Re: [squid-users] Squid + multiuser + firewall

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 23 Mar 2009 11:45:18 +1200 (NZST)

> I have a network with the computers (for the purposes of this exercise).
>
> Anubis: firewall/gateway
> Athena: dual-seat workstation
> Selene: four-seat workstation, server, squid box
>
> I want to set up transparent proxying. I don't trust my control over
> Athena. It can be compromised.
>
> The setup I want:
>
> Anubis sends all requests for port 80 to selene port 3128
> Selene does the proxy thing, and sends the packet out via Anubis to the
> www.
>
> So the problem with the above is that I want Anubis to only accept those
> packets which originate with the proxy user on Selene, not any of the
> other users on Selene.
>
> I absolutely do not want a user on Athena to be able to get out on the
> web without going through the proxy, and I am assuming that Athena is
> compromised.
>
> I can think of a couple of other ways of doing this, but all leave open
> the possibility of a user on Selene getting out on the web without going
> through the proxy.
>
> The only way I can think of doing this is to set up Selene as the
> gateway, have Anubis refuse all connections to port 80 except those
> originating on Selene, and then firewall the output chain on Selene to
> only allow the proxy user via the uid option of the owner module.
>
> Is anyone doing this - multiple users on the squid box?
>
> --Yan
>

Do that port-80 block for all IPs except the proxy.
Use authentication on the proxy.

http://wiki.squid-cache.org/ConfigExamples is a good place to start
looking at how to do auth.

Amos
Received on Sun Mar 22 2009 - 23:45:22 MDT
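
The two packet-filter pieces discussed in this thread, as an added example that is not part of either poster's message: the gateway permits port 80 only from the proxy's IP, and the proxy host permits port 80 only from the Squid account via the owner match. The address, uid and interface name are constructed placeholders, and the functions only print iptables-restore fragments for review; they do not change a running firewall.

```shell
#!/bin/sh
# Added example. All values below are constructed placeholders (assumptions).
PROXY_IP="192.0.2.10"   # assumed address of Selene, the Squid box
PROXY_UID="13"          # assumed numeric uid of the account Squid runs as
LAN_IF="eth1"           # assumed LAN-facing interface on Anubis

# Gateway (Anubis): forward port 80 only when the source is the proxy host.
# The gateway sees addresses, not users, so it cannot tell Selene's local
# users apart; that part has to be enforced on Selene itself.
anubis_rules() {
    proxy_ip=$1
    lan_if=$2
    cat <<EOF
*filter
-A FORWARD -i $lan_if -p tcp --dport 80 -s $proxy_ip -j ACCEPT
-A FORWARD -i $lan_if -p tcp --dport 80 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Proxy host (Selene): locally generated port-80 traffic may leave only when
# the socket belongs to the Squid uid. The owner match is valid in OUTPUT.
# Other local users still reach Squid on port 3128, which is not filtered.
selene_rules() {
    uid=$1
    # Refuse anything that is not a plain number before it reaches a rule.
    case $uid in
        ''|*[!0-9]*) echo "uid must be numeric" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp --dport 80 -m owner --uid-owner $uid -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Print both fragments so they can be reviewed before being loaded on the
# respective host.
echo "# --- Anubis (gateway) ---"
anubis_rules "$PROXY_IP" "$LAN_IF"
echo "# --- Selene (proxy host) ---"
selene_rules "$PROXY_UID"
```

In both fragments the ACCEPT rule has to stay ahead of the REJECT rule, since the first matching rule decides the packet's fate.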
