Re: [squid-users] Quick question on using squid as a reverse proxy

2008-04-26 Thread Henrik K
On Fri, Apr 25, 2008 at 04:05:19PM -0400, Steven Pfister wrote:
>
> Does Apache + mod_security allow reverse proxying to https servers? The
> server is using both http and https currently, and I don't know enough
> about the actual server to know if doing everything over http is feasible.

Apache supports SSL just fine in any direction. You should google or ask
more in Apache lists.

> Does squid do reverse proxying for https servers? Does it have anything
> like mod_security? I've read a little about squidguard... is that
> something I want to look at?

If you want to do anything more "serious" than checking for URLs, you need
mod_security, it has lots of ready rules if you are not able to come up with
your own. SquidGuard is nothing more than a URL blocker. Squid cannot do
anything more than simple checks on URL or headers.



Re: [squid-users] Quick question on using squid as a reverse proxy

2008-04-25 Thread Henrik Nordstrom
Fri 2008-04-25 at 09:51 -0400, Steven Pfister wrote:

> Does squid as it's installed do any kind of checking of URLs for signs of 
> attacks, or does something additional need to be installed (and what's 
> popular for that)?

Squid checks that the request is a properly formed HTTP request, which
stops a large number of bad things, but not all.

Additionally you can apply several types of ACLs to further restrict the
forwarded traffic based on
- method
- requested URL (pattern)
- HTTP request headers (pattern)


Regards
Henrik
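
The three ACL types listed in the reply above, put together for a reverse proxy. This is an added example, not part of the original post; the site name, origin address and patterns are assumptions chosen for illustration.

```conf
# Constructed example: www.example.org, 192.0.2.10 and every pattern below
# are placeholders, not values from the thread.
http_port 80 accel defaultsite=www.example.org
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=origin

# Only the published site is served through this proxy.
acl our_site dstdomain www.example.org

# Method: allow only what the application needs.
acl allowed_methods method GET HEAD POST

# Requested URL (pattern): paths outside users should never reach.
acl blocked_paths urlpath_regex -i ^/admin ^/server-status \.bak$

# Requested URL (pattern): "../" sequences as they appear in the request URL.
acl traversal url_regex -i \.\./ %2e%2e

# HTTP request header (pattern): User-Agent strings of common scanners.
acl scanner_agent req_header User-Agent -i nikto sqlmap

# http_access rules are evaluated top to bottom; the first match decides.
http_access deny !our_site
http_access deny !allowed_methods
http_access deny blocked_paths
http_access deny traversal
http_access deny scanner_agent
http_access allow our_site
http_access deny all

# Everything that is allowed goes to the origin server and nowhere else.
cache_peer_access origin allow our_site
cache_peer_access origin deny all
never_direct allow all
```

These rules match only on the method, the URL and individual header values; request bodies are never inspected.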



Re: [squid-users] Quick question on using squid as a reverse proxy

2008-04-25 Thread Steven Pfister
Does Apache + mod_security allow reverse proxying to https servers? The server 
is using both http and https currently, and I don't know enough about the 
actual server to know if doing everything over http is feasible.

Does squid do reverse proxying for https servers? Does it have anything like 
mod_security? I've read a little about squidguard... is that something I want 
to look at?

Thanks!

Steve Pfister
Technical Coordinator, 
The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St. 
Dayton, OH 45402
 
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email [EMAIL PROTECTED]


>>> Henrik K <[EMAIL PROTECTED]> 4/25/2008 10:15 AM >>>
On Fri, Apr 25, 2008 at 09:51:53AM -0400, Steven Pfister wrote:
>
> Does squid as it's installed do any kind of checking of URLs for signs of
> attacks, or does something additional need to be installed (and what's
> popular for that)?

More likely you would want to use Apache with mod_security as reverse proxy.
Exactly made for that purpose.



Re: [squid-users] Quick question on using squid as a reverse proxy

2008-04-25 Thread Ben Hollingsworth
Steven Pfister wrote:
> Besides taking away direct access to the webserver (and any vulnerabilities 
> it may have) and providing some caching for static content, what are some 
> other advantages of using squid this way? I'm trying to help put together a 
> security recommendation.
>   

Squid can terminate an SSL connection and then speak HTTP to the real
server, allowing you to secure the outside access without having to
SSL-enable all inside access.  If you do this with multiple servers, you
can use a single wildcard SSL certificate on the squid box to cover all
your inside servers, which saves money.  We do this.

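
The setup described in the reply above (SSL terminated on the Squid box with one wildcard certificate, plain HTTP to the inside servers) could look like this. This is an added example, not the poster's configuration; host names, addresses and file paths are assumptions, and the `cert=`/`key=` option names are those of the Squid releases of that period.

```conf
# Constructed example: host names, addresses and file paths are placeholders.
# One listener on 443 presents a wildcard certificate for *.example.org;
# vhost makes Squid use the Host header to tell the sites apart.
https_port 443 accel vhost defaultsite=www.example.org cert=/etc/squid/ssl/wildcard.example.org.crt key=/etc/squid/ssl/wildcard.example.org.key

# Inside servers, reached over plain HTTP on port 80.
cache_peer 192.0.2.10 parent 80 0 no-query originserver name=www_origin
cache_peer 192.0.2.11 parent 80 0 no-query originserver name=mail_origin

# One ACL per published host name covered by the wildcard certificate.
acl www_site dstdomain www.example.org
acl mail_site dstdomain webmail.example.org

# Route each host name to its own inside server and to no other.
cache_peer_access www_origin allow www_site
cache_peer_access www_origin deny all
cache_peer_access mail_origin allow mail_site
cache_peer_access mail_origin deny all

# Serve only the published names; never fetch from anywhere but the peers.
http_access allow www_site
http_access allow mail_site
http_access deny all
never_direct allow all
```

With this layout the private key lives only on the proxy, and traffic between Squid and the inside servers crosses the internal network unencrypted.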



Re: [squid-users] Quick question on using squid as a reverse proxy

2008-04-25 Thread Steven Pfister
Thank you... I'll definitely check into that. Is there anywhere that lists a
minimum hardware spec for using Apache that way?

--Steve



>>> Henrik K <[EMAIL PROTECTED]> 4/25/2008 10:15 AM >>>
On Fri, Apr 25, 2008 at 09:51:53AM -0400, Steven Pfister wrote:
>
> Does squid as it's installed do any kind of checking of URLs for signs of
> attacks, or does something additional need to be installed (and what's
> popular for that)?

More likely you would want to use Apache with mod_security as reverse proxy.
Exactly made for that purpose.



Re: [squid-users] Quick question on using squid as a reverse proxy

2008-04-25 Thread Henrik K
On Fri, Apr 25, 2008 at 09:51:53AM -0400, Steven Pfister wrote:
>
> Does squid as it's installed do any kind of checking of URLs for signs of
> attacks, or does something additional need to be installed (and what's
> popular for that)?

More likely you would want to use Apache with mod_security as reverse proxy.
Exactly made for that purpose.



[squid-users] Quick question on using squid as a reverse proxy

2008-04-25 Thread Steven Pfister
We're thinking of using squid as a reverse proxy as part of a plan to open up
access to a particular web site to outside users.

Does squid as it's installed do any kind of checking of URLs for signs of 
attacks, or does something additional need to be installed (and what's popular 
for that)?

Besides taking away direct access to the webserver (and any vulnerabilities it 
may have) and providing some caching for static content, what are some other 
advantages of using squid this way? I'm trying to help put together a security 
recommendation.

Thanks!

--Steve
