Sean Kamath writes:

> Just which hosts and ports? No caching?

Sorry, I should have given a better description ... We proxy http, https, and rsync. squid functions as a simple L7 relay for those protocols. The purpose of the proxy is to restrict 1) which internal hosts can establish outbound connections in the first place, and 2) which hosts they can connect to. E.g., our admin hosts that handle billing can only connect to our payment processor's services. The server that front-ends the internal help desk can only connect to hubscout. Etc.

Pretty simple, we just don't want to make it easy for people to exfiltrate data if they do manage to get a foothold inside.

There's also the issue of most of our internal infrastructure servers running in 1918 address space. We don't NAT at the border, so the proxy is their only way out (again, by design).

> Kinda sounds like a pf.conf solution. . . Maybe with relay to relay everything
> through a firewall?

That's how we used to do it. The problem is upstream services change their IP addresses on a surprisingly frequent basis, and they don't always let people know this is happening. By using the proxy, I no longer have to hardwire and keep track of IP addresses. The squid ACLs serve as the L7 "firewall", and we have a single rule on the border firewall that allows the proxy host unfettered access to ports 80, 443, and 873.

--lyndon
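As an added illustration of the egress-proxy pattern described in the post above (this is a constructed squid.conf excerpt, not the poster's configuration): source hosts are pinned to a short list of permitted destination domains, rsync and https are tunnelled with CONNECT on 873 and 443 only, and caching is switched off so the proxy acts purely as a relay. All addresses and the `*.example.com` domain names are placeholders chosen for the example.

```conf
# Constructed squid.conf excerpt for an outbound-only L7 relay (example, not the poster's config).
http_port 3128

# Pure relay: never cache anything the internal hosts fetch.
cache deny all

# Internal sources (RFC 1918 addresses are placeholders).
acl billing_hosts src 10.0.1.10 10.0.1.11
acl helpdesk_host src 10.0.2.20

# Permitted destinations, matched by name so upstream IP changes don't matter
# (domains are hypothetical placeholders).
acl payment_processor dstdomain .payments.example.com
acl hubscout_svc      dstdomain .hubscout.example.com

# Only the three protocols the border firewall lets the proxy reach.
acl Safe_ports   port 80 443 873
acl tunnel_ports port 443 873
acl CONNECT method CONNECT

# Refuse anything outside the allowed ports, and CONNECT tunnels anywhere
# but https/rsync ports. Ordering matters: first match wins.
http_access deny !Safe_ports
http_access deny CONNECT !tunnel_ports

# Per-source destination allow-list. Each line is an AND of its ACLs.
http_access allow billing_hosts payment_processor
http_access allow helpdesk_host hubscout_svc

# Default deny: any host/destination pair not listed above is logged and refused.
http_access deny all
```

With this in place, the only border rule needed is the one the post describes, e.g. in pf: `pass out quick proto tcp from <proxy address> to any port { 80 443 873 }`, with everything else from the 1918 space dropped. Denied requests show up in access.log as TCP_DENIED, which gives a ready-made detection signal for a compromised internal host probing for an exit.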
Sorry, I should have given a better description ... We proxy http, https, and rsync. squid functions as a simple L7 relay for those protocols. The purpose of the proxy is to restrict 1) which internal hosts can establish outbound connections in the first place, and 2) which hosts they can connect to. E.g., our admin hosts that handle billing can only connect to our payment processor's services. The server that front-ends the internal help desk can only connect to hubscout. Etc. Pretty simple, we just don't want to make it easy for people to exfiltrate data if they do manage to get a foothold inside. There's also the issue of most of our internal infrastructure servers running in 1918 address space. We don't NAT at the border, so the proxy is their only way out (again, by design). > Kinda sounds like a pf.conf solution. . . Maybe with relay to relay everythi > ng through a firewall? That's how we used to do it. The problem is upstream services change their IP addresses on a surprisingly frequent basis, and they don't always let people know this is happening. By using the proxy, I no longer have to hardwire and keep track of IP addresses. The squid ACLs serve as the L7 "firewall", and we have a single rule on the border firewall that allows the proxy host unfettered access to ports 80, 443, and 873. --lyndon