Re: [expert] Configuring Squid
Heya Steve,

> I've taken the advice from Bug Hunter in a previous mail and modified
> the configuration of Squid to only accept requests from localhost. So,
> that little problem is out of the way.

no problemo - probably a lil easier than doing it my way =]

> Thanks for the 486 idea though! We've got a pile of them sitting in the
> corner just WAITING for a use... Linux might be their salvation. Maybe
> a nice closet cluster? :)

depends on your task - if you've got the time and patience - read up on
the Beowulf project =] or again, stick an OS on them, and give them to a
smaller school etc, and let them play with them - hell you might even
get a tax write off =]

Zak
Re: [expert] Configuring Squid
Zak McKracken wrote:
>
> Hey again Steve,
>
> If you get REALLY stuck, grab a 486 / low end pentium, and simply run
> junk buster on that - that way you can get away with stuff all in expenses,
> and all you have to do is redirect requests to the junkbuster/486, and only
> allow access to squid from the jb/486 machine ? considering all it will be
> doing is acting as a data pump, you could quite easily get away with it -
> worst case is that you'll have to get a p100 or something =]

I've taken the advice from Bug Hunter in a previous mail and modified
the configuration of Squid to only accept requests from localhost. So,
that little problem is out of the way.

Thanks for the 486 idea though! We've got a pile of them sitting in the
corner just WAITING for a use... Linux might be their salvation. Maybe
a nice closet cluster? :)
Re: [expert] Configuring Squid
Hey again Steve,

If you get REALLY stuck, grab a 486 / low end pentium, and simply run
junk buster on that - that way you can get away with stuff all in expenses,
and all you have to do is redirect requests to the junkbuster/486, and only
allow access to squid from the jb/486 machine ? considering all it will be
doing is acting as a data pump, you could quite easily get away with it -
worst case is that you'll have to get a p100 or something =]

Zak

> The problem with the first solution is that there's still a port
> available for a wily user to attach to and get unfiltered
> access to the 'net. Making it a different port doesn't do much except
> stop a person from reading Squid docs to find out where it listens
> normally.
>
> The problem with the second idea is that Squid doesn't run through
> tcp_wrappers, so it ignores /etc/hosts.*. Running it through
> tcp_wrappers is NOT an option -- the performance hit would be horrible,
> I'd imagine...
>
> Thanks for the ideas, though. I _think_ I remember seeing a
> configuration option in squid.conf to limit who it listens to. Since
> all accesses should be from localhost, I think I can deny cache use to
> anything else. I'll give it a try and send my results to the list.
>
> --
> Steve Philp
Re: [expert] Configuring Squid
Zak McKracken wrote:
>
> Hey Steve,
>
> What if you made squid run on a different port? i.e. you could
> have it so that its set for 58347 (etc) and junkbuster talks to that -
> alternatively - add a line to /etc/hosts.deny, denying all access to
> port 3128, except for local host?

The problem with the first solution is that there's still a port
available for a wily user to attach to and get unfiltered
access to the 'net. Making it a different port doesn't do much except
stop a person from reading Squid docs to find out where it listens
normally.

The problem with the second idea is that Squid doesn't run through
tcp_wrappers, so it ignores /etc/hosts.*. Running it through
tcp_wrappers is NOT an option -- the performance hit would be horrible,
I'd imagine...

Thanks for the ideas, though. I _think_ I remember seeing a
configuration option in squid.conf to limit who it listens to. Since
all accesses should be from localhost, I think I can deny cache use to
anything else. I'll give it a try and send my results to the list.

--
Steve Philp
Re: [expert] Configuring Squid
I believe in the squid configuration file you can limit who can talk to
the squid to a single network or ip. (I know the single network works.)

So, if you use ip_alias to configure your ethernet to be 172.16.31.1 and
only enable the 172.16.31.x network to talk to it, then if you put in your
/etc/hosts file

172.16.31.1 squid_local

and then tell junkbuster to go through 172.16.31.1 for its internet
access, then it should hide the 3128 from the network.

bug

On Wed, 4 Aug 1999, Steve Philp wrote:

> Hello all!
>
> I'm having a problem that maybe someone here can help me with...
>
> I've set up a proxy server running Junkbuster and Squid for Internet
> access from our corporate network.
>
> Direct Internet access is forbidden by the router, allowing only traffic
> which comes from the proxy server. Clients are expected to talk to the
> Junkbuster proxy in order to reach the Internet (this allows us to
> filter and block extremely easily). The Junkbuster proxy talks to the
> Squid proxy to cache all requests.
>
> All of this is working fine, and I'm extremely happy with the "useless
> box in the closet" as it was known prior to its new Linux life.
>
> Our problem comes here:
>
> _IF_ our clients leave the proxy configured as we set it, they talk to
> Junkbuster and get filtered access to the net. However, they _could_
> change the port from 8000 to 3128 and talk to Squid instead, yielding
> unfiltered access.
>
> Does anyone know of a way to limit Squid so that it will only talk to
> Junkbuster? I'd like to simply throw an error page if someone tries to
> talk to Squid directly.
>
> Any hints would be extremely appreciated!
>
> --
> Steve Philp
> Network Administrator
> Advance Packaging Corporation
> [EMAIL PROTECTED]
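The configuration that implements what Bug describes above (and what Steve reports doing further up the thread: Squid accepting requests from localhost only), written out as an added example rather than taken from the thread. The ACL syntax is Squid 2.x era; the weak "allow all" setting, the tcp_incoming_address directive name and the Junkbuster forwardfile format are assumptions, and 172.16.31.1 is the alias address from Bug's mail.

```conf
# ---- squid.conf (ADDED EXAMPLE, Squid 2.x-era syntax; not from the thread) ----

# Weak setting (assumed): any host that can reach TCP 3128 gets the cache, so a
# client that changes its browser port from 8000 to 3128 bypasses Junkbuster.
#   acl all src 0.0.0.0/0.0.0.0
#   http_access allow all

# Corrected: name the allowed source, allow only it, deny everything else.
# Squid walks the http_access lines top-down and stops at the first match, so
# "deny all" must stay last; a denied client gets Squid's "Access Denied" error
# page and the request is logged as TCP_DENIED in access.log.
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
http_access allow localhost
http_access deny all

# Belt and braces (assumption: directive name from Squid 2.x): bind the listener
# to loopback only, so port 3128 is not reachable from the LAN interface at all.
http_port 3128
tcp_incoming_address 127.0.0.1

# Bug's variant, if Junkbuster should reach Squid via an aliased address instead
# of loopback: allow that single address (not the whole 172.16.31.x network) and
# bind to it rather than to 127.0.0.1.
#   acl jb_alias src 172.16.31.1/255.255.255.255
#   http_access allow jb_alias
#   tcp_incoming_address 172.16.31.1

# ---- /etc/hosts (from Bug's mail) ----
#   172.16.31.1   squid_local

# ---- Junkbuster forwardfile (format assumed: target forward_to gw_type gw) ----
# Forward every request to Squid; "." means no SOCKS gateway in between.
#   *   127.0.0.1:3128   .   .          # loopback variant
#   *   squid_local:3128 .   .          # alias variant, via the /etc/hosts entry
```

After restarting Squid, a request sent from a LAN client straight to port 3128 should come back as the Squid error page (or be refused outright with the loopback bind), while the same request through Junkbuster on port 8000 still succeeds; access.log showing TCP_DENIED for the direct attempt confirms the ACL ordering is right.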
Re: [expert] Configuring Squid
Hey Steve,

What if you made squid run on a different port? i.e. you could
have it so that its set for 58347 (etc) and junkbuster talks to that -
alternatively - add a line to /etc/hosts.deny, denying all access to
port 3128, except for local host?

Zak

- Original Message -
From: Steve Philp <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 05, 1999 8:13 AM
Subject: [expert] Configuring Squid

> Hello all!
>
> I'm having a problem that maybe someone here can help me with...
>
> I've set up a proxy server running Junkbuster and Squid for Internet
> access from our corporate network.
>
> Direct Internet access is forbidden by the router, allowing only traffic
> which comes from the proxy server. Clients are expected to talk to the
> Junkbuster proxy in order to reach the Internet (this allows us to
> filter and block extremely easily). The Junkbuster proxy talks to the
> Squid proxy to cache all requests.
>
> All of this is working fine, and I'm extremely happy with the "useless
> box in the closet" as it was known prior to its new Linux life.
>
> Our problem comes here:
>
> _IF_ our clients leave the proxy configured as we set it, they talk to
> Junkbuster and get filtered access to the net. However, they _could_
> change the port from 8000 to 3128 and talk to Squid instead, yielding
> unfiltered access.
>
> Does anyone know of a way to limit Squid so that it will only talk to
> Junkbuster? I'd like to simply throw an error page if someone tries to
> talk to Squid directly.
>
> Any hints would be extremely appreciated!
>
> --
> Steve Philp
> Network Administrator
> Advance Packaging Corporation
> [EMAIL PROTECTED]
[expert] Configuring Squid
Hello all!

I'm having a problem that maybe someone here can help me with...

I've set up a proxy server running Junkbuster and Squid for Internet
access from our corporate network.

Direct Internet access is forbidden by the router, allowing only traffic
which comes from the proxy server. Clients are expected to talk to the
Junkbuster proxy in order to reach the Internet (this allows us to
filter and block extremely easily). The Junkbuster proxy talks to the
Squid proxy to cache all requests.

All of this is working fine, and I'm extremely happy with the "useless
box in the closet" as it was known prior to its new Linux life.

Our problem comes here:

_IF_ our clients leave the proxy configured as we set it, they talk to
Junkbuster and get filtered access to the net. However, they _could_
change the port from 8000 to 3128 and talk to Squid instead, yielding
unfiltered access.

Does anyone know of a way to limit Squid so that it will only talk to
Junkbuster? I'd like to simply throw an error page if someone tries to
talk to Squid directly.

Any hints would be extremely appreciated!

--
Steve Philp
Network Administrator
Advance Packaging Corporation
[EMAIL PROTECTED]