[squid-users] Final Peer Reivew of Config

From: Eric Kahklen <[email protected]>
Date: Wed, 10 Mar 2004 11:02:01 -0800

I am getting ready test this out on the internet and wondered if anyone
could see any major security problems or miss configurations. I've
removed anything that I didn't think was necessary and left some things
in that I couldn't determine were needed or not. This is going to be
used for a reverse proxy (accelorator) with Exchange 2000. [Internet] -
[Firewall - port 443] - [Squid] - [Exchange/OWA - 2000]

Thanks,

Eric

#squid.conf
https_port 443 cert=/etc/squid/key-cert.pem defaultsite=mail.company.org
cache_peer 10.0.0.1 parent 80 0 proxy-only no-query no-digest
front-end-https=on login=pass
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_replacement_policy heap
memory_replacement_policy heap
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
# ACLs
# Base ACLs
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl http proto http
acl port80 port 80
acl https proto https
acl port443 port 443

# Only Allow cachemgr access from localhost
acl manager proto cache_object
http_access allow manager localhost
http_access deny manager

# Allow access to our servers
acl Exchangebox dstdomain mail.company.org
http_access allow https port443 Exchangebox

# Deny all other access to this proxy
http_access deny all

# Disable ICP
icp_port 0
Received on Wed Mar 10 2004 - 12:03:33 MST

This archive was generated by hypermail pre-2.1.9 : Thu Apr 01 2004 - 12:00:02 MST