Re: [squid-users] Distributed ACL

From: <Markus.Rietzler@dont-contact.us>
Date: Mon, 22 Jan 2007 13:44:43 +0100

 

>-----Original Message-----
>From: Tom Lobato [mailto:tomlobato@....]
>
>Hi Markus! Thank you.
>
>
>>>
>>> we work in a similar scenario. at about 150 subsidiaries. our
>>> squids are running
>>> on linux-servers, but it should not make much difference.
>>>
>>> we use a squid hierarchy like:
>>>
>>> user-squid in subsidiary +-> squid main internet -> FW -> squid dmz -> internet
>>>                          +-> squid main intranet -> intranet
>>>                          +-> squid main extranet -> extranet
>>>
>
>I didn't understand the hierarchy.

ok next try,

there is a squid-proxy in each subsidiary (user-squid), we have a "squid-cluster" at main headquarters. these are "squid main internet/intranet/extranet". so there are running at least 3 different squid processes (e.g. ports 8081,8082,8083), installed and running on two machines - shortly 4 servers.
all requests have to go over our main squids - unless it is a "local" request in a subsidiary.

>
>
>>> all user-squids are using "local" acls files. there are acls
>>> which choose the right main squid (internet, intranet, extranet).
>>> also some acls which deny or allow internet etc.
>>>
>
>What do you mean by "choose the right main squid"?
>
all user-squids have a "few" (or many?) acls with which they can determine if they have to forward the request to "main intranet", "main extranet" or "main internet". so the user squid decides which type of request it is (intranet/extranet/internet) and then asks the responsible squid at our headquarters.

so that means:

some.local.server: user-squid -> DIRECT (if local.server is located in subsidiary)
some.main.server: user-squid -> squid main intranet -> DIRECT to some.main.server
some.subsidiaryB.server: user-squid (subA) -> squid main intranet -> "user"-squid in sub B -> some.subsidiaryB.server
www.google.de: user-squid -> squid main internet -> FW -> DMZ -> internet -> google.de

>
>>> we manage all acl on a central server. as soon we're making
>>> changes we have a "copy"-script that uses rcp/scp to
>>> distribute all acls to the user-squids and do a "reconfigure".
>
>Very good, I think my schema will be similar to yours.
>With the main difference that the remote squid will be SquidNT
>(running on windows), and maybe I will implement a
>client/server pair to make updates as soon as the central
>administrator changes acls.
>
>
should not make much difference if you use squidNT or squid"Linux".

markus
Received on Mon Jan 22 2007 - 05:45:09 MST
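
The central distribution described in the message above (copy the ACL files to each user-squid with scp, then reconfigure), written out as an added example that is not the poster's script. It adds two checks before activation: a checksum manifest so a truncated or altered copy is rejected, and `squid -k parse` with rollback so a broken ACL set never reaches `squid -k reconfigure`. The paths, the manifest name and the install location of the script on the user-squids are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's copy script. Paths, host names and the
# install location of this script on the user-squids are assumptions.
ACL_SRC=${ACL_SRC:-/srv/squid-acl}    # central master copy (assumed)
ACL_DST=${ACL_DST:-/etc/squid/acl}    # ACL directory on a user-squid (assumed)
SQUID=${SQUID:-squid}                 # overridable so the logic can be tested
SELF=/usr/local/sbin/acl-sync         # this script on each user-squid (assumed)
MANIFEST=MANIFEST.sha256

# Central server: record a checksum for every ACL file in directory $1.
make_manifest() {
    ( cd "$1" || exit 1
      rm -f "$MANIFEST"
      tmp=$(mktemp) || exit 1
      sha256sum -- * > "$tmp" && mv "$tmp" "$MANIFEST" )
}

# User-squid: fail if any listed file is missing, truncated or altered.
verify_manifest() {
    ( cd "$1" && [ -s "$MANIFEST" ] && sha256sum -c "$MANIFEST" >/dev/null 2>&1 )
}

# User-squid: switch to the staged files in $1 only if they verify and the
# resulting configuration parses; otherwise restore the previous directory.
activate_acls() {
    stage=$1
    verify_manifest "$stage" || return 1
    rm -rf "$ACL_DST.old"
    mv "$ACL_DST" "$ACL_DST.old" && mv "$stage" "$ACL_DST" || return 1
    if "$SQUID" -k parse >/dev/null 2>&1; then
        "$SQUID" -k reconfigure
    else
        rm -rf "$ACL_DST" && mv "$ACL_DST.old" "$ACL_DST"
        return 1
    fi
}

# Central server: stage the ACLs on host $1, then let it verify and activate.
push_acls() {
    make_manifest "$ACL_SRC" || return 1
    ssh "$1" "rm -rf '$ACL_DST.new' && mkdir -p '$ACL_DST.new'" || return 1
    scp -q "$ACL_SRC"/* "$1:$ACL_DST.new/" || return 1
    ssh "$1" "$SELF activate '$ACL_DST.new'"
}

case "${1:-}" in
    push)     shift; for h in "$@"; do push_acls "$h" || echo "FAILED: $h" >&2; done ;;
    activate) activate_acls "$2" ;;
esac
```

Run as `acl-sync push host1 host2 ...` on the central server; a host that fails verification or parsing keeps its previous ACL directory and is reported on stderr.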
