connection delays from squid <-> icap. E.g. ours (qlproxy) by default is run on
127.0.0.1.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Best regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Rafael<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> squid-users [mailto:squid-users-bounces@lists.squid-cache.org]
<b>On Behalf Of </b>Evan Blackstone<br>
<b>Sent:</b> Wednesday, December 31, 2014 7:00 AM<br>
<b>To:</b> squid-users@lists.squid-cache.org<br>
<b>Subject:</b> [squid-users] Squid Deployment Questions<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#333333;background:#E1EBF2">Hey all,</span><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#333333"><br>
<span style="background:#E1EBF2">Wondering if I could get some advice on potentially setting up a Squid forward proxy on my network. I'm not a Linux novice by any means, but I'm not experienced in server administration, log review, etc.</span><br>
<br>
<span style="background:#E1EBF2">We're needing to deploy a simple non-caching, non-peering forward proxy to integrate with an ICAP server for web filtering. My plan is pretty basic...here's my network config:</span><br>
<br>
<span style="background:#E1EBF2">Internet --> Cisco ASA --> DMZ --> Internal LAN</span><br>
<br>
<span style="background:#E1EBF2">I've received conflicting advice on whether or not there's any advantage to putting a forward proxy on the DMZ vs. internal LAN. In any case, 'm wanting to deploy an explicit proxy with a single NIC. Workstations will use a
PAC file, etc. to point to the proxy.</span><br>
<br>
<span style="background:#E1EBF2">If the server is on the DMZ, I'd allow 80/443 from the internal LAN to the DMZ, then allow 80/443 from the proxy to outside. I'd also be allowing the proxy to internal LAN for ICAP, syslog, and possibly NTP. The proxy would
have a single interface...although it would NAT to outside for internet access, there would be no ports open on the outside interface. </span><br>
<br>
<span style="background:#E1EBF2">Based on some testing I've done, my squid.conf would be pretty basic...</span><br>
<br>
<span style="background:#E1EBF2">http_access allow internalnetwork </span><br>
<span style="background:#E1EBF2">cache deny internalnetwork</span><br>
<span style="background:#E1EBF2">always_direct allow internalnetwork</span><br>
<span style="background:#E1EBF2">http_access deny all</span><br>
<span style="background:#E1EBF2">etc.</span><br>
<br>
<span style="background:#E1EBF2">My questions are:</span><br>
<br>
<span style="background:#E1EBF2">Does it sound like I'm on the right track here? Would the above described configuration be safe? I've read that Squid should listen only on an internal interface? What about when the server only has one? </span></span><o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#333333;background:#E1EBF2">What level of risk would I be assuming (regular patching included)? Given that I'm relatively new to monitoring Linux servers for security,
etc., is this a bad idea? I'm not really sure what to be looking for log-wise in terms of compromise. I have edge devices and monitoring on the perimeter, but I don't really know what to look for on the server itself...</span><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#333333"><br>
<br>
<span style="background:#E1EBF2">Am I approaching this the wrong way? Should I be looking at putting it on the inside LAN? Would such an approach leave my network vulnerable should the Squid box get owned?</span></span><o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>