F. wrote:
Hello,
I am thinking about making a [transparent proxy + http accelerator +
server] on the same machine.
But I do not know if this configuration is secure.
->Lan to Internet: Transparent proxy using acl LAN, redirected port 80
to squid port in firewall. Destination all.
->Internet to Server. http accelerator. 80 to 3128 redirected on
firewall. Destination only server domain names.
Is it secure?
Could an http accelerator and a transparent proxy work fine on the same
machine with the same squid server?
Using 2.6+ or 3.0+ yes it should work fine.
2.5 and earlier had configuration problems.
Security level is all how you set your ACL and access lines in Squid.
The Server needs to run on a non-80 port or different IP address on the
same box (ie 127.0.0.1)
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl Safe_ports port 80 # http
acl Safe_ports port 1025-65535 # unregistered ports
acl CONNECT method CONNECT
acl SSL_ports port 443
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
I'd advise sticking 443 back in the Safe_ports.
The line above will drop all CONNECT requests before they get to be
allowed, just because the port is !Safe_ports.
http_access deny CONNECT !SSL_ports
acl LAN src 192.168.1.0/24
http_access allow LAN
acl XENO dstdomain .my.server.com # Destination server from URL
http_access allow XENO
# Really I do not understand well how to make the union of two prerequisites, that should be:
# (source all acl && dstdomain .my.server.com) to allow access from Internet to server.
'all' has no effect when joined unless you want !all. It's always implied.
http_access allow localhost
http_access deny all
Looks like a good setup there for the Access Controls.
Just add the 'transparent' and 'accel vhost defaultsite=my.server.com'
options to the matching http_port lines.
And some cache_peer to handle the accelerator back-end would be very useful.
Amos
--
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
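As an added example (not part of the thread), here is a small Python model of Squid's first-match http_access evaluation run over the ACLs posted above, with Amos's suggestion applied (443 listed in Safe_ports) and, for comparison, the config as posted. The client addresses, destination hosts and the helper names are assumptions; it shows why a CONNECT to port 443 is dropped at `deny !Safe_ports` before the CONNECT line is ever reached when 443 is missing from Safe_ports.

```python
import ipaddress
# Constructed squid.conf excerpt (not the list's own text): the poster's ACLs with
# Amos's fix applied (443 listed in Safe_ports). AS_POSTED removes that line again.
CONF = """acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
acl SSL_ports port 443
acl LAN src 192.168.1.0/24
acl XENO dstdomain .my.server.com
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow LAN
http_access allow XENO
http_access allow localhost
http_access deny all"""
AS_POSTED = CONF.replace("acl Safe_ports port 443\n", "")

def parse(conf):
    """Collect acl definitions by name and http_access rules in file order."""
    acls, rules = {}, []
    for parts in (line.split("#")[0].split() for line in conf.splitlines()):
        if parts and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_matches(acls, name, req):
    kind, values = acls[name]
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":  # a single port or a low-high range
        return any(int(v.partition("-")[0]) <= req["port"] <= int(v.partition("-")[2] or v) for v in values)
    if kind == "method":
        return req["method"] in values
    if kind == "dstdomain":  # a leading dot matches the domain and every subdomain
        return any(req["host"] == v.lstrip(".") or (v[0] == "." and req["host"].endswith(v)) for v in values)
    raise ValueError(f"acl type {kind} not modelled")

def decide(conf, req):
    """First-match http_access evaluation: every term on a line must match ('!' negates)."""
    acls, rules = parse(conf)
    for action, terms in rules:
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action, f"http_access {action} {' '.join(terms)}"
    # nothing matched: Squid applies the opposite of the last http_access line
    return ("allow" if rules[-1][0] == "deny" else "deny"), "default"
```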