[squid-users] Squid Deployment Questions
Evan Blackstone
smashingzero33 at gmail.com
Wed Dec 31 05:59:57 UTC 2014
Hey all,
Wondering if I could get some advice on potentially setting up a Squid
forward proxy on my network. I'm not a Linux novice by any means, but I'm
not experienced in server administration, log review, etc.
We're needing to deploy a simple non-caching, non-peering forward proxy to
integrate with an ICAP server for web filtering. My plan is pretty
basic...here's my network config:
Internet --> Cisco ASA --> DMZ --> Internal LAN
I've received conflicting advice on whether or not there's any advantage to
putting a forward proxy on the DMZ vs. internal LAN. In any case, 'm
wanting to deploy an explicit proxy with a single NIC. Workstations will
use a PAC file, etc. to point to the proxy.
If the server is on the DMZ, I'd allow 80/443 from the internal LAN to the
DMZ, then allow 80/443 from the proxy to outside. I'd also be allowing the
proxy to internal LAN for ICAP, syslog, and possibly NTP. The proxy would
have a single interface...although it would NAT to outside for internet
access, there would be no ports open on the outside interface.
Based on some testing I've done, my squid.conf would be pretty basic...
http_access allow internalnetwork
cache deny internalnetwork
always_direct allow internalnetwork
http_access deny all
etc.
My questions are:
Does it sound like I'm on the right track here? Would the above described
configuration be safe? I've read that Squid should listen only on an
internal interface? What about when the server only has one?
What level of risk would I be assuming (regular patching included)? Given
that I'm relatively new to monitoring Linux servers for security, etc., is
this a bad idea? I'm not really sure what to be looking for log-wise in
terms of compromise. I have edge devices and monitoring on the perimeter,
but I don't really know what to look for on the server itself...
Am I approaching this the wrong way? Should I be looking at putting it on
the inside LAN? Would such an approach leave my network vulnerable should
the Squid box get owned?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20141230/677e42e0/attachment.html>
More information about the squid-users
mailing list