[squid-users] ICP, accelerator, security

From: <sean.upton@dont-contact.us>
Date: Tue, 28 Jan 2003 09:31:01 -0800

I am going to be running an accelerator that load-balances and caches for a
cluster of app server (Zope) boxes that have an HTTP server that supports
both HTTP and ICP. Each app-server node is treated as an ICP peer to the
accelerator. More background info is available at:
        http://www.zope.org/Members/htrd/icp/intro
        http://www.zope.org/Members/htrd/howto/squid

I have 2 quick security questions regarding http_accel_with_proxy:

1 - In order to use ICP on an accelerator, you need to enable
http_accel_with_proxy. Is this still the case?

2 - If it is the case, what is the best method for locking down Squid so
that arbitrary proxying through this accelerator is unavailable to certain
networks? This accelerator serves a public web site, so access for
accelerator requests needs to be granted to all requests coming in on that
interface, but access to proxy requests (which are denied in accel-only
mode) should be denied to all traffic coming into that same interface. My
web-server/peer nodes reside on a private network (the accelerator is
dual-homed). ACLS? Tweak my redirector scripts?

I ask these because I couldn't find anything like this mentioned in the
Squid FAQ, and from looking at my cache.log, I know for certain that this is
a very real security need (attempts to use Squid in proxy mode fail and get
noted in the log; I don't particularly want to open a hole in order to
support ICP).

Sean
Received on Tue Jan 28 2003 - 10:26:45 MST
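
One way to express the policy asked about in question 2, as an added example that is not part of the original post or of the Squid documentation: a Squid 2.5-style squid.conf fragment that leaves proxy mode switched on but serves only the accelerated site and answers ICP only on the private side. The host name, addresses and ACL names are constructed placeholders, and the fragment assumes the proxy option has to stay enabled for ICP.

```conf
# --- Accelerator settings (placeholders; adjust to the real site) ---
http_port 80
icp_port 3130
httpd_accel_host www.example.com        # placeholder public host name
httpd_accel_port 80
# squid.conf name of the option the post calls http_accel_with_proxy;
# assumed here to be needed for ICP to the Zope peers.
httpd_accel_with_proxy on

# --- ACL definitions ---
# "all" is in the stock squid.conf; keep only one definition of it.
acl all src 0.0.0.0/0.0.0.0
# Destination host of legitimate accelerator traffic. It must match the
# host name Squid places in the rewritten URL (httpd_accel_host above).
acl accel_site dstdomain www.example.com
# Private network holding the Zope/ICP peers (placeholder range).
acl peer_net src 10.0.0.0/255.255.255.0
acl CONNECT method CONNECT

# --- HTTP access: first match wins ---
# No tunnelling through the accelerator at all.
http_access deny CONNECT
# Anything whose destination is the accelerated site is served, from
# any client and on any interface.
http_access allow accel_site
# Everything else is a proxy request for a foreign host: refuse it.
# These refusals show up as TCP_DENIED entries in access.log.
http_access deny all

# --- ICP access ---
# Only the private peer network may send ICP queries to this cache.
icp_access allow peer_net
icp_access deny all
```

Because the decision is made on the destination host rather than on the client address, public clients keep full access to the site while a request for any other host is refused whatever interface it arrives on.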

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:12:54 MST