Sean Kamath writes:

> Just which hosts and ports?  No caching?

Sorry, I should have given a better description ...

We proxy http, https, and rsync.  squid functions as a simple L7
relay for those protocols.  The purpose of the proxy is to restrict
1) which internal hosts can establish outbound connections in the
first place, and 2) which hosts they can connect to.  E.g., our
admin hosts that handle billing can only connect to our payment
processor's services.  The server that front-ends the internal help
desk can only connect to hubscout.  Etc.  Pretty simple, we just
don't want to make it easy for people to exfiltrate data if they
do manage to get a foothold inside.

There's also the issue of most of our internal infrastructure servers
running in 1918 address space.  We don't NAT at the border, so the
proxy is their only way out (again, by design).

> Kinda sounds like a pf.conf solution. . .  Maybe with relay to relay
> everything through a firewall?

That's how we used to do it.  The problem is upstream services
change their IP addresses on a surprisingly frequent basis, and
they don't always let people know this is happening.  By using the
proxy, I no longer have to hardwire and keep track of IP addresses.
The squid ACLs serve as the L7 "firewall", and we have a single
rule on the border firewall that allows the proxy host unfettered
access to ports 80, 443, and 873.

--lyndon
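As an added illustration of the egress-proxy setup lyndon describes (this is not his configuration), a squid.conf fragment in which each internal host group may reach only its own upstream service, by name rather than by IP; the networks and domain names are placeholders:

```conf
# Added example, not taken from the thread. Addresses and domains are
# placeholders; the structure is the point.

http_port 3128

# Pure relay, no caching
cache deny all

# Who may use the proxy at all: only the RFC 1918 space behind it
acl internal_nets src 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

# Source groups (constructed addresses)
acl billing_hosts  src 10.1.10.0/24
acl helpdesk_front src 10.1.20.5/32

# Destination groups by domain, so upstream renumbering needs no change here
acl payment_processor dstdomain .payments.example
acl helpdesk_saas     dstdomain .helpdesk-vendor.example

# Only the three proxied services: http, https (CONNECT), rsync (CONNECT)
acl Safe_ports   port 80 443 873
acl tunnel_ports port 443 873
acl CONNECT method CONNECT

# Refuse anything outside the three ports, and refuse tunnelling
# to any port other than 443 and 873
http_access deny !Safe_ports
http_access deny CONNECT !tunnel_ports

# Nothing from outside the internal ranges
http_access deny !internal_nets

# Per-group allow rules: each source may reach only its own destinations
http_access allow billing_hosts  payment_processor
http_access allow helpdesk_front helpdesk_saas

# Default deny: a host with no rule above has no way out
http_access deny all

# On the border firewall the single egress rule lyndon mentions would,
# in pf syntax, be roughly:
#   pass out quick proto tcp from <proxy-ip> to any port { 80 443 873 }
```

A host that gets a foothold on a box outside the listed groups hits `deny all`, and one inside a group is limited to that group's dstdomain entries; the pf rule keeps every other internal host from reaching those ports directly.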
