And if your ICAP server allows it, run it on the same host as Squid to minimize connection delays between Squid and ICAP. E.g. ours (qlproxy) by default runs on 127.0.0.1.
Best regards,
Rafael
From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx]
On Behalf Of Evan Blackstone
Sent: Wednesday, December 31, 2014 7:00 AM
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: [squid-users] Squid Deployment Questions
Hey all,
Wondering if I could get some advice on potentially setting up a Squid forward proxy on my network. I'm not a Linux novice by any means, but I'm not experienced in server administration, log review, etc.
We're needing to deploy a simple non-caching, non-peering forward proxy to integrate with an ICAP server for web filtering. My plan is pretty basic...here's my network config:
Internet --> Cisco ASA --> DMZ --> Internal LAN
I've received conflicting advice on whether or not there's any advantage to putting a forward proxy on the DMZ vs. internal LAN. In any case, I'm wanting to deploy an explicit proxy with a single NIC. Workstations will use a PAC file, etc. to point to the proxy.
If the server is on the DMZ, I'd allow 80/443 from the internal LAN to the DMZ, then allow 80/443 from the proxy to outside. I'd also be allowing the proxy to internal LAN for ICAP, syslog, and possibly NTP. The proxy would have a single interface...although it would NAT to outside for internet access, there would be no ports open on the outside interface.
Based on some testing I've done, my squid.conf would be pretty basic...
http_access allow internalnetwork
cache deny internalnetwork
always_direct allow internalnetwork
http_access deny all
etc.
My questions are:
Does it sound like I'm on the right track here? Would the above described configuration be safe? I've read that Squid should listen only on an internal interface? What about when the server only has one?
What level of risk would I be assuming (regular patching included)? Given that I'm relatively new to monitoring Linux servers for security, etc., is this a bad idea? I'm not really sure what to be looking for log-wise in terms of compromise. I have edge devices and monitoring on the perimeter, but I don't really know what to look for on the server itself...
Am I approaching this the wrong way? Should I be looking at putting it on the inside LAN? Would such an approach leave my network vulnerable should the Squid box get owned?
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
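As an added illustration (not part of the thread, and not qlproxy's or the Squid project's own configuration), here is a complete squid.conf for the setup the question describes: an explicit, non-caching, non-peering forward proxy that listens only on its LAN-facing address, hands every request to an ICAP filter on 127.0.0.1 as the reply suggests, and fails closed if that filter is unreachable. The listen address 192.0.2.10, the client range 192.168.10.0/24, the ICAP port 1344, the service names svc_req/svc_resp and the syslog facility local4 are constructed placeholders to be replaced with your own values.

```conf
# Added example: explicit forward proxy with local ICAP filtering.
# All addresses, names and the ICAP port below are constructed placeholders.

# Listen only on the proxy's LAN-facing address, never on 0.0.0.0,
# so the "outside" side of a NAT'd single-NIC host exposes nothing.
http_port 192.0.2.10:3128

# Clients allowed to use the proxy (constructed range).
acl internalnetwork src 192.168.10.0/24
acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Order matters: reject odd ports and non-TLS CONNECT tunnels before
# allowing the internal clients, and finish with an explicit deny.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow internalnetwork
http_access deny all

# No caching and no peers: every request goes straight to the origin server.
cache deny all
always_direct allow all

# ICAP filter on loopback, as the reply recommends.
icap_enable on
icap_preview_enable on
icap_send_client_ip on
# bypass=off: if the filter is down Squid returns an error page instead
# of passing traffic through unfiltered (fail closed, not fail open).
icap_service svc_req reqmod_precache bypass=off icap://127.0.0.1:1344/reqmod
icap_service svc_resp respmod_precache bypass=off icap://127.0.0.1:1344/respmod
adaptation_access svc_req allow all
adaptation_access svc_resp allow all

# Don't leak internal client addresses or the proxy's identity to origin servers.
forwarded_for delete
via off

# Send the access log to the internal syslog collector mentioned in the
# question (constructed facility) and keep a local copy for forensics.
access_log syslog:local4.info squid
access_log daemon:/var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
```

Validate the file with `squid -k parse` before reloading; it reports unknown directives and ACL ordering mistakes without touching the running proxy. The `http_access deny all` at the end and `bypass=off` on both ICAP services are the two lines that decide whether the proxy fails closed, so they are the ones to check first after any later edit.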