Re: Squid security and function as an HTTP accelerator

From: Bartlomiej Solarz-Niesluchowski <B.Solarz-Niesluchowski@dont-contact.us>
Date: Tue, 14 Mar 2000 11:19:31 +0100

At 10:44 00-03-14, Reuben Farrelly wrote:
>1. Would squid (running as user squid, not root of course) be regarded as
>"safe" compared to using NAT? I'm talking in terms of preventing direct
>access from the customers' LAN to the outside world, and also preventing
>direct connections into the LAN (hoping to avoid reverse NAT). I haven't
>read of any security issues but would prefer to ask than just assume :>

If correctly set up - yes, because you can EXACTLY set up what and from what
can be accessed - second is that Squid is a WWW/FTP proxy, no more!
(Squid e.g. cannot be used to break in to a shell account...).

>2. If I use Squid also as an HTTP accelerator, would it be safer than
>running a web server on a routable address, I'm thinking of shielding the
>world from (as an example) a Microsoft IIS server which seems to have been
>the subject of some security holes. Would Squid on a routable address,
>accelerating in front of this server make this a much safer setup than
>direct access to the IIS via reverse NAT (from a routable address on the
>proxy to the web server on the unroutable segment)?

Normally it was used via NAT, but if you use Squid as a rev. proxy the second
idea will be better (Squid as rev. proxy + WWW server on the unroutable net)....

>3. Using Squid for both an accelerator and a proxy, do I need to define
>any ACLs specifically for the accelerator component? While the world can
>access the accelerated service, they shouldn't be able to use the box as a
>cache...that's for internal clients only.

Yes - it will be better to write some ACLs (in which you define what and from
where can be accessed)....

****************************************************************
* Bartlomiej Solarz-Niesluchowski *
* Administrator WSISiZ *
* Motto - don't break Win'9x, they break by themselves anyway.... *
* As you make your bed, so you will sleep in it *
****************************************************************
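The ACL split the reply recommends for question 3, as an added squid.conf example that is not from the original post or the Squid project: the world reaches only the accelerated site, internal clients may use the forward proxy, and nobody can use the box as an open proxy or a tunnel to arbitrary ports. Assumed values: public hostname www.example.com, origin server 10.0.0.10 on the unroutable segment, internal LAN 192.168.1.0/24 behind proxy address 192.168.1.1, and current Squid syntax (http_port ... accel / cache_peer ... originserver), which differs from the httpd_accel_* directives of the 2000-era Squid the thread discusses.

```conf
# Accelerator (reverse proxy) listener on the routable side.
# Assumed site name and origin address; not from the original post.
http_port 80 accel defaultsite=www.example.com
cache_peer 10.0.0.10 parent 80 0 no-query originserver name=origin_www

# Forward-proxy listener bound to the internal interface only.
http_port 192.168.1.1:3128

# Who may ask, and for what.
acl localnet   src 192.168.1.0/24
acl accel_site dstdomain www.example.com
acl accel_port myport 80
acl Safe_ports port 80 443 21
acl SSL_ports  port 443
acl CONNECT    method CONNECT

# Requests to the origin peer are limited to the accelerated site itself.
cache_peer_access origin_www allow accel_site
cache_peer_access origin_www deny all

# Refuse odd ports and CONNECT tunnels to anything but HTTPS, before any allow.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# World: only the accelerated site, and only via the accelerator port.
http_access allow accel_port accel_site

# Internal LAN: general proxy use (forward proxy + cache).
http_access allow localnet

# Everyone and everything else, including outsiders probing port 3128.
http_access deny all
```

Verify the split from outside with a request for an unrelated URL through port 80 and a request through port 3128; both should return a Squid access-denied page, while internal clients through 3128 succeed.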
Received on Tue Mar 14 2000 - 03:24:27 MST