Re: [squid-users] Squid: reverse proxy security advantages

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 09 Feb 2010 16:54:15 +1300

Jeff Peng wrote:
> On Mon, 2010-02-08 at 22:14 -0300, Alejandro Facultad wrote:
>> Dear all, I have a webmail which must be accessed by users from another
>> network.
>>
>>
>> The content of the webmail is not static obviously, so the content caching
>> is not an advantage here. Also the webmail is just one server, so load
>> balancing is not important here.
>>
>>
>> So are there any security advantages of using a Squid as a reverse proxy in
>> front of my webmail ??? Because I can't see any security benefit...

DDoS reduction? Squid raises your server traffic threshold for DDoS
attack before it falls over by several orders of magnitude.
Then there is the source security controls Jeff points out below.

>
> At some points you can consider Squid as an application firewall, and
> set up some rules like:
>
> acl badip src 192.168.0.100
> http_access deny badip
>
> acl badsite referer_regex -i qq.com
> http_access deny badsite
>
> acl badconn maxconn 20
> http_access deny badconn
>
> acl badbrow browser -i Sosospider
> http_access deny badbrow
>
>
> Those may help improve some security, but it depends...
> Squid is just a cache, if you don't need the cache feature, you may not
> want to use it.
>

"just a cache" ha!

It's a general-use HTTP proxy. Doing load balancing, full set of CDN
features for HTTP-as-service, HTTP flow redirection/reflection,
bandwidth shaping, caching, HTTP security, and protocol conversion.

I'm sure I've left off a bunch of things too.

But yes, I see the point, Squid might not be _that_ beneficial for a
single load-critical non-cacheable app.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE23
   Current Beta Squid 3.1.0.16
Received on Tue Feb 09 2010 - 03:54:26 MST
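
A squid.conf sketch of the setup discussed in this thread: one non-cacheable webmail origin behind Squid in accelerator mode, with Jeff's deny rules placed ahead of the allow rule. This is an added example, not part of either post; the hostname webmail.example.com and the origin address 192.0.2.10 are placeholder assumptions.

```conf
# Added example, not from the thread. Hostname and origin IP are placeholders.

# Accept requests as a reverse proxy (accelerator) for one published site.
http_port 80 accel defaultsite=webmail.example.com

# The single webmail origin server. No load balancing, no ICP queries.
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=webmail

# The only site this proxy should ever serve.
acl webmail_site dstdomain webmail.example.com

# http_access rules are evaluated top to bottom and the first match wins,
# so the deny rules quoted in the thread must come before any allow.

# Block a specific client address.
acl badip src 192.168.0.100
http_access deny badip

# Deny a client address once it holds more than 20 concurrent connections.
acl badconn maxconn 20
http_access deny badconn

# Referer and User-Agent are supplied by the client and can be forged:
# these two rules filter unwanted traffic, they do not authenticate anyone.
acl badsite referer_regex -i qq.com
http_access deny badsite

acl badbrow browser -i Sosospider
http_access deny badbrow

# Forward only requests for the published site; refuse everything else so
# the proxy cannot be used to reach other destinations.
http_access allow webmail_site
http_access deny all

# Restrict the origin peer to the same site.
cache_peer_access webmail allow webmail_site
cache_peer_access webmail deny all

# Webmail content is dynamic and per-user: never store responses.
cache deny all
```

With this layout the origin can be firewalled to accept HTTP only from the Squid host, so every request passes through the rules above before it reaches the webmail server.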
