
Re: Connecting two networks via Squid

Thanks very much for your reply Chris! 

First off, I'm stuck using 2.5. It was a lot of work getting squid installed in the first place since the linux machine is located in another country and the administrator there is really unhelpful... 

>> The HTTP part looks fine, but you won't be able to make a secure connection on port 443.  It's set up as a http_port, not a https_port, for start.  You can proxy secure connections over a http_port (it uses a tunneling method called "CONNECT").

Do you mean that I should remove the line -

http_port 10.20.1.1:443

and have my clients connect to 10.20.1.1:80 for both http and https? If not, what should I be doing for https?

>> Set it up as a reverse proxy 

Should this work for both http and https? -

httpd_accel_host 10.251.60.180
httpd_accel_port 80
httpd_accel_single_host on
httpd_accel_with_proxy on

where 10.251.60.180 is the "network b" server I wish the machines in "network a" to connect to?

Thanks again, I really appreciate your help,

Barry.

--- On Thu, 5/21/09, Chris Robertson <crobertson@xxxxxxx> wrote:

> From: Chris Robertson <crobertson@xxxxxxx>
> Subject: Re:  Connecting two networks via Squid
> To: squid-users@xxxxxxxxxxxxxxx
> Date: Thursday, May 21, 2009, 11:37 PM
> Harry Griff wrote:
> > Hello all,
> >
> > I'm about to configure my squid server and was hoping that you could confirm for me that I've got the right idea.
> >
> > My situation is that I installed Squid 2.5.STABLE
> 
> Since you are just starting, get a recent Squid version.  2.5 has been out of support for quite a while.
> 
> >  on a suse machine which is routed via eth0 to "network A" and via eth1 to "network B". I wish for clients in "network A" to access content on a server located in "network B".
> >
> > The protocols I wish to support are HTTP (80) and HTTPS (443).
> >
> > Firewalls exist between my linux machine and network A, and between my linux machine and network B. The firewalls are configured to only accept traffic via port 80 and 443.
> >
> > I have added networks A and B to my linux machine's routing table and I can now ping from a machine in network A to the linux machine, and from the linux machine to the web server on network B.
> >
> > So here's my current configuration which I hope to test tomorrow -
> >
> > http_port 10.20.1.1:80
> > http_port 10.20.1.1:443
> >
> > acl All src 0/0
> > acl Manager proto cache_object
> > acl Localhost src 127.0.0.1/32
> > acl Safe_ports port 80 443
> > acl SSL_ports port 443
> > acl CONNECT method CONNECT
> > acl MyNetwork src 200.168.0.0/16
> >
> > http_access allow Manager Localhost
> > http_access deny Manager
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow MyNetwork
> > http_access deny All
> >
> > To test this, I will attempt to access the "Network B" server from a machine on "Network A". In doing this, I will configure the browser proxy settings on the "Network A" machine as follows -
> >
> > HTTP Proxy: 10.20.1.1:80
> > SSL Proxy:  10.20.1.1:443
> >
> > And then attempt to access content from Network B. Does this sound correct?
> >   
> 
> The HTTP part looks fine, but you won't be able to make a secure connection on port 443.  It's set up as a http_port, not a https_port, for start.  You can proxy secure connections over a http_port (it uses a tunneling method called "CONNECT").
> 
> > Secondly, is it possible to do the above using a transparent proxy instead?
> 
> Transparent to your clients, yes.  Set it up as a reverse proxy (accelerator) and have your clients on "Network A" connect to the proxy (via DNS or IP) instead of the server on "Network B".
> 
> >  I'm a little bit confused about SSL and man in the middle attacks. If I don't wish to configure the proxy settings on all machines in network A, should I be looking at configuring the iptables on the linux machine so that they forward the SSL packets? I'm still a little unsure when it comes to configuring iptables...
> >
> > Thanks for your help,
> >
> > Barry.
> 
> Chris
> 
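
How the http_access list quoted above treats a plain proxy request compared with a CONNECT tunnel arriving on a http_port, as an added Python model (not Squid code and not part of the original mails). It assumes SSL_ports is a `port` ACL; the client addresses used with it are constructed, and `parse_request`, `acl_matches`, `http_access` and `decide` are hypothetical helper names.

```python
import ipaddress

# ACLs from the quoted squid.conf. SSL_ports is modelled as a "port" ACL (assumption).
ACLS = {
    "All": ("src", ["0.0.0.0/0"]),
    "Manager": ("proto", ["cache_object"]),
    "Localhost": ("src", ["127.0.0.1/32"]),
    "Safe_ports": ("port", [80, 443]),
    "SSL_ports": ("port", [443]),
    "CONNECT": ("method", ["CONNECT"]),
    "MyNetwork": ("src", ["200.168.0.0/16"]),
}
# http_access lines from the same config, in order.
RULES = [
    ("allow", ["Manager", "Localhost"]),
    ("deny", ["Manager"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["MyNetwork"]),
    ("deny", ["All"]),
]
DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_request(src, request_line):
    """Turn a proxy request line into the fields the ACLs test (simplified, IPv4 only)."""
    method, target, _version = request_line.split()
    if method == "CONNECT":  # target is host:port, no URL scheme
        scheme, hostport = "none", target
    else:  # proxy requests carry an absolute URL
        scheme, _, rest = target.partition("://")
        hostport = rest.split("/", 1)[0]
    _host, _, port = hostport.partition(":")
    port = int(port) if port else DEFAULT_PORTS.get(scheme, 0)
    return {"src": src, "method": method, "proto": scheme, "port": port}

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        addr = ipaddress.ip_address(req["src"])
        return any(addr in ipaddress.ip_network(v) for v in values)
    return req[kind] in values

def http_access(req):
    """Return (action, rule index) for the first rule whose ACLs all match."""
    for i, (action, names) in enumerate(RULES):
        if all(acl_matches(n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action, i
    # Squid's fallback when nothing matches: the opposite of the last rule.
    return ("allow" if RULES[-1][0] == "deny" else "deny"), None

def decide(src, request_line):
    return http_access(parse_request(src, request_line))
```

Calling `decide("200.168.5.9", "CONNECT 10.251.60.180:443 HTTP/1.0")` shows the tunnel being admitted by the same rule that admits plain HTTP, while CONNECT to any other port is stopped earlier in the list.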


      

