Re: [squid-users] Connecting two networks via Squid

From: Chris Robertson <crobertson_at_gci.net>
Date: Thu, 21 May 2009 14:37:02 -0800

Harry Griff wrote:
> Hello all,
>
> I'm about to configure my squid server and was hoping that you could confirm for me that I've got the right idea.
>
> My situation is that I installed Squid 2.5.STABLE

Since you are just starting, get a recent Squid version. 2.5 has been
out of support for quite a while.

> on a suse machine which is routed via eth0 to "network A" and via
> eth1 to "network B". I wish for clients in "network A" to access content on a server located in "network B".
>
> The protocols I wish to support are HTTP (80) and HTTPS (443).
>
> Firewalls exist between my linux machine and network A, and between
> my linux machine and network B. The firewalls are configured to only accept traffic via port 80 and 443.
>
> I have added networks A and B to my linux machine's routing table and
> I can now ping from a machine in network A to the linux machine, and
> from the linux machine to the web server on network B.
>
> So here's my current configuration which I hope to test tomorrow -
>
> http_port 10.20.1.1:80
> http_port 10.20.1.1:443
>
> acl All src 0/0
> acl Manager proto cache_object
> acl Localhost src 127.0.0.1/32
> acl Safe_ports port 80 443
> acl SSL_ports port 443
> acl CONNECT method CONNECT
> acl MyNetwork src 200.168.0.0/16
>
> http_access allow Manager Localhost
> http_access deny Manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow MyNetwork
> http_access deny All
>
> To test this, I will attempt to access the "Network B" server from a machine on "Network A". In doing this, I will configure the browser proxy settings on the "Network A" machine as follows -
>
> HTTP Proxy: 10.20.1.1:80
> SSL Proxy: 10.20.1.1:443
>
> And then attempt to access content from Network B. Does this sound correct?
>

The HTTP part looks fine, but you won't be able to make a secure
connection on port 443. It's set up as an http_port, not an https_port,
for a start. You can proxy secure connections over an http_port (it uses a
tunneling method called "CONNECT").

> Secondly, is it possible to do the above using a transparent proxy instead?

Transparent to your clients, yes. Set it up as a reverse proxy
(accelerator) and have your clients on "Network A" connect to the proxy
(via DNS or IP) instead of the server on "Network B".

> I'm a little bit confused about ssl and man in the middle attacks. If I don't wish to configure the proxy settings on all machines in network A, should I be looking at configuring the iptables on the linux machine so that they forward the ssl packets? I'm still a little unsure when it comes to configuring iptables...
>
> Thanks for your help,
>
> Barry.

Chris
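As an added illustration (not code from either poster or from Squid itself), the following Python models how Squid walks the http_access list quoted above: top to bottom, first line whose ACLs all match decides. It shows why a browser's HTTPS request arrives as a CONNECT to host:443 and is allowed only because `Safe_ports`, `SSL_ports` and `MyNetwork` all line up; host names and client addresses are constructed.

```python
import ipaddress

# Constructed model of the posted ACLs (illustration only, not Squid's own code).
# Squid checks http_access lines top to bottom; the first full match decides.
SAFE_PORTS = {80, 443}                                  # acl Safe_ports port 80 443
SSL_PORTS = {443}                                       # acl SSL_ports port 443
LOCALHOST = ipaddress.ip_address("127.0.0.1")           # acl Localhost src 127.0.0.1/32
MY_NETWORK = ipaddress.ip_network("200.168.0.0/16")     # acl MyNetwork src 200.168.0.0/16

def parse_request_line(line):
    """Return method, URL scheme, host and port from a proxy request line."""
    method, target, _version = line.split()
    if method == "CONNECT":                 # CONNECT host:port HTTP/1.1 (tunnel setup)
        host, _, port = target.rpartition(":")
        return {"method": method, "proto": "https", "host": host, "port": int(port)}
    proto, rest = target.split("://", 1)    # a proxy receives an absolute URI
    host, _, port = rest.split("/", 1)[0].partition(":")
    if proto == "cache_object":             # manager interface; port is irrelevant
        return {"method": method, "proto": proto, "host": host, "port": None}
    default = 443 if proto == "https" else 80
    return {"method": method, "proto": proto, "host": host, "port": int(port) if port else default}

def http_access(src_ip, request_line):
    """Evaluate the posted http_access list; returns 'allow' or 'deny'."""
    req = parse_request_line(request_line)
    src = ipaddress.ip_address(src_ip)
    manager = req["proto"] == "cache_object"
    if manager and src == LOCALHOST:
        return "allow"                      # http_access allow Manager Localhost
    if manager:
        return "deny"                       # http_access deny Manager
    if req["port"] not in SAFE_PORTS:
        return "deny"                       # http_access deny !Safe_ports
    if req["method"] == "CONNECT" and req["port"] not in SSL_PORTS:
        return "deny"                       # http_access deny CONNECT !SSL_ports
    if src in MY_NETWORK:
        return "allow"                      # http_access allow MyNetwork
    return "deny"                           # http_access deny All

if __name__ == "__main__":
    # Constructed sample requests; host names and client IPs are made up.
    samples = [
        ("200.168.5.7", "CONNECT serverb.example:443 HTTP/1.1"),   # HTTPS via tunnel
        ("200.168.5.7", "CONNECT serverb.example:25 HTTP/1.1"),    # not a Safe_port
        ("10.20.9.9", "GET http://serverb.example/ HTTP/1.1"),     # outside MyNetwork
        ("127.0.0.1", "GET cache_object://localhost/info HTTP/1.0"),
    ]
    for src, line in samples:
        print(f"{src:14} {line:45} -> {http_access(src, line)}")
```

Note that the tunnel case is only allowed, never inspected: after the CONNECT is accepted the proxy relays opaque TLS bytes, which is why the port checks on the CONNECT line are the proxy's only point of control there.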
Received on Thu May 21 2009 - 22:37:18 MDT
