Squid security and function as an HTTP accelerator

From: Reuben Farrelly <[email protected]>
Date: Tue, 14 Mar 2000 20:44:40 +1100

Hi people,

As part of my work at an ISP, I'm involved in the design/implementation of
"client side" servers which will sit on the clients side of a network link
to us. These Linux boxes are going on the clients side for a number of
reasons, but mainly to act as gateway devices on which we are going to run
a small number of services, usually just Squid and a relaying qmail
daemon. These boxes will have two NIC's in them, one with a routable and
another with an unroutable address. There will be by default, no routing
or nat between the NIC cards as Squid should listen on both interfaces.

The intention is to make the box very secure (no logins except from a very
specific list of IP addresses), and also to hide other services on internal
address space behind the box, but make the services available to the wider
world as well. This will also give us access to logs which show the
traffic out of the network.

I'm looking at using Squid to do two functions here:

* A typical squid proxy for clients on the internal networks
* An HTTP accelerator for visitors to the web site on the external interface

But I have a few questions:

1. Would squid (running as user squid, not root of course) be regarded as
"safe" compared to using NAT? I'm talking in terms of preventing direct
access from the customers LAN to the outside world, and also preventing
direct connections into the LAN (hoping to avoid reverse NAT). I haven't
read of any security issues but would prefer to ask than just assume :>

2. If I use Squid also as an HTTP accelerator, would it be safer than
running a web server on a routable address, I'm thinking of shielding the
world from (as an example) a Microsoft IIS server which seems to have been
the subject of some security holes. Would Squid on a routable address,
accelerating in front of this server make this a much safer setup than
direct access to the IIS via reverse NAT (from a routable address on the
proxy to the web server on the unroutable segment)?

3. Using Squid for both an accelerator and a proxy, do I need to define any
ACL's specifically for the accelerator component? While the world can
access the accelerated service, they shouldn't be able to use the box as a
cache...that's for internal clients only.

And lastly. It's been on this list a few times but not lately, what's the
ratio of memory to disk space typically used - does 1MB RAM accomodate
about 25MB of disk storage space? [Correct me if I am wrong]

Thanks for any answers. Alternative suggestions are also welcome...I have
a feeling about some of the answers, but just want to be more sure before I
look more like an idiot if something doesn't work as I anticipate ;)

reuben
-------------------------------------------------------------
Reuben Farrelly West Ryde, NSW 2114, Australia
Received on Tue Mar 14 2000 - 02:48:50 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:52:06 MST