Re: [squid-users] HTTPS &Reverse proxy

From: Adam Lang <aalang@dont-contact.us>
Date: Wed, 18 Apr 2001 11:25:59 -0400

----- Original Message -----
From: "Chemolli Francesco (USI)" <ChemolliF@GruppoCredit.it>
To: "'Adam Lang'" <aalang@rutgersinsurance.com>
Cc: "Squid Users" <squid-users@squid-cache.org>
Sent: Wednesday, April 18, 2001 10:39 AM
Subject: RE: [squid-users] HTTPS &Reverse proxy

> Never EVER trust a network that blindly, as private as it may be.
> IF you want to do something like that, put ANOTHER network behind squid
> and put your hosts there. Also, enable firewalling on the
> squid host *and use it* to strengthen it as much as possible.
> Of course you have to disable everything but Squid on that host, MAYBE
> enable a VERY RECENT openssh or ssh2 to administer it.
> Then MAYBE you have something similar to a faded image of an almost
> semi-trustable network. Of course the backend net must not be
> routed in any way. Having it on switches will help performance and
> add a tiny amount of trustability (VERY tiny, mind you).

Good point. Basic security rules still need to be applied. It is not a
reason to slack off. But the point I was raising is that instead of dumping
that much work into three webservers, you dump that much work into one squid
server and add modest security between squid and the webservers.

But the more security, the better.
Received on Wed Apr 18 2001 - 09:23:12 MDT
