Re: Squid security and function as an HTTP accelerator

From: 99GANDYA <99GANDYA@dont-contact.us>
Date: Wed, 15 Mar 2000 08:08:18 -0000

PISS OFF I UNSUBSCRIBE!!!!!!!!!!!!!!!!!!!!!!

----------
> From: Reuben Farrelly <reuben-squid@reub.net>
> To: squid-users@ircache.net
> Subject: Squid security and function as an HTTP accelerator
> Date: 14 March 2000 09:44
>
> Hi people,
>
> As part of my work at an ISP, I'm involved in the design/implementation of
> "client side" servers which will sit on the client's side of a network link
> to us. These Linux boxes are going on the client's side for a number of
> reasons, but mainly to act as gateway devices on which we are going to run
> a small number of services, usually just Squid and a relaying qmail
> daemon. These boxes will have two NICs in them, one with a routable and
> another with an unroutable address. There will be, by default, no routing
> or NAT between the NIC cards as Squid should listen on both interfaces.
>
> The intention is to make the box very secure (no logins except from a very
> specific list of IP addresses), and also to hide other services on internal
> address space behind the box, but make the services available to the wider
> world as well. This will also give us access to logs which show the
> traffic out of the network.
>
> I'm looking at using Squid to do two functions here:
>
> * A typical squid proxy for clients on the internal networks
> * An HTTP accelerator for visitors to the web site on the external interface
>
>
> But I have a few questions:
>
> 1. Would Squid (running as user squid, not root of course) be regarded as
> "safe" compared to using NAT? I'm talking in terms of preventing direct
> access from the customer's LAN to the outside world, and also preventing
> direct connections into the LAN (hoping to avoid reverse NAT). I haven't
> read of any security issues but would prefer to ask than just assume :>
>
> 2. If I use Squid also as an HTTP accelerator, would it be safer than
> running a web server on a routable address? I'm thinking of shielding the
> world from (as an example) a Microsoft IIS server which seems to have been
> the subject of some security holes. Would Squid on a routable address,
> accelerating in front of this server, make this a much safer setup than
> direct access to the IIS via reverse NAT (from a routable address on the
> proxy to the web server on the unroutable segment)?
>
> 3. Using Squid for both an accelerator and a proxy, do I need to define any
> ACLs specifically for the accelerator component? While the world can
> access the accelerated service, they shouldn't be able to use the box as a
> cache...that's for internal clients only.
>
> And lastly. It's been on this list a few times but not lately: what's the
> ratio of memory to disk space typically used - does 1MB RAM accommodate
> about 25MB of disk storage space? [Correct me if I am wrong]
>
> Thanks for any answers. Alternative suggestions are also welcome...I have
> a feeling about some of the answers, but just want to be more sure before I
> look more like an idiot if something doesn't work as I anticipate ;)
>
> reuben
> -------------------------------------------------------------
> Reuben Farrelly West Ryde, NSW 2114, Australia
Received on Wed Mar 15 2000 - 01:47:20 MST
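The quoted post's question 3 (one Squid instance acting as both an accelerator for the world and a cache for internal clients only) comes down to the order of the http_access rules. The squid.conf fragment below is an added illustration using the Squid 2.x directives current at the time of the thread; it is not from the original post or from the Squid project. The site name www.example.com, the origin address 192.168.1.10, the LAN range 192.168.1.0/24 and the choice of port 80 for both functions are assumptions made for the example.

```squid
# Added example, not part of the thread. Squid 2.x syntax (httpd_accel_*).
# Hostnames, addresses and ports are assumed values for illustration only.

# Squid 2.x listens on one port; both accelerator traffic and internal proxy
# clients (browser proxy setting = this box, port 80) arrive here.
http_port 80

# Accelerator: requests that carry only a path (no full URL) are rewritten to
# http://www.example.com/... and fetched from the origin. On the Squid box,
# www.example.com must resolve to the origin's unroutable address (e.g. an
# /etc/hosts entry 192.168.1.10 www.example.com), not to the box itself.
httpd_accel_host www.example.com
httpd_accel_port 80

# Keep full-URL (proxy) requests working on the same instance for the LAN.
httpd_accel_with_proxy on

# Leave this off: when it is on, the client-supplied Host header selects the
# origin, so an outsider can choose what gets stored under a cached URL.
httpd_accel_uses_host_header off

# ACL definitions (Squid 2.x uses dotted-quad masks).
acl all          src 0.0.0.0/0.0.0.0
acl internal_lan src 192.168.1.0/255.255.255.0
acl manager      proto cache_object
# Accelerated requests are rewritten to the accel host, so this matches them
# no matter which interface they came in on.
acl accel_site   dstdomain www.example.com

# http_access is first-match. Order matters:
#   1. cache manager only from the LAN
#   2. anyone may reach the accelerated site
#   3. only the LAN may use the box as a general proxy/cache
#   4. everything else (outsiders asking for other sites) is refused
http_access allow manager internal_lan
http_access deny  manager
http_access allow accel_site
http_access allow internal_lan
http_access deny  all
```

The final deny line is what keeps the external interface from becoming an open proxy. A quick check from a host outside the LAN: a plain request for http://www.example.com/ (no proxy configured) should be served, while the same host configured to use the box as a proxy and asking for any other site should get a 403 from Squid rather than page content.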

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:52:08 MST