[squid-users] Connecting two networks via Squid

From: Harry Griff <bg_ie_at_yahoo.com>
Date: Thu, 21 May 2009 15:05:57 -0700 (PDT)

Hello all,

I'm about to configure my squid server and was hoping that you could confirm for me that I've got the right idea.

My situation is that I installed Squid 2.5.STABLE on a SUSE machine which is routed via eth0 to "network A" and via
eth1 to "network B". I wish for clients in "network A" to access content on a server located in "network B".

The protocols I wish to support are HTTP (80) and HTTPS (443).

Firewalls exist between my linux machine and network A, and between
my linux machine and network B. The firewalls are configured to only accept traffic via port 80 and 443.

I have added networks A and B to my linux machine's routing table and
I can now ping from a machine in network A to the linux machine, and
from the linux machine to the web server on network B.

So here's my current configuration which I hope to test tomorrow -

http_port 10.20.1.1:80
http_port 10.20.1.1:443

acl All src 0/0
acl Manager proto cache_object
acl Localhost src 127.0.0.1/32
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
acl MyNetwork src 200.168.0.0/16

http_access allow Manager Localhost
http_access deny Manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow MyNetwork
http_access deny All

To test this, I will attempt to access the "Network B" server from a machine on "Network A". In doing this, I will configure the browser proxy settings on the "Network A" machine as follows -

HTTP Proxy: 10.20.1.1:80
SSL Proxy: 10.20.1.1:443

And then attempt to access content from Network B. Does this sound correct?

Secondly, is it possible to do the above using a transparent proxy instead? I'm a little bit confused about SSL and man-in-the-middle attacks. If I don't wish to configure the proxy settings on all machines in network A, should I be looking at configuring the iptables on the linux machine so that they forward the SSL packets? I'm still a little unsure when it comes to configuring iptables...

Thanks for your help,

Barry.

Received on Thu May 21 2009 - 22:06:06 MDT
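As an added example (not part of the original post and not a file from the Squid project), here is a shell script that writes out a corrected version of the configuration above and the iptables rules for the transparent variant asked about at the end. It assumes Squid 2.5's httpd_accel_* directives for interception, the addresses used in the post (10.20.1.1 on eth0 facing network A, clients in 200.168.0.0/16), and that the firewalls only pass ports 80 and 443, so Squid listens on 80; the "apply" argument is a convenience of this script, not a Squid feature. Two points it makes explicit: a browser's "SSL proxy" setting sends a plaintext CONNECT request to the proxy port, so one http_port serves both browser settings and no listener on 443 is needed; and port 443 is deliberately not redirected into Squid, because intercepting HTTPS is exactly a man-in-the-middle and would fail certificate validation on every client, so HTTPS is routed through the box instead.

```shell
#!/bin/sh
# Added example: generate a corrected squid.conf and the iptables rules for
# transparently intercepting port 80 only. Assumes Squid 2.5 syntax
# (httpd_accel_* for interception) and the addresses from the post.
set -eu

PROXY_IP=10.20.1.1          # address on the interface facing network A (from the post)
PROXY_PORT=80               # the firewalls only pass 80 and 443, so listen on 80
CLIENTS=200.168.0.0/16      # network A, the post's MyNetwork acl
CLIENT_IF=eth0              # interface towards network A (from the post)

# Print the squid.conf. Both the browser's "HTTP proxy" and "SSL proxy"
# settings can point at the same port: an HTTPS request reaches the proxy
# as a plaintext "CONNECT host:443", which the SSL_ports acl below permits.
squid_conf() {
    cat <<EOF
http_port ${PROXY_IP}:${PROXY_PORT}

# Squid 2.5 transparent-interception settings; httpd_accel_with_proxy keeps
# explicit-proxy requests working on the same port.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

acl All src 0.0.0.0/0.0.0.0
acl Manager proto cache_object
acl Localhost src 127.0.0.1/32
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
acl MyNetwork src ${CLIENTS}

# First match wins, so the deny rules must come before the network allow.
http_access allow Manager Localhost
http_access deny Manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow MyNetwork
http_access deny All
EOF
}

# Print the iptables commands for the transparent variant. Only port 80 is
# redirected into Squid. Port 443 is left alone on purpose: an intercepting
# proxy cannot read TLS without presenting its own certificate, which is a
# man-in-the-middle and breaks certificate validation on every client.
# HTTPS from network A is simply forwarded through the box (or the clients
# keep the explicit SSL proxy setting, which needs no iptables rule at all).
iptables_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i ${CLIENT_IF} -s ${CLIENTS} -p tcp --dport 80 -j REDIRECT --to-port ${PROXY_PORT}
iptables -A FORWARD -i ${CLIENT_IF} -s ${CLIENTS} -p tcp --dport 443 -j ACCEPT
EOF
}

# Usage: sh proxy-setup.sh          (print both, change nothing)
#        sh proxy-setup.sh apply    (as root: write the config and load the rules)
if [ "${1:-}" = "apply" ]; then
    squid_conf > /etc/squid/squid.conf
    iptables_rules | sh
else
    echo "# --- squid.conf ---"; squid_conf
    echo "# --- iptables ---";   iptables_rules
fi
```

Running it without arguments only prints, so the output can be reviewed before anything is applied. The REDIRECT target relies on eth0 carrying the 10.20.1.1 address, since REDIRECT rewrites the destination to the primary address of the interface the packet arrived on; Squid's own outbound connections leave through the OUTPUT chain and are not caught by the PREROUTING rule, so there is no loop.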
