Re: [squid-users] advice for proxy architecture

From: <lderuaz@dont-contact.us>
Date: Tue, 18 Jan 2005 13:57:50 +0100

Thanks for this advice.

I thought that it was better to have dedicated proxies (internal for
authentication and intranet access, external for internet access) to distribute
functions and cache capacities.

But I am going to consider your opinion. However, if I only use internal
proxies, is there any risk (such as hijacking) in having some direct
communication from my LAN server to the Internet?

Security is for me (as for everyone) a big constraint in our context.

> On 14.01 11:49, lderuaz@free.fr wrote:
> > Here is my squid architecture :
> > I am using Squid Version 2.5.STABLE7 and Samba 3.0.9 on Red Hat ES3.0.
> > I've got two internal proxies on which the NTLM authentication of the
> > users is performed. They are configured to forward requests to
> > some remote proxies (in other sites of the company), or to two redundant
> > external proxies used for internet access.
> >
> > I am studying how to optimise my proxy architecture, and am looking for
> > advice.
> >
> > Based on your own experience, is it better to keep the architecture 1 :
> >
> > Client <--> internal proxies <--> FW <--> External proxies <--> Internet
> >
> > or the architecture 2
> >
> > Client <--> internal proxies <--> FW <--> Internet
>
> the second one is easier and you won't get any benefit of the external
> proxy.
>
> > Do you find some particular advantages in having additional external proxies
> > (in terms of performance, security, ...)?
>
> no.
>
> > or do you think that having only two internal proxies for all traffic
> > (remote site, internet traffic) is sufficient and not risky?
>
> yes.
>
> --
> Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Christian Science Programming: "Let God Debug It!".
>

--
Received on Tue Jan 18 2005 - 05:57:52 MST
